summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorlassulus <lass@aidsballs.de>2015-10-09 13:27:02 +0200
committerlassulus <lass@aidsballs.de>2015-10-09 13:27:02 +0200
commit938b6fe2788d6257d7d273f02c5110e7b641f0a0 (patch)
treeeca3f607444b7b2fa581c112b621a5903085c6a3
parent43a48f25a4009967ac71cdab5cd19022a9742889 (diff)
parentf1cc52aeaf6c18afb1c79c08914471ff73943a77 (diff)
Merge remote-tracking branch 'nomic/master'
-rw-r--r--krebs/3modules/default.nix16
-rw-r--r--krebs/5pkgs/default.nix1
-rw-r--r--krebs/5pkgs/github-known_hosts/default.nix13
-rw-r--r--krebs/5pkgs/github-known_hosts/github.ssh.pub1
4 files changed, 16 insertions, 15 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index edfbde9ba..ea1894709 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -138,6 +138,22 @@ let
mkIf (privkey != null) (mkForce [privkey]);
services.openssh.knownHosts =
+ # GitHub's IPv4 address range is 192.30.252.0/22
+ # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
+ # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
+ # Because line length is limited by OPENSSH_LINE_MAX (= 8192),
+ # we split each /24 into its own entry.
+ listToAttrs (map
+ (c: {
+ name = "github${toString c}";
+ value = {
+ hostNames = ["github.com"] ++
+ map (d: "192.30.${toString c}.${toString d}") (range 0 255);
+ publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
+ };
+ })
+ (range 252 255))
+ //
mapAttrs
(name: host: {
hostNames =
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix
index 616992b95..c48c3dee8 100644
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@@ -13,7 +13,6 @@ rec {
genid = callPackage ./genid {};
get = callPackage ./get {};
github-hosts-sync = callPackage ./github-hosts-sync {};
- github-known_hosts = callPackage ./github-known_hosts {};
hashPassword = callPackage ./hashPassword {};
jq = callPackage ./jq {};
krebszones = callPackage ./krebszones {};
diff --git a/krebs/5pkgs/github-known_hosts/default.nix b/krebs/5pkgs/github-known_hosts/default.nix
deleted file mode 100644
index fe5efe413..000000000
--- a/krebs/5pkgs/github-known_hosts/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ lib, ... }:
-
-with builtins;
-with lib;
-
-let
- github-pubkey = removeSuffix "\n" (readFile ./github.ssh.pub);
-in
-
-toFile "github-known_hosts"
- (concatMapStrings
- (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n")
- (range 0 255))
diff --git a/krebs/5pkgs/github-known_hosts/github.ssh.pub b/krebs/5pkgs/github-known_hosts/github.ssh.pub
deleted file mode 100644
index 90f6e2b71..000000000
--- a/krebs/5pkgs/github-known_hosts/github.ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==