openssh known hosts: ignore hosts without aliases

2022-07-15 10:27:30 +02:00 · 2022-07-15 10:27:30 +02:00 · faf453da0b
commit faf453da0b
parent 9b37b535f4
1 changed files with 47 additions and 34 deletions
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@ -138,41 +138,54 @@ let
        let inherit (config.krebs.build.host.ssh) privkey; in
        mkIf (privkey != null) [privkey];

-      # TODO use imports for merging
      services.openssh.knownHosts =
-        (let inherit (config.krebs.build.host.ssh) pubkey; in
-          optionalAttrs (pubkey != null) {
-            localhost = {
-              hostNames = ["localhost" "127.0.0.1" "::1"];
-              publicKey = pubkey;
-            };
-          })
-        //
-        mapAttrs
-          (name: host: {
-            hostNames =
-              concatLists
-                (mapAttrsToList
-                  (net-name: net:
-                    let
-                      longs = net.aliases;
-                      shorts =
-                        optionals
-                          (cfg.dns.search-domain != null)
-                          (map (removeSuffix ".${cfg.dns.search-domain}")
-                               (filter (hasSuffix ".${cfg.dns.search-domain}")
-                                       longs));
-                      add-port = a:
-                        if net.ssh.port != 22
-                          then "[${a}]:${toString net.ssh.port}"
-                          else a;
-                    in
-                    map add-port (shorts ++ longs ++ net.addrs))
-                  host.nets);
-
-            publicKey = host.ssh.pubkey;
-          })
-          (filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts);
+        filterAttrs
+          (knownHostName: knownHost:
+            knownHost.publicKey != null &&
+            knownHost.hostNames != []
+          )
+          (mapAttrs
+            (hostName: host: {
+              hostNames =
+                concatLists
+                  (mapAttrsToList
+                    (netName: net:
+                      let
+                        aliases =
+                          concatLists [
+                            shortAliases
+                            net.aliases
+                            net.addrs
+                          ];
+                        shortAliases =
+                          optionals
+                            (cfg.dns.search-domain != null)
+                            (map (removeSuffix ".${cfg.dns.search-domain}")
+                                 (filter (hasSuffix ".${cfg.dns.search-domain}")
+                                         net.aliases));
+                        addPort = alias:
+                          if net.ssh.port != 22
+                            then "[${alias}]:${toString net.ssh.port}"
+                            else alias;
+                      in
+                      map addPort aliases
+                    )
+                    host.nets);
+              publicKey = host.ssh.pubkey;
+            })
+            (foldl' mergeAttrs {} [
+              cfg.hosts
+              {
+                localhost = {
+                  nets.local = {
+                    addrs = [ "127.0.0.1" "::1" ];
+                    aliases = [ "localhost" ];
+                    ssh.port = 22;
+                  };
+                  ssh.pubkey = config.krebs.build.host.ssh.pubkey;
+                };
+              }
+            ]));

      programs.ssh.extraConfig = concatMapStrings
        (net: ''