Add declarative ssh known hosts

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-25 12:28:22 +00:00
parent f843deafbe
commit a3dc4129d6
22 changed files with 258 additions and 79 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -115,11 +115,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1740348184,
+        "lastModified": 1740485474,
-        "narHash": "sha256-NnMzG2GYQJRrFTjvZBkaIE41EBekaMfIWiiEvxhvUTU=",
+        "narHash": "sha256-g3f5UTD/VEZoSrvwXy1aW/3470Gz/M6vkucM+5f0ZkU=",
        "owner": "karaolidis",
        "repo": "home-manager",
-        "rev": "6db31ab82b2b0d6bad4691a238073401120f673c",
+        "rev": "c4ace2196b7df8f582e624b2b54ec5a7ab353549",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -168,7 +168,9 @@
      in
      {
        devShells = import ./hosts/common/shells { inherit pkgs; };
-        packages = import ./packages { inherit pkgs; };
+        lib = import ./lib { inherit pkgs; };
        packages = import ./packages { inherit pkgs inputs system; };
        formatter = treefmt.config.build.wrapper;
        checks.formatting = treefmt.config.build.check self;
      }
--- a/hosts/common/configs/user/console/ssh/default.nix
+++ b/hosts/common/configs/user/console/ssh/default.nix
@@ -4,14 +4,5 @@
 }:
 { ... }:
 {
-  environment.persistence."/persist"."${home}/.ssh/known_hosts" = { };
+  home-manager.users.${user}.programs.ssh.enable = true;
  home-manager.users.${user} = {
    programs.ssh = {
      enable = true;
      userKnownHostsFile = "${home}/.ssh/known_hosts/default";
    };
    systemd.user.tmpfiles.rules = [ "d ${home}/.ssh/known_hosts 0755 ${user} users" ];
  };
 }
--- a/hosts/common/configs/user/gui/spicetify/default.nix
+++ b/hosts/common/configs/user/gui/spicetify/default.nix
@@ -10,6 +10,7 @@
  ...
 }:
 let
  selfLib = inputs.self.lib.${system};
  hmConfig = config.home-manager.users.${user};
 in
 {
@@ -64,7 +65,7 @@ in
      "spotify/prefs.init" = {
        source = ./config/prefs;
        onChange = ''
-          ${config.lib.runtime.merge.keyValue} "${home}/.config/spotify/prefs.init" "${home}/.config/spotify/prefs"
+          ${selfLib.runtime.merge.keyValue} "${home}/.config/spotify/prefs.init" "${home}/.config/spotify/prefs"
        '';
      };
@@ -72,7 +73,7 @@ in
        source = ./config/prefs-user;
        onChange = ''
          user = $(cat "${hmConfig.sops.secrets."spotify/username".path}")
-          ${config.lib.runtime.merge.keyValue} "${home}/.config/spotify/prefs-user.init" "${home}/.config/spotify/Users/''${user}-user/prefs"
+          ${selfLib.runtime.merge.keyValue} "${home}/.config/spotify/prefs-user.init" "${home}/.config/spotify/Users/''${user}-user/prefs"
        '';
      };
    };
--- a/hosts/eirene/default.nix
+++ b/hosts/eirene/default.nix
@@ -1,8 +1,6 @@
 { inputs, ... }:
 {
  imports = [
    ../../lib
    inputs.disko.nixosModules.disko
    ./format.nix
--- a/hosts/eirene/users/nick/configs/console/git/default.nix
+++ b/hosts/eirene/users/nick/configs/console/git/default.nix
@@ -2,7 +2,15 @@
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
-{ ... }:
+{
  inputs,
  lib,
  system,
  ...
 }:
 let
  selfPkgs = inputs.self.packages.${system};
 in
 {
  home-manager.users.${user} = {
    sops.secrets = {
@@ -17,12 +25,16 @@
      };
    };
-    programs.ssh.matchBlocks = {
+    programs.ssh = {
      matchBlocks = {
        "github.com" = {
          hostname = "github.com";
          user = "git";
          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
        };
      };
      userKnownHostsFiles = with selfPkgs; [ ssh-known-hosts-github ];
    };
  };
 }
--- a/hosts/elara/configs/git/default.nix
+++ b/hosts/elara/configs/git/default.nix
@@ -1,4 +1,7 @@
-{ ... }:
+{ inputs, system, ... }:
 let
  selfPkgs = inputs.self.packages.${system};
 in
 {
  sops.secrets."ssh/sas/key" = {
    sopsFile = ../../../../secrets/sas/secrets.yaml;
@@ -6,7 +9,8 @@
    path = "/root/.ssh/ssh_sas_ed25519_key";
  };
-  programs.ssh.extraConfig = ''
+  programs.ssh = {
    extraConfig = ''
      Host github.com
        User git
        HostName github.com
@@ -17,4 +21,10 @@
        HostName gitlab.sas.com
        IdentityFile /root/.ssh/ssh_sas_ed25519_key
    '';
    knownHostsFiles = with selfPkgs; [
      ssh-known-hosts-github
      ssh-known-hosts-sas-gitlab
    ];
  };
 }
--- a/hosts/elara/default.nix
+++ b/hosts/elara/default.nix
@@ -1,8 +1,6 @@
 { config, inputs, ... }:
 {
  imports = [
    ../../lib
    inputs.disko.nixosModules.disko
    ./format.nix
--- a/hosts/elara/users/nikara/configs/console/git/default.nix
+++ b/hosts/elara/users/nikara/configs/console/git/default.nix
@@ -2,7 +2,16 @@
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
-{ lib, pkgs, ... }:
+{
  inputs,
  lib,
  system,
  pkgs,
  ...
