nix-lib/lib/fetchers/sshKnownHosts/default.nix

{ pkgs, ... }:
pkgs.lib.fetchers.withNormalizedHash { } (
  {
    host,
    name ? "ssh-known-hosts-${host}",
    outputHash,
    outputHashAlgo,
    port ? 22,
    keyTypes ? [
      "rsa"
      "ecdsa"
      "ed25519"
    ],
  }:
  let
    keyTypeArgs = pkgs.lib.concatStringsSep "," keyTypes;
  in
  pkgs.runCommandLocal name
    {
      inherit outputHash outputHashAlgo;
      outputHashMode = "flat";
      preferLocalBuild = true;

      nativeBuildInputs = with pkgs; [
        openssh
        gnugrep
        coreutils
      ];
    }
    ''
      ssh-keyscan -p ${toString port} -t ${keyTypeArgs} ${host} | grep -v '^#' | sort > $out
    ''
)