known_hosts: GitHub is 192.30.252.0/22

krebs/3modules/default.nix

@@ -137,13 +137,22 @@ let
         mkIf (privkey != null) (mkForce [privkey]);
 
       services.openssh.knownHosts =
-        {
+        # GitHub's IPv4 address range is 192.30.252.0/22
-          github = {
+        # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
+        # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
+        # Because line length is limited by OPENSSH_LINE_MAX (= 8192),
+        # we split each /24 into its own entry.
+        listToAttrs (map
+          (c: {
+            name = "github${toString c}";
+            value = {
               hostNames = ["github.com"] ++
-              map (i: "192.30.252.${toString i}") (range 0 255);
+                map (d: "192.30.${toString c}.${toString d}") (range 0 255);
               publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
             };
-        } //
+          })
+          (range 252 255))
+        //
         mapAttrs
           (name: host: {
             hostNames =