Skip to content

Commit 5c7f993

Browse files
authored
ssh: dynamically generate known_hosts for all hosts (#362)
1 parent b353b98 commit 5c7f993

1 file changed

Lines changed: 34 additions & 0 deletions

File tree

modules/auth.nix

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,33 @@ let
99
cfg = config.ocf.auth;
1010
keytabSecretPath = ../secrets/master-keyed/keytabs + "/${config.networking.hostName}.age";
1111
hasKeytab = builtins.pathExists keytabSecretPath;
12+
13+
# sort for regular *.pub files
14+
hostKeyDir = ../secrets/host-keys;
15+
hostKeyFiles = lib.filterAttrs (
16+
filename: filetype: lib.hasSuffix ".pub" filename && filetype == "regular"
17+
) (builtins.readDir hostKeyDir);
18+
19+
# remove .pub suffix and set the value for each host to the attribute sets
20+
# that programs.ssh.knownHosts expects
21+
knownHosts = lib.concatMapAttrs (
22+
name: value:
23+
let
24+
host = lib.removeSuffix ".pub" name;
25+
in
26+
{
27+
${host} = {
28+
# TODO: add *.ocf.io and ip addresses, but i want to clean up those values
29+
# into a centrally accessible place like networking.domain first
30+
# add fqdn
31+
hostNames = [
32+
host
33+
"${host}.${config.networking.domain}"
34+
];
35+
publicKeyFile = "${hostKeyDir}/${name}";
36+
};
37+
}
38+
) hostKeyFiles;
1239
in
1340
{
1441
options.ocf.auth = {
@@ -145,6 +172,13 @@ in
145172
};
146173
};
147174

175+
# dynamically generate the known_hosts file with the public keys of all
176+
# nix hosts and directly put it on each host:
177+
# - this approach is really simple and avoids the need for managing a cert
178+
# authority.
179+
# - one drawback is that hosts need to be re-deployed to in order to
180+
# add/change a host public key.
181+
programs.ssh.knownHosts = knownHosts;
148182
services.openssh.settings = {
149183
GSSAPIAuthentication = "yes";
150184
GSSAPICleanupCredentials = "yes";

0 commit comments

Comments
 (0)