diff options
-rw-r--r-- | krebs/3modules/default.nix | 16 | ||||
-rw-r--r-- | krebs/3modules/github-hosts-sync.nix | 35 | ||||
-rw-r--r-- | krebs/4lib/types.nix | 7 | ||||
-rw-r--r-- | krebs/5pkgs/default.nix | 1 | ||||
-rw-r--r-- | krebs/5pkgs/github-hosts-sync/default.nix | 2 | ||||
-rw-r--r-- | krebs/5pkgs/github-known_hosts/default.nix | 13 | ||||
-rw-r--r-- | krebs/5pkgs/github-known_hosts/github.ssh.pub | 1 | ||||
-rw-r--r-- | tv/1systems/cd.nix | 1 | ||||
-rw-r--r-- | tv/1systems/wu.nix | 1 | ||||
-rw-r--r-- | tv/2configs/urlwatch.nix | 3 |
10 files changed, 39 insertions, 41 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index edfbde9ba..ea1894709 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -138,6 +138,22 @@ let mkIf (privkey != null) (mkForce [privkey]); services.openssh.knownHosts = + # GitHub's IPv4 address range is 192.30.252.0/22 + # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/ + # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses) + # Because line length is limited by OPENSSH_LINE_MAX (= 8192), + # we split each /24 into its own entry. + listToAttrs (map + (c: { + name = "github${toString c}"; + value = { + hostNames = ["github.com"] ++ + map (d: "192.30.${toString c}.${toString d}") (range 0 255); + publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; + }; + }) + (range 252 255)) + // mapAttrs (name: host: { hostNames = diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index f44fe3ad8..2a1df9e03 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: with builtins; -with lib; +with import ../4lib { inherit lib; }; let cfg = config.krebs.github-hosts-sync; @@ -21,7 +21,7 @@ let default = "/var/lib/github-hosts-sync"; }; ssh-identity-file = mkOption { - type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519} + type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"]; default = toString <secrets/github-hosts-sync.ssh.id_rsa>; }; }; @@ -41,27 +41,11 @@ let ExecStartPre = pkgs.writeScript "github-hosts-sync-init" '' #! /bin/sh set -euf - - ssh_identity_file_target=$( - case ${cfg.ssh-identity-file} in - *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;; - *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;; - *) - echo "bad identity file name: ${cfg.ssh-identity-file}" >&2 - exit 1 - esac - ) - - mkdir -p ${cfg.dataDir} - chown ${user.name}: ${cfg.dataDir} - - install \ - -o ${user.name} \ - -m 0400 \ + install -m 0711 -o ${user.name} -d ${cfg.dataDir} + install -m 0700 -o ${user.name} -d ${cfg.dataDir}/.ssh + install -m 0400 -o ${user.name} \ ${cfg.ssh-identity-file} \ - "$ssh_identity_file_target" - - ln -snf ${pkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts + ${cfg.dataDir}/.ssh/${fileExtension cfg.ssh-identity-file} ''; ExecStart = "${pkgs.github-hosts-sync}/bin/github-hosts-sync"; }; @@ -77,5 +61,8 @@ let name = "github-hosts-sync"; uid = 3220554646; # genid github-hosts-sync }; -in -out + + # TODO move to lib? + fileExtension = s: last (splitString "." s); + +in out diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 039f803ef..b3d2c8b70 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -147,6 +147,13 @@ types // rec { merge = mergeOneOption; }; + suffixed-str = suffs: + mkOptionType { + name = "string suffixed by ${concatStringsSep ", " suffs}"; + check = x: isString x && any (flip hasSuffix x) suffs; + merge = mergeOneOption; + }; + user = submodule { options = { mail = mkOption { diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix index 616992b95..c48c3dee8 100644 --- a/krebs/5pkgs/default.nix +++ b/krebs/5pkgs/default.nix @@ -13,7 +13,6 @@ rec { genid = callPackage ./genid {}; get = callPackage ./get {}; github-hosts-sync = callPackage ./github-hosts-sync {}; - github-known_hosts = callPackage ./github-known_hosts {}; hashPassword = callPackage ./hashPassword {}; jq = callPackage ./jq {}; krebszones = callPackage ./krebszones {}; diff --git a/krebs/5pkgs/github-hosts-sync/default.nix b/krebs/5pkgs/github-hosts-sync/default.nix index d69b2b12b..b9dcfa9b8 100644 --- a/krebs/5pkgs/github-hosts-sync/default.nix +++ b/krebs/5pkgs/github-hosts-sync/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation { installPhase = let - ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt"; + ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; path = stdenv.lib.makeSearchPath "bin" (with pkgs; [ coreutils findutils diff --git a/krebs/5pkgs/github-known_hosts/default.nix b/krebs/5pkgs/github-known_hosts/default.nix deleted file mode 100644 index fe5efe413..000000000 --- a/krebs/5pkgs/github-known_hosts/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, ... }: - -with builtins; -with lib; - -let - github-pubkey = removeSuffix "\n" (readFile ./github.ssh.pub); -in - -toFile "github-known_hosts" - (concatMapStrings - (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n") - (range 0 255)) diff --git a/krebs/5pkgs/github-known_hosts/github.ssh.pub b/krebs/5pkgs/github-known_hosts/github.ssh.pub deleted file mode 100644 index 90f6e2b71..000000000 --- a/krebs/5pkgs/github-known_hosts/github.ssh.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 4f66b3592..4f196095b 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -30,6 +30,7 @@ with lib; #../2configs/consul-server.nix ../2configs/exim-smarthost.nix ../2configs/git.nix + ../2configs/urlwatch.nix { imports = [ ../2configs/charybdis.nix ]; tv.charybdis = { diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index e54aed056..0ef846f93 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -32,7 +32,6 @@ with lib; ../2configs/xserver.nix ../2configs/synaptics.nix # TODO w110er if xserver is enabled ../2configs/test.nix - ../2configs/urlwatch.nix { environment.systemPackages = with pkgs; [ diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix index 26e56e09c..c1c5d19d9 100644 --- a/tv/2configs/urlwatch.nix +++ b/tv/2configs/urlwatch.nix @@ -48,6 +48,9 @@ #http://hackage.haskell.org/package/transformers #http://hackage.haskell.org/package/web-routes-wai #http://hackage.haskell.org/package/web-page + + # ref <stockholm/krebs/3modules>, services.openssh.knownHosts.github* + https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/ ]; }; } |