Add declarative ssh known hosts

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-25 12:28:22 +00:00
parent f843deafbe
commit a3dc4129d6
22 changed files with 258 additions and 79 deletions

6
flake.lock generated

@@ -115,11 +115,11 @@
]
},
"locked": {
"lastModified": 1740348184,
"narHash": "sha256-NnMzG2GYQJRrFTjvZBkaIE41EBekaMfIWiiEvxhvUTU=",
"lastModified": 1740485474,
"narHash": "sha256-g3f5UTD/VEZoSrvwXy1aW/3470Gz/M6vkucM+5f0ZkU=",
"owner": "karaolidis",
"repo": "home-manager",
"rev": "6db31ab82b2b0d6bad4691a238073401120f673c",
"rev": "c4ace2196b7df8f582e624b2b54ec5a7ab353549",
"type": "github"
},
"original": {


@@ -168,7 +168,9 @@
in
{
devShells = import ./hosts/common/shells { inherit pkgs; };
packages = import ./packages { inherit pkgs; };
lib = import ./lib { inherit pkgs; };
packages = import ./packages { inherit pkgs inputs system; };
formatter = treefmt.config.build.wrapper;
checks.formatting = treefmt.config.build.check self;
}


@@ -4,14 +4,5 @@
}:
{ ... }:
{
environment.persistence."/persist"."${home}/.ssh/known_hosts" = { };
home-manager.users.${user} = {
programs.ssh = {
enable = true;
userKnownHostsFile = "${home}/.ssh/known_hosts/default";
};
systemd.user.tmpfiles.rules = [ "d ${home}/.ssh/known_hosts 0755 ${user} users" ];
};
home-manager.users.${user}.programs.ssh.enable = true;
}
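Review bot: Dropping the `environment.persistence."/persist"."${home}/.ssh/known_hosts"` entry means the user's own known_hosts file (presumably home-manager's default `~/.ssh/known_hosts` once the explicit `userKnownHostsFile` is gone) is no longer persisted, so on what looks like an impermanence-style host every host key accepted interactively for a host that has no declarative package is lost at reboot and re-prompted, which trains the user to accept fingerprint prompts. If the intent is "declarative known hosts only", record that in a comment such as `# Known hosts are supplied per-host via programs.ssh.userKnownHostsFiles; interactive TOFU entries are deliberately not persisted.`; otherwise keep a persistence entry for the file, e.g. `environment.persistence."/persist"."${home}/.ssh/known_hosts" = { };`. The enclosing module function starts before the hunk.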


@@ -10,6 +10,7 @@
...
}:
let
selfLib = inputs.self.lib.${system};
hmConfig = config.home-manager.users.${user};
in
{
@@ -64,7 +65,7 @@ in
"spotify/prefs.init" = {
source = ./config/prefs;
onChange = ''
${config.lib.runtime.merge.keyValue} "${home}/.config/spotify/prefs.init" "${home}/.config/spotify/prefs"
${selfLib.runtime.merge.keyValue} "${home}/.config/spotify/prefs.init" "${home}/.config/spotify/prefs"
'';
};
@@ -72,7 +73,7 @@ in
source = ./config/prefs-user;
onChange = ''
user = $(cat "${hmConfig.sops.secrets."spotify/username".path}")
${config.lib.runtime.merge.keyValue} "${home}/.config/spotify/prefs-user.init" "${home}/.config/spotify/Users/''${user}-user/prefs"
${selfLib.runtime.merge.keyValue} "${home}/.config/spotify/prefs-user.init" "${home}/.config/spotify/Users/''${user}-user/prefs"
'';
};
};
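Review bot: The line just above the changed one, `user = $(cat "...")`, is not a shell assignment — with the spaces bash runs `user` as a command with `=` as an argument, so `user` stays unset and the `${user}` the merge helper receives (written `''${user}` in the Nix string) expands empty, giving a target of `.../Users/-user/prefs`. It should read `user=$(cat "${hmConfig.sops.secrets."spotify/username".path}")`. That line is context rather than new, but the switch to `selfLib.runtime.merge.keyValue` keeps feeding it the wrong path; this assumes `onChange` runs under bash as home-manager activation normally does. The enclosing attribute set starts before the hunk.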


@@ -1,8 +1,6 @@
{ inputs, ... }:
{
imports = [
../../lib
inputs.disko.nixosModules.disko
./format.nix


@@ -2,7 +2,15 @@
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ ... }:
{
inputs,
lib,
system,
...
}:
let
selfPkgs = inputs.self.packages.${system};
in
{
home-manager.users.${user} = {
sops.secrets = {
@@ -17,12 +25,16 @@
};
};
programs.ssh.matchBlocks = {
"github.com" = {
hostname = "github.com";
user = "git";
identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
programs.ssh = {
matchBlocks = {
"github.com" = {
hostname = "github.com";
user = "git";
identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
};
};
userKnownHostsFiles = with selfPkgs; [ ssh-known-hosts-github ];
};
};
}
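Review bot: `userKnownHostsFiles` (a list) is not an option of upstream home-manager, which only has the string option `userKnownHostsFile`; this presumably relies on the `karaolidis/home-manager` fork that flake.lock bumps in the same commit, and a comment next to it would save the next reader a search, e.g. `# userKnownHostsFiles comes from the home-manager fork pinned in flake.lock.`. Also confirm whether the fork's option extends or replaces the default `~/.ssh/known_hosts`: if it replaces it, host keys accepted interactively for hosts outside this list have nowhere to be recorded, and `~/.ssh/known_hosts` should be listed alongside the package. The enclosing module function starts before the hunk.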


@@ -1,4 +1,7 @@
{ ... }:
{ inputs, system, ... }:
let
selfPkgs = inputs.self.packages.${system};
in
{
sops.secrets."ssh/sas/key" = {
sopsFile = ../../../../secrets/sas/secrets.yaml;
@@ -6,15 +9,22 @@
path = "/root/.ssh/ssh_sas_ed25519_key";
};
programs.ssh.extraConfig = ''
Host github.com
User git
HostName github.com
IdentityFile /root/.ssh/ssh_sas_ed25519_key
programs.ssh = {
extraConfig = ''
Host github.com
User git
HostName github.com
IdentityFile /root/.ssh/ssh_sas_ed25519_key
Host gitlab.sas.com
User git
HostName gitlab.sas.com
IdentityFile /root/.ssh/ssh_sas_ed25519_key
'';
Host gitlab.sas.com
User git
HostName gitlab.sas.com
IdentityFile /root/.ssh/ssh_sas_ed25519_key
'';
knownHostsFiles = with selfPkgs; [
ssh-known-hosts-github
ssh-known-hosts-sas-gitlab
];
};
}


@@ -1,8 +1,6 @@
{ config, inputs, ... }:
{
imports = [
../../lib
inputs.disko.nixosModules.disko
./format.nix


@@ -2,7 +2,16 @@
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ lib, pkgs, ... }:
{
inputs,
lib,
system,
pkgs,
...
}:
let
selfPkgs = inputs.self.packages.${system};
in
{
home-manager.users.${user} = {
sops.secrets = {
@@ -26,28 +35,36 @@
}
);
ssh.matchBlocks = {
"github.com" = {
hostname = "github.com";
user = "git";
identityFile = [
"${home}/.ssh/ssh_sas_ed25519_key"
"${home}/.ssh/ssh_personal_ed25519_key"
];
ssh = {
matchBlocks = {
"github.com" = {
hostname = "github.com";
user = "git";
identityFile = [
"${home}/.ssh/ssh_sas_ed25519_key"
"${home}/.ssh/ssh_personal_ed25519_key"
];
};
"gitlab.sas.com" = {
hostname = "gitlab.sas.com";
user = "git";
identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
};
"gerrit-svi.unx.sas.com" = {
hostname = "gerrit-svi.unx.sas.com";
user = "nikara";
port = 29418;
identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
};
};
"gitlab.sas.com" = {
hostname = "gitlab.sas.com";
user = "git";
identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
};
"gerrit-svi.unx.sas.com" = {
hostname = "gerrit-svi.unx.sas.com";
user = "nikara";
port = 29418;
identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
};
userKnownHostsFiles = with selfPkgs; [
ssh-known-hosts-github
ssh-known-hosts-sas-gitlab
ssh-known-hosts-sas-gerrit
];
};
};
};


@@ -2,13 +2,20 @@
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ ... }:
{ inputs, system, ... }:
let
selfPkgs = inputs.self.packages.${system};
in
{
home-manager.users.${user}.programs.ssh.matchBlocks = {
"cldlgn.fyi.sas.com" = {
inherit user;
hostname = "cldlgn.fyi.sas.com";
identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
home-manager.users.${user}.programs.ssh = {
matchBlocks = {
"cldlgn.fyi.sas.com" = {
inherit user;
hostname = "cldlgn.fyi.sas.com";
identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
};
};
userKnownHostsFiles = with selfPkgs; [ ssh-known-hosts-sas-cldlgn ];
};
}


@@ -1,8 +1,6 @@
{ config, inputs, ... }:
{
imports = [
../../lib
inputs.disko.nixosModules.disko
./format.nix


@@ -2,7 +2,15 @@
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ ... }:
{
inputs,
lib,
system,
...
}:
let
selfPkgs = inputs.self.packages.${system};
in
{
home-manager.users.${user} = {
sops.secrets = {
@@ -17,12 +25,16 @@
};
};
programs.ssh.matchBlocks = {
"github.com" = {
hostname = "github.com";
user = "git";
identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
programs.ssh = {
matchBlocks = {
"github.com" = {
hostname = "github.com";
user = "git";
identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
};
};
userKnownHostsFiles = with selfPkgs; [ ssh-known-hosts-github ];
};
};
}


@@ -1,6 +1,5 @@
{ pkgs, ... }:
{
lib = {
runtime = import ./runtime { inherit pkgs; };
};
fetchers = import ./fetchers { inherit pkgs; };
runtime = import ./runtime { inherit pkgs; };
}

4
lib/fetchers/default.nix Normal file

@@ -0,0 +1,4 @@
{ pkgs, ... }:
{
sshKnownHosts = import ./sshKnownHosts { inherit pkgs; };
}


@@ -0,0 +1,33 @@
{ pkgs, ... }:
pkgs.lib.fetchers.withNormalizedHash { } (
{
host,
name ? "ssh-known-hosts-${host}",
outputHash,
outputHashAlgo,
port ? 22,
keyTypes ? [
"rsa"
"ecdsa"
"ed25519"
],
}:
let
keyTypeArgs = pkgs.lib.concatStringsSep "," keyTypes;
in
pkgs.runCommand name
{
inherit outputHash outputHashAlgo;
outputHashMode = "flat";
preferLocalBuild = true;
nativeBuildInputs = with pkgs; [
openssh
gnugrep
coreutils
];
}
''
ssh-keyscan -p ${toString port} -t ${keyTypeArgs} ${host} | grep -v '^#' | sort > $out
''
)
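Review bot: `ssh-keyscan` exits 0 when the host is unreachable, filtered or offers none of the requested key types, so the pipeline on the last line can write an empty `$out` without failing; that matters at the moment the fixed-output hash is first computed, where an empty file would be hashed and then silently trusted as "the known hosts" for that server. Add a guard after the redirect, e.g. `test -s "$out" || { echo "ssh-keyscan returned no keys for ${host}:${toString port}" >&2; exit 1; }`. Separately, the hash only pins whatever the network returned at that first scan — trust-on-first-use from the build machine — so the fetcher deserves a header comment saying that the scanned keys must be compared against an out-of-band source (the operator's published fingerprints) before the hash is committed, and that a later hash mismatch means the host rotated its keys or the first scan was tampered with.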


@@ -148,8 +148,6 @@ cat <<EOF > "./hosts/$host/default.nix"
{ inputs, ... }:
{
imports = [
../../lib
inputs.disko.nixosModules.disko
./format.nix


@@ -1,4 +1,9 @@
{ pkgs, ... }:
{
pkgs,
inputs,
system,
...
}:
{
darktable-ghost-cms-publish = import ./darktable/ghost-cms-publish { inherit pkgs; };
darktable-hald-clut = import ./darktable/hald-clut { inherit pkgs; };
@@ -22,7 +27,13 @@
obsidian-theme-minimal = import ./obsidian/themes/minimal { inherit pkgs; };
ssh-known-hosts-github = import ./ssh/known-hosts/github { inherit pkgs inputs system; };
# SAS
ssh-known-hosts-sas-cldlgn = import ./ssh/known-hosts/sas/cldlgn { inherit pkgs inputs system; };
ssh-known-hosts-sas-gerrit = import ./ssh/known-hosts/sas/gerrit { inherit pkgs inputs system; };
ssh-known-hosts-sas-gitlab = import ./ssh/known-hosts/sas/gitlab { inherit pkgs inputs system; };
viya4-ark = import ./sas/viya4-ark { inherit pkgs; };
viya4-orders-cli = import ./sas/viya4-orders-cli { inherit pkgs; };


@@ -0,0 +1,22 @@
{
pkgs,
inputs,
system,
...
}:
# AUTO-UPDATE: echo "Warning: Package using custom fetcher cannot be automatically updated." >&2
pkgs.stdenv.mkDerivation rec {
pname = "ssh-known-hosts-github";
version = "0-unstable-2025-02-25";
src = inputs.self.lib.${system}.fetchers.sshKnownHosts {
host = "github.com";
hash = "sha256-wkNdynz7rhZvfXSAXDpQ2sk40afKAPeYHQ8Ei44CICI=";
};
phases = [ "installPhase" ];
installPhase = ''
cp $src $out
'';
}
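Review bot: The pinned `hash` records whatever `ssh-keyscan` returned when it was first computed, so the trust decision for github.com is a trust-on-first-use from the machine that ran the scan; GitHub publishes its SSH host key fingerprints out of band, and the scan result should be checked against them before this hash lands in the repo. A comment here would let the next hash update repeat the check, e.g. `# Scanned 2025-02-25 and verified against GitHub's published host key fingerprints; a hash mismatch on rebuild means GitHub rotated keys or the scan was tampered with.`. Minor: `rec` is unnecessary on this `mkDerivation` since no attribute refers to another.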


@@ -0,0 +1,22 @@
{
pkgs,
inputs,
system,
...
}:
# AUTO-UPDATE: echo "Warning: Package using custom fetcher cannot be automatically updated." >&2
pkgs.stdenv.mkDerivation rec {
pname = "ssh-known-hosts-sas-cldlgn";
version = "0-unstable-2025-02-25";
src = inputs.self.lib.${system}.fetchers.sshKnownHosts {
host = "cldlgn.fyi.sas.com";
hash = "sha256-HymFic00RROW1tC4sQe5QdDM7D8IDeTdKe8rWU6xhZM=";
};
phases = [ "installPhase" ];
installPhase = ''
cp $src $out
'';
}


@@ -0,0 +1,22 @@
{
pkgs,
inputs,
system,
...
}:
# AUTO-UPDATE: echo "Warning: Package using custom fetcher cannot be automatically updated." >&2
pkgs.stdenv.mkDerivation rec {
pname = "ssh-known-hosts-sas-gerrit";
version = "0-unstable-2025-02-25";
src = inputs.self.lib.${system}.fetchers.sshKnownHosts {
host = "gerrit-svi.unx.sas.com";
hash = "sha256-+lvC19RyBWFhEwEdXIb/xwEyGuKnatkgOsmhAc583kA=";
};
phases = [ "installPhase" ];
installPhase = ''
cp $src $out
'';
}
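Review bot: This package scans `gerrit-svi.unx.sas.com` on the fetcher's default `port = 22`, but the match block for that host elsewhere in this commit connects on `port = 29418`; OpenSSH looks up non-standard ports under the `[host]:port` form, so an entry scanned as plain `gerrit-svi.unx.sas.com` will never match a connection to `[gerrit-svi.unx.sas.com]:29418`, the user keeps getting the unknown-host prompt, and the key recorded is that of whatever listens on 22 rather than Gerrit's own sshd. Pass `port = 29418;` to the fetcher alongside `host` and recompute `hash`.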


@@ -0,0 +1,22 @@
{
pkgs,
inputs,
system,
...
}:
# AUTO-UPDATE: echo "Warning: Package using custom fetcher cannot be automatically updated." >&2
pkgs.stdenv.mkDerivation rec {
pname = "ssh-known-hosts-sas-gitlab";
version = "0-unstable-2025-02-25";
src = inputs.self.lib.${system}.fetchers.sshKnownHosts {
host = "gitlab.sas.com";
hash = "sha256-gJGM6bG+u+XS2UdyYtK7MXP2r8w3tX/1kJmsDpyFKWI=";
};
phases = [ "installPhase" ];
installPhase = ''
cp $src $out
'';
}