openssh known hosts: ignore hosts without aliases

This commit is contained in:
tv 2022-07-15 10:27:30 +02:00
parent 9b37b535f4
commit faf453da0b


@ -138,41 +138,54 @@ let
let inherit (config.krebs.build.host.ssh) privkey; in let inherit (config.krebs.build.host.ssh) privkey; in
mkIf (privkey != null) [privkey]; mkIf (privkey != null) [privkey];
# TODO use imports for merging
services.openssh.knownHosts = services.openssh.knownHosts =
(let inherit (config.krebs.build.host.ssh) pubkey; in filterAttrs
optionalAttrs (pubkey != null) { (knownHostName: knownHost:
localhost = { knownHost.publicKey != null &&
hostNames = ["localhost" "127.0.0.1" "::1"]; knownHost.hostNames != []
publicKey = pubkey; )
}; (mapAttrs
}) (hostName: host: {
//
mapAttrs
(name: host: {
hostNames = hostNames =
concatLists concatLists
(mapAttrsToList (mapAttrsToList
(net-name: net: (netName: net:
let let
longs = net.aliases; aliases =
shorts = concatLists [
shortAliases
net.aliases
net.addrs
];
shortAliases =
optionals optionals
(cfg.dns.search-domain != null) (cfg.dns.search-domain != null)
(map (removeSuffix ".${cfg.dns.search-domain}") (map (removeSuffix ".${cfg.dns.search-domain}")
(filter (hasSuffix ".${cfg.dns.search-domain}") (filter (hasSuffix ".${cfg.dns.search-domain}")
longs)); net.aliases));
add-port = a: addPort = alias:
if net.ssh.port != 22 if net.ssh.port != 22
then "[${a}]:${toString net.ssh.port}" then "[${alias}]:${toString net.ssh.port}"
else a; else alias;
in in
map add-port (shorts ++ longs ++ net.addrs)) map addPort aliases
)
host.nets); host.nets);
publicKey = host.ssh.pubkey; publicKey = host.ssh.pubkey;
}) })
(filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts); (foldl' mergeAttrs {} [
cfg.hosts
{
localhost = {
nets.local = {
addrs = [ "127.0.0.1" "::1" ];
aliases = [ "localhost" ];
ssh.port = 22;
};
ssh.pubkey = config.krebs.build.host.ssh.pubkey;
};
}
]));
programs.ssh.extraConfig = concatMapStrings programs.ssh.extraConfig = concatMapStrings
(net: '' (net: ''