From 9ae6d1611ef8cd8479235ac91272e694080b9d89 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 12:06:00 +0200 Subject: add github.com and its addrs4 to known_hosts --- krebs/3modules/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'krebs/3modules') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 430194405..eeb3acdcb 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -137,6 +137,13 @@ let mkIf (privkey != null) (mkForce [privkey]); services.openssh.knownHosts = + { + github = { + hostNames = ["github.com"] ++ + map (i: "192.30.252.${toString i}") (range 0 255); + publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; + }; + } // mapAttrs (name: host: { hostNames = -- cgit v1.2.3 From f1cc52aeaf6c18afb1c79c08914471ff73943a77 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 13:18:21 +0200 Subject: known_hosts: GitHub is 192.30.252.0/22 --- krebs/3modules/default.nix | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index eeb3acdcb..69613d4c3 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -137,13 +137,22 @@ let mkIf (privkey != null) (mkForce [privkey]); services.openssh.knownHosts = - { - github = { - hostNames = ["github.com"] ++ - map (i: "192.30.252.${toString i}") (range 0 255); - publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; - }; - } // + # GitHub's IPv4 address range is 192.30.252.0/22 + # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/ + # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses) + # Because line length is limited by OPENSSH_LINE_MAX (= 8192), + # we split each /24 into its own entry. + listToAttrs (map + (c: { + name = "github${toString c}"; + value = { + hostNames = ["github.com"] ++ + map (d: "192.30.${toString c}.${toString d}") (range 0 255); + publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; + }; + }) + (range 252 255)) + // mapAttrs (name: host: { hostNames = -- cgit v1.2.3 From 87fa7792e3f2debeb221073b393a7909a75a9176 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 13:34:25 +0200 Subject: disband github-known_hosts harder --- krebs/3modules/github-hosts-sync.nix | 2 -- 1 file changed, 2 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index f44fe3ad8..eaec0333a 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -60,8 +60,6 @@ let -m 0400 \ ${cfg.ssh-identity-file} \ "$ssh_identity_file_target" - - ln -snf ${pkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts ''; ExecStart = "${pkgs.github-hosts-sync}/bin/github-hosts-sync"; }; -- cgit v1.2.3 From 51e4b62de206cbf692e5f247d595c904c768e202 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 14:08:06 +0200 Subject: krebs.github-host-sync.ssh-identity-file: fix type --- krebs/3modules/github-hosts-sync.nix | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index eaec0333a..4d4e21252 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: with builtins; -with lib; +with import ../4lib { inherit lib; }; let cfg = config.krebs.github-hosts-sync; @@ -21,7 +21,7 @@ let default = "/var/lib/github-hosts-sync"; }; ssh-identity-file = mkOption { - type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519} + type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"]; default = toString ; }; }; @@ -42,16 +42,6 @@ let #! /bin/sh set -euf - ssh_identity_file_target=$( - case ${cfg.ssh-identity-file} in - *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;; - *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;; - *) - echo "bad identity file name: ${cfg.ssh-identity-file}" >&2 - exit 1 - esac - ) - mkdir -p ${cfg.dataDir} chown ${user.name}: ${cfg.dataDir} @@ -59,7 +49,7 @@ let -o ${user.name} \ -m 0400 \ ${cfg.ssh-identity-file} \ - "$ssh_identity_file_target" + ${cfg.dataDir}/.ssh/${fileExtension cfg.ssh-identity-file} ''; ExecStart = "${pkgs.github-hosts-sync}/bin/github-hosts-sync"; }; @@ -75,5 +65,8 @@ let name = "github-hosts-sync"; uid = 3220554646; # genid github-hosts-sync }; -in -out + + # TODO move to lib? + fileExtension = s: last (splitString "." s); + +in out -- cgit v1.2.3 From 694c79a5bc05014604fa2467f965b370102ff78f Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 14:32:45 +0200 Subject: github-hosts-sync service: fix directory creation --- krebs/3modules/github-hosts-sync.nix | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index 4d4e21252..2a1df9e03 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -41,13 +41,9 @@ let ExecStartPre = pkgs.writeScript "github-hosts-sync-init" '' #! /bin/sh set -euf - - mkdir -p ${cfg.dataDir} - chown ${user.name}: ${cfg.dataDir} - - install \ - -o ${user.name} \ - -m 0400 \ + install -m 0711 -o ${user.name} -d ${cfg.dataDir} + install -m 0700 -o ${user.name} -d ${cfg.dataDir}/.ssh + install -m 0400 -o ${user.name} \ ${cfg.ssh-identity-file} \ ${cfg.dataDir}/.ssh/${fileExtension cfg.ssh-identity-file} ''; -- cgit v1.2.3