 }:
 let
  selfPkgs = inputs.self.packages.${system};
 in
 {
  home-manager.users.${user} = {
    sops.secrets = {
@@ -26,7 +35,8 @@
        }
      );
-      ssh.matchBlocks = {
+      ssh = {
        matchBlocks = {
          "github.com" = {
            hostname = "github.com";
            user = "git";
@@ -49,6 +59,13 @@
            identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
          };
        };
        userKnownHostsFiles = with selfPkgs; [
          ssh-known-hosts-github
          ssh-known-hosts-sas-gitlab
          ssh-known-hosts-sas-gerrit
        ];
      };
    };
  };
 }
--- a/hosts/elara/users/nikara/configs/console/ssh/default.nix
+++ b/hosts/elara/users/nikara/configs/console/ssh/default.nix
@@ -2,13 +2,20 @@
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
-{ ... }:
+{ inputs, system, ... }:
 let
  selfPkgs = inputs.self.packages.${system};
 in
 {
-  home-manager.users.${user}.programs.ssh.matchBlocks = {
+  home-manager.users.${user}.programs.ssh = {
    matchBlocks = {
      "cldlgn.fyi.sas.com" = {
        inherit user;
        hostname = "cldlgn.fyi.sas.com";
        identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
      };
    };
    userKnownHostsFiles = with selfPkgs; [ ssh-known-hosts-sas-cldlgn ];
  };
 }
--- a/hosts/installer/default.nix
+++ b/hosts/installer/default.nix
@@ -1,8 +1,6 @@
 { config, inputs, ... }:
 {
  imports = [
    ../../lib
    inputs.disko.nixosModules.disko
    ./format.nix
--- a/hosts/installer/users/nick/configs/console/git/default.nix
+++ b/hosts/installer/users/nick/configs/console/git/default.nix
@@ -2,7 +2,15 @@
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
-{ ... }:
+{
  inputs,
  lib,
  system,
  ...
 }:
 let
  selfPkgs = inputs.self.packages.${system};
 in
 {
  home-manager.users.${user} = {
    sops.secrets = {
@@ -17,12 +25,16 @@
      };
    };
-    programs.ssh.matchBlocks = {
+    programs.ssh = {
      matchBlocks = {
        "github.com" = {
          hostname = "github.com";
          user = "git";
          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
        };
      };
      userKnownHostsFiles = with selfPkgs; [ ssh-known-hosts-github ];
    };
  };
 }
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,6 +1,5 @@
 { pkgs, ... }:
 {
-  lib = {
+  fetchers = import ./fetchers { inherit pkgs; };
  runtime = import ./runtime { inherit pkgs; };
  };
 }
--- a/lib/fetchers/default.nix
+++ b/lib/fetchers/default.nix
@@ -0,0 +1,4 @@
 { pkgs, ... }:
 {
  sshKnownHosts = import ./sshKnownHosts { inherit pkgs; };
 }
--- a/lib/fetchers/sshKnownHosts/default.nix
+++ b/lib/fetchers/sshKnownHosts/default.nix
@@ -0,0 +1,33 @@
 { pkgs, ... }:
 pkgs.lib.fetchers.withNormalizedHash { } (
  {
    host,
    name ? "ssh-known-hosts-${host}",
    outputHash,
    outputHashAlgo,
    port ? 22,
    keyTypes ? [
      "rsa"
      "ecdsa"
      "ed25519"
    ],
  }:
  let
    keyTypeArgs = pkgs.lib.concatStringsSep "," keyTypes;
  in
  pkgs.runCommand name
    {
      inherit outputHash outputHashAlgo;
      outputHashMode = "flat";
      preferLocalBuild = true;
      nativeBuildInputs = with pkgs; [
        openssh
        gnugrep
        coreutils
      ];
    }
    ''
      ssh-keyscan -p ${toString port} -t ${keyTypeArgs} ${host} | grep -v '^#' | sort > $out
    ''
 )
--- a/lib/scripts/add-host.sh
+++ b/lib/scripts/add-host.sh
@@ -148,8 +148,6 @@ cat <<EOF > "./hosts/$host/default.nix"
 { inputs, ... }:
 {
  imports = [
    ../../lib
    inputs.disko.nixosModules.disko
    ./format.nix
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, ... }:
+{
  pkgs,
  inputs,
  system,
  ...
