nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixos-config/config/profile-config/host/ssh.nix

64 lines
2.1 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
with lib;
let
hostname = config.instance.hostname;
has-attrs = set: length (attrNames set) > 0;
read-lines = filename: splitString "\n" (fileContents filename);
has-secret-files = hasAttr "files" config.fudo.secrets;
in {
config = mkIf has-secret-files
(let
host-keypairs =
if (hasAttr hostname config.fudo.secrets.files.host-ssh-keypairs) then
config.fudo.secrets.files.host-ssh-keypairs.${hostname}
else [];
in {
fudo = let
sshfp-filename = host: keypair: "ssh-${host}-${keypair.key-type}.sshfp-record";
dns-sshfp-records = host: keypair:
pkgs.stdenv.mkDerivation {
name = "${host}-sshfp-records";
phases = [ "installPhase" ];
buildInputs = with pkgs; [ openssh ];
installPhase =
"ssh-keygen -r REMOVEME -f \"${keypair.public-key}\" | sed 's/^REMOVEME IN SSHFP //' > $out";
};
host-cfg = config.fudo.hosts.${hostname};
in {
secrets.host-secrets.${hostname} = listToAttrs
(map
(keypair: nameValuePair "host-${keypair.key-type}-private-key" {
source-file = keypair.private-key;
target-file = "/run/openssh/private/host-${keypair.key-type}-private-key";
user = "root";
})
host-keypairs);
hosts = mkIf (hasAttr "files" config.fudo.secrets)
(mapAttrs (hostname: keypairs: {
ssh-pubkeys = map (keypair: keypair.public-key) keypairs;
ssh-fingerprints = concatMap (keypair:
let
fingerprint-derivation = dns-sshfp-records hostname keypair;
in read-lines "${fingerprint-derivation}") keypairs;
}) config.fudo.secrets.files.host-ssh-keypairs);
};
services.openssh.hostKeys = let
host-secrets = config.fudo.secrets.host-secrets.${hostname};
in map (keypair: {
path =
host-secrets."host-${keypair.key-type}-private-key".target-file;
type = keypair.key-type;
}) host-keypairs;
});
}
Reference in New Issue View Git Blame Copy Permalink