openssh known hosts: ignore hosts without aliases

krebs/3modules/default.nix

@@ -138,41 +138,54 @@ let
         let inherit (config.krebs.build.host.ssh) privkey; in
         mkIf (privkey != null) [privkey];
 
-      # TODO use imports for merging
       services.openssh.knownHosts =
-        (let inherit (config.krebs.build.host.ssh) pubkey; in
+        filterAttrs
-          optionalAttrs (pubkey != null) {
+          (knownHostName: knownHost:
-            localhost = {
+            knownHost.publicKey != null &&
-              hostNames = ["localhost" "127.0.0.1" "::1"];
+            knownHost.hostNames != []
-              publicKey = pubkey;
+          )
-            };
+          (mapAttrs
-          })
+            (hostName: host: {
-        //
+              hostNames =
-        mapAttrs
+                concatLists
-          (name: host: {
+                  (mapAttrsToList
-            hostNames =
+                    (netName: net:
-              concatLists
+                      let
-                (mapAttrsToList
+                        aliases =
-                  (net-name: net:
+                          concatLists [
-                    let
+                            shortAliases
-                      longs = net.aliases;
+                            net.aliases
-                      shorts =
+                            net.addrs
-                        optionals
+                          ];
-                          (cfg.dns.search-domain != null)
+                        shortAliases =
-                          (map (removeSuffix ".${cfg.dns.search-domain}")
+                          optionals
-                               (filter (hasSuffix ".${cfg.dns.search-domain}")
+                            (cfg.dns.search-domain != null)
-                                       longs));
+                            (map (removeSuffix ".${cfg.dns.search-domain}")
-                      add-port = a:
+                                 (filter (hasSuffix ".${cfg.dns.search-domain}")
-                        if net.ssh.port != 22
+                                         net.aliases));
-                          then "[${a}]:${toString net.ssh.port}"
+                        addPort = alias:
-                          else a;
+                          if net.ssh.port != 22
-                    in
+                            then "[${alias}]:${toString net.ssh.port}"
-                    map add-port (shorts ++ longs ++ net.addrs))
+                            else alias;
-                  host.nets);
+                      in
-
+                      map addPort aliases
-            publicKey = host.ssh.pubkey;
+                    )
-          })
+                    host.nets);
-          (filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts);
+              publicKey = host.ssh.pubkey;
+            })
+            (foldl' mergeAttrs {} [
+              cfg.hosts
+              {
+                localhost = {
+                  nets.local = {
+                    addrs = [ "127.0.0.1" "::1" ];
+                    aliases = [ "localhost" ];
+                    ssh.port = 22;
+                  };
+                  ssh.pubkey = config.krebs.build.host.ssh.pubkey;
+                };
+              }
+            ]));
 
       programs.ssh.extraConfig = concatMapStrings
         (net: ''