nixos-config/lib/fudo/ssh.nix

{ config, lib, pkgs, ... }:

with lib;
let
  hostname = config.instance.hostname;
  has-attrs = set: length (attrNames set) > 0;
  host-keypairs =
    if (hasAttr hostname config.fudo.secrets.files.host-ssh-keypairs) then
      config.fudo.secrets.files.host-ssh-keypairs.${hostname}
    else [];


  sshfp-filename = host: keypair: "ssh-${host}-${keypair.key-type}.sshfp-record";

  dns-sshfp-records = host: keypair: let
    filename = sshfp-filename host keypair;
  in pkgs.stdenv.mkDerivation {
    name = "${host}-sshfp-record";

    phases = [ "installPhase" ];

    buildInputs = with pkgs; [ openssh ];

    installPhase = ''
      mkdir $out
      ssh-keygen -r REMOVEME -f "${keypair.public-key}" | sed 's/^REMOVEME IN SSHFP //' > $out/${filename}
    '';
  };

  host-cfg = config.fudo.hosts.${hostname};

in {
  config = {
    fudo = {
      secrets.host-secrets.${hostname} = listToAttrs
        (map
          (keypair: nameValuePair "host-${keypair.key-type}-private-key" {
            source-file = keypair.private-key;
            target-file = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
            user = "root";
          })
          host-keypairs);

      hosts = mapAttrs (hostname: keypairs: {
        ssh-pubkeys = map (keypair: keypair.public-key) keypairs;
        ssh-fingerprints = map (keypair:
          let
            fingerprint-derivation = dns-sshfp-records hostname keypair;
            filename = sshfp-filename hostname keypair;
          in builtins.readFile "${fingerprint-derivation}/${filename}") keypairs;
      }) config.fudo.secrets.files.host-ssh-keypairs;


    };

    services.openssh.hostKeys = map (keypair: {
      path = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
      type = keypair.key-type;
    }) host-keypairs;

    programs.ssh.knownHosts = let

      keyed-hosts =
        filterAttrs (h: o: o.ssh-pubkeys != [])
          config.fudo.hosts;

      crossProduct = f: list0: list1:
        concatMap (el0: map (el1: f el0 el1) list1) list0;

      all-hostnames = hostname: opts:
        [ hostname ] ++
        (crossProduct (host: domain: "${host}.${domain}")
          ([ hostname ] ++ opts.aliases)
          ([ opts.domain ] ++ opts.extra-domains));

    in mapAttrs (hostname: hostOpts: {
      publicKeyFile = builtins.head hostOpts.ssh-pubkeys;
      hostNames = all-hostnames hostname host-cfg;
    }) keyed-hosts;
  };
}
Initial, broken 2021-09-29 17:55:13 -07:00			`{ config, lib, pkgs, ... }:`

			`with lib;`
			`let`
Various minor fixes 2021-09-29 18:44:33 -07:00			`hostname = config.instance.hostname;`
Initial, broken 2021-09-29 17:55:13 -07:00			`has-attrs = set: length (attrNames set) > 0;`
Various minor fixes 2021-09-29 18:44:33 -07:00			`host-keypairs =`
			`if (hasAttr hostname config.fudo.secrets.files.host-ssh-keypairs) then`
			`config.fudo.secrets.files.host-ssh-keypairs.${hostname}`
			`else [];`

Initial, broken 2021-09-29 17:55:13 -07:00
			`sshfp-filename = host: keypair: "ssh-${host}-${keypair.key-type}.sshfp-record";`

			`dns-sshfp-records = host: keypair: let`
			`filename = sshfp-filename host keypair;`
Working flake check 2021-09-30 08:40:47 -07:00			`in pkgs.stdenv.mkDerivation {`
			`name = "${host}-sshfp-record";`
Initial, broken 2021-09-29 17:55:13 -07:00
Working flake check 2021-09-30 08:40:47 -07:00			`phases = [ "installPhase" ];`

			`buildInputs = with pkgs; [ openssh ];`
Initial, broken 2021-09-29 17:55:13 -07:00
			`installPhase = ''`
Working flake check 2021-09-30 08:40:47 -07:00			`mkdir $out`
			`ssh-keygen -r REMOVEME -f "${keypair.public-key}" \| sed 's/^REMOVEME IN SSHFP //' > $out/${filename}`
Initial, broken 2021-09-29 17:55:13 -07:00			`'';`
			`};`

Added master keys 2021-09-30 11:30:32 -07:00			`host-cfg = config.fudo.hosts.${hostname};`

Initial, broken 2021-09-29 17:55:13 -07:00			`in {`
			`config = {`
			`fudo = {`
Various minor fixes 2021-09-29 18:44:33 -07:00			`secrets.host-secrets.${hostname} = listToAttrs`
			`(map`
			`(keypair: nameValuePair "host-${keypair.key-type}-private-key" {`
Initial, broken 2021-09-29 17:55:13 -07:00			`source-file = keypair.private-key;`
			`target-file = "/var/run/ssh/private/host-${keypair.key-type}-private-key";`
			`user = "root";`
Various minor fixes 2021-09-29 18:44:33 -07:00			`})`
			`host-keypairs);`
Initial, broken 2021-09-29 17:55:13 -07:00
			`hosts = mapAttrs (hostname: keypairs: {`
			`ssh-pubkeys = map (keypair: keypair.public-key) keypairs;`
			`ssh-fingerprints = map (keypair:`
			`let`
Working flake check 2021-09-30 08:40:47 -07:00			`fingerprint-derivation = dns-sshfp-records hostname keypair;`
Initial, broken 2021-09-29 17:55:13 -07:00			`filename = sshfp-filename hostname keypair;`
			`in builtins.readFile "${fingerprint-derivation}/${filename}") keypairs;`
Various minor fixes 2021-09-29 18:44:33 -07:00			`}) config.fudo.secrets.files.host-ssh-keypairs;`
Initial, broken 2021-09-29 17:55:13 -07:00

			`};`

Various minor fixes 2021-09-29 18:44:33 -07:00			`services.openssh.hostKeys = map (keypair: {`
			`path = "/var/run/ssh/private/host-${keypair.key-type}-private-key";`
			`type = keypair.key-type;`
			`}) host-keypairs;`
Initial, broken 2021-09-29 17:55:13 -07:00
Working flake check 2021-09-30 08:40:47 -07:00			`programs.ssh.knownHosts = let`

			`keyed-hosts =`
			`filterAttrs (h: o: o.ssh-pubkeys != [])`
			`config.fudo.hosts;`

			`crossProduct = f: list0: list1:`
			`concatMap (el0: map (el1: f el0 el1) list1) list0;`

Added master keys 2021-09-30 11:30:32 -07:00			`all-hostnames = hostname: opts:`
			`[ hostname ] ++`
Working flake check 2021-09-30 08:40:47 -07:00			`(crossProduct (host: domain: "${host}.${domain}")`
Added master keys 2021-09-30 11:30:32 -07:00			`([ hostname ] ++ opts.aliases)`
Working flake check 2021-09-30 08:40:47 -07:00			`([ opts.domain ] ++ opts.extra-domains));`

			`in mapAttrs (hostname: hostOpts: {`
			`publicKeyFile = builtins.head hostOpts.ssh-pubkeys;`
Added master keys 2021-09-30 11:30:32 -07:00			`hostNames = all-hostnames hostname host-cfg;`
Working flake check 2021-09-30 08:40:47 -07:00			`}) keyed-hosts;`
Initial, broken 2021-09-29 17:55:13 -07:00			`};`
			`}`