path: root/modules/ssh/default.nix
blob: 8123fe2aa0f8f76a3b02a81eb151adddd0e9b2f9 (plain) (blame)
# SSH client defaults: short host aliases, a default user for github.com, and
# a pinned host-certificate authority for edef.eu.
{ pkgs, ... }:

let
  # SSH-format public key exported from the OpenPGP key published at
  # https://edef.eu/edef.asc.
  #
  # The outputHash* attributes make this a fixed-output derivation: the build
  # may reach the network, and Nix rejects the result unless it hashes to
  # exactly outputHash. That hash, together with the full fingerprint handed
  # to gpg (the trailing `!` makes gpg use exactly that key instead of
  # choosing a subkey itself), is what pins the key. curl also verifies TLS
  # against the nixpkgs CA bundle given via --cacert, but the HTTPS fetch is
  # only transport, not the trust anchor.
  #
  # NOTE(review): if this build ever fails with a hash mismatch, confirm the
  # new key out of band before changing outputHash. Copying the hash from the
  # error message would trust whatever the server returned.
  edefHostCaKey = pkgs.runCommand "edef.eu" {
    nativeBuildInputs = [ pkgs.curl pkgs.gnupg ];
    outputHashAlgo = "sha256";
    outputHashMode = "recursive";
    outputHash = "1n3136v4yl5w5g2dg874v3sk8a6a3346hrhk8an6kmm2zc6z2j1v";
  } ''
    set -ueo pipefail
    export GNUPGHOME="$PWD/gnupg"
    mkdir -m 0700 "$GNUPGHOME"
    curl -fL --cacert ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt \
        https://edef.eu/edef.asc | gpg --import
    gpg --output $out --export-ssh-key '87FC9CBBD39FB2B36EE3D86994D3730D803010E7!'
  '';
in
{
  programs.ssh = {
    # Aliases: %h expands to the name typed on the command line, so
    # `ssh uhura` connects to uhura.edef.eu. The Match block makes `git` the
    # login user for github.com.
    extraConfig = ''
      Host uhura spock
        HostName %h.edef.eu

      Host hyperion
        HostName %h.kookie.space

      Host atuin
        HostName %h.qyliss.net

      Match host github.com
        User git
    '';

    knownHosts = [
      {
        # The `@cert-authority` marker is carried inside the hostNames string
        # so that the generated known_hosts line marks this key as a CA: any
        # host certificate it signs is then accepted for edef.eu and
        # *.edef.eu, and for no other names.
        # NOTE(review): this presumably relies on the module writing
        # hostNames verbatim at the start of the known_hosts line; verify
        # against the NixOS release in use.
        hostNames = [ "@cert-authority edef.eu,*.edef.eu" ];
        publicKeyFile = edefHostCaKey;
      }
    ];
  };
}