 }:
 {
  darktable-ghost-cms-publish = import ./darktable/ghost-cms-publish { inherit pkgs; };
  darktable-hald-clut = import ./darktable/hald-clut { inherit pkgs; };
@@ -22,7 +27,13 @@
  obsidian-theme-minimal = import ./obsidian/themes/minimal { inherit pkgs; };
  ssh-known-hosts-github = import ./ssh/known-hosts/github { inherit pkgs inputs system; };
  # SAS
  ssh-known-hosts-sas-cldlgn = import ./ssh/known-hosts/sas/cldlgn { inherit pkgs inputs system; };
  ssh-known-hosts-sas-gerrit = import ./ssh/known-hosts/sas/gerrit { inherit pkgs inputs system; };
  ssh-known-hosts-sas-gitlab = import ./ssh/known-hosts/sas/gitlab { inherit pkgs inputs system; };
  viya4-ark = import ./sas/viya4-ark { inherit pkgs; };
  viya4-orders-cli = import ./sas/viya4-orders-cli { inherit pkgs; };
--- a/packages/ssh/known-hosts/github/default.nix
+++ b/packages/ssh/known-hosts/github/default.nix
@@ -0,0 +1,22 @@
 {
  pkgs,
  inputs,
  system,
  ...
 }:
 # AUTO-UPDATE: echo "Warning: Package using custom fetcher cannot be automatically updated." >&2
 pkgs.stdenv.mkDerivation rec {
  pname = "ssh-known-hosts-github";
  version = "0-unstable-2025-02-25";
  src = inputs.self.lib.${system}.fetchers.sshKnownHosts {
    host = "github.com";
    hash = "sha256-wkNdynz7rhZvfXSAXDpQ2sk40afKAPeYHQ8Ei44CICI=";
  };
  phases = [ "installPhase" ];
  installPhase = ''
    cp $src $out
  '';
 }
--- a/packages/ssh/known-hosts/sas/cldlgn/default.nix
+++ b/packages/ssh/known-hosts/sas/cldlgn/default.nix
@@ -0,0 +1,22 @@
 {
  pkgs,
  inputs,
  system,
  ...
 }:
 # AUTO-UPDATE: echo "Warning: Package using custom fetcher cannot be automatically updated." >&2
 pkgs.stdenv.mkDerivation rec {
  pname = "ssh-known-hosts-sas-cldlgn";
  version = "0-unstable-2025-02-25";
  src = inputs.self.lib.${system}.fetchers.sshKnownHosts {
    host = "cldlgn.fyi.sas.com";
    hash = "sha256-HymFic00RROW1tC4sQe5QdDM7D8IDeTdKe8rWU6xhZM=";
  };
  phases = [ "installPhase" ];
  installPhase = ''
    cp $src $out
  '';
 }
--- a/packages/ssh/known-hosts/sas/gerrit/default.nix
+++ b/packages/ssh/known-hosts/sas/gerrit/default.nix
@@ -0,0 +1,22 @@
 {
  pkgs,
  inputs,
  system,
  ...
 }:
 # AUTO-UPDATE: echo "Warning: Package using custom fetcher cannot be automatically updated." >&2
 pkgs.stdenv.mkDerivation rec {
  pname = "ssh-known-hosts-sas-gerrit";
  version = "0-unstable-2025-02-25";
  src = inputs.self.lib.${system}.fetchers.sshKnownHosts {
    host = "gerrit-svi.unx.sas.com";
    hash = "sha256-+lvC19RyBWFhEwEdXIb/xwEyGuKnatkgOsmhAc583kA=";
  };
  phases = [ "installPhase" ];
  installPhase = ''
    cp $src $out
  '';
 }
--- a/packages/ssh/known-hosts/sas/gitlab/default.nix
+++ b/packages/ssh/known-hosts/sas/gitlab/default.nix
@@ -0,0 +1,22 @@
 {
  pkgs,
  inputs,
  system,
  ...
 }:
 # AUTO-UPDATE: echo "Warning: Package using custom fetcher cannot be automatically updated." >&2
 pkgs.stdenv.mkDerivation rec {
  pname = "ssh-known-hosts-sas-gitlab";
  version = "0-unstable-2025-02-25";
  src = inputs.self.lib.${system}.fetchers.sshKnownHosts {
    host = "gitlab.sas.com";
    hash = "sha256-gJGM6bG+u+XS2UdyYtK7MXP2r8w3tX/1kJmsDpyFKWI=";
  };
  phases = [ "installPhase" ];
  installPhase = ''
    cp $src $out
  '';
 }
--- a/submodules/home-manager
+++ b/submodules/home-manager