-rw-r--r--tw/home/common.scm131
1 files changed, 61 insertions, 70 deletions
diff --git a/tw/home/common.scm b/tw/home/common.scm
index 46cf8799..17b00666 100644
--- a/tw/home/common.scm
+++ b/tw/home/common.scm
@@ -1,11 +1,13 @@
(define-module (tw home common)
+ #:use-module (ice-9 string-fun)
#:use-module (gnu)
#:use-module (gnu home services)
#:use-module (gnu home services shells)
#:use-module (gnu home services shepherd)
#:use-module (gnu home services ssh)
#:use-module (guix gexp)
- #:use-module (tw packages shell))
+ #:use-module (tw packages shell)
+ #:use-module (tw system common))
(use-package-modules admin compression curl databases disk dns file finance
gnupg graphviz imagemagick less linux lisp maths
@@ -59,6 +61,12 @@ auto-expand-secmem
(stop #~(lambda _
(invoke "gpg-connect-agent" "killagent" "/bye"))))))))
+(define (wireguardify host)
+ (string-replace-substring host ".twilken.net" ".wg"))
+
+(define (make-own-ssh-host host port)
+ (openssh-host (name host) (port port) (user "timo")))
+
(define-public common-services
(list
(service home-zsh-service-type
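Review bot: `wireguardify` returns its argument unchanged when the host name contains no `.twilken.net` substring, and since the later hunk maps it over every entry of `%ssh-ports`, any host without that suffix would produce two identical `openssh-host` entries (presumably harmless, but confusing in the generated ssh_config). A one-line docstring would make the contract explicit: `"Return the WireGuard-side name of HOST by replacing `.twilken.net` with `.wg`; HOST is returned unchanged if the substring is absent."`. `%ssh-ports` comes from `(tw system common)` and is not visible here, so whether this case actually occurs cannot be confirmed from the diff.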
@@ -161,73 +169,56 @@ auto-expand-secmem
(service home-openssh-service-type
(home-openssh-configuration
(hosts
- (let ((my-hosts/ports
- '(("vin.twilken.net" . 22022)
- ("vin.wg" . 22022)
- ("pi3.twilken.net" . 51022)
- ("pi3.wg" . 51022)
- ("lud.twilken.net" . 22022)
- ("lud.wg" . 22022)
- ("matrix.twilken.net" . 22022)))
- (git-hosts
- '("github.com" "ssh.github.com" "bitbucket.org" "gitlab.cern.ch"))
- (cern-ci-hosts/users
- '(("alimonitor.cern.ch" . "alibuild")
- ("alinsure.cern.ch" . "alibuild")
- ("alibuildmac*.cern.ch" . "alibuild")
- ("aido*osx*.cern.ch" . "alibuild")
- ("alibuild*.cern.ch" . "root")
- ("alissandra*.cern.ch" . "root")
- ("alimesos*.cern.ch" . "root")
- ("alientest*.cern.ch" . "root")
- ("aliflow*.cern.ch" . "root")
- ("alijenkins*.cern.ch" . "root"))))
-
- (define (cern-extra-content delegate-kerberos-credentials?)
- (string-append "\
-# Kerberos authentication
-GSSAPIAuthentication yes
-GSSAPIDelegateCredentials " (if delegate-kerberos-credentials? "yes" "no") "
-PreferredAuthentications gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
-ProxyJump \"twilken@lxplus.cern.ch\"
+ ;; Earlier rules take precedence over later ones.
+ `(,(openssh-host (name "*.srcf.net") (user "tw466"))
+ ;; My own machines
+ ,@(map make-own-ssh-host (map car %ssh-ports) (map cdr %ssh-ports))
+ ,@(map make-own-ssh-host (map (compose wireguardify car) %ssh-ports) (map cdr %ssh-ports))
+ ,(openssh-host (name "*.fritz.box") (proxy-command "ssh -v -W '[%h]:%p' lud.twilken.net"))
+ ;; Git hosts
+ ,@(map (lambda (host) (openssh-host (name host) (user "git")))
+ '("github.com" "ssh.github.com" "bitbucket.org"))
+ ,(openssh-host (name "gitlab.cern.ch") (port 7999) (user "git") (proxy-command "none"))
+ ;; BitBucket apparently only supports ssh-rsa.
+ ,(openssh-host
+ (name "bitbucket.org")
+ (host-key-algorithms '("+ssh-rsa"))
+ (accepted-key-types '("+ssh-rsa")))
+ ;; CERN stuff
+ ,(openssh-host (name "lxplus.cern.ch") (proxy-command "none")) ; avoid ProxyJump loops
+ ,(openssh-host
+ (name "twilkendesktop.cern.ch")
+ (port 22022)
+ (forward-x11? #t)
+ (extra-content "GSSAPIDelegateCredentials yes"))
+ ,@(map (lambda (spec)
+ (openssh-host (name (car spec)) (user (cdr spec))
+ (identity-file "~/.local/share/ssh-keys/alicern_id_rsa")))
+ '(("alimonitor.cern.ch" . "alibuild")
+ ("alinsure.cern.ch" . "alibuild")
+ ("alibuildmac*.cern.ch" . "alibuild")
+ ("aido*osx*.cern.ch" . "alibuild")
+ ("alibuild*.cern.ch" . "root")
+ ("alissandra*.cern.ch" . "root")
+ ("alimesos*.cern.ch" . "root")
+ ("alientest*.cern.ch" . "root")
+ ("aliflow*.cern.ch" . "root")
+ ("alijenkins*.cern.ch" . "root")))
+ ,(openssh-host
+ (name "*.cern.ch")
+ (user "twilken")
+ (identity-file "~/.local/share/ssh-keys/cern_id_rsa")
+ (proxy-command "ssh -v -W '[%h]:%p' -l twilken lxplus.cern.ch")
+ (extra-content "\
+ # Kerberos authentication
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials no
+ PreferredAuthentications gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
"))
-
- ;; Earlier rules take precedence over later ones.
- `(,(openssh-host (name "*.srcf.net") (user "tw466"))
- ,(openssh-host (name "*.fritz.box")
- (extra-content "ProxyJump lud.twilken.net"))
- ,@(map (lambda (host port)
- (openssh-host (name host) (port port) (user "timo")))
- (map car my-hosts/ports)
- (map cdr my-hosts/ports))
- ,@(map (lambda (host) (openssh-host (name host) (user "git"))) git-hosts)
- ;; BitBucket apparently only supports ssh-rsa.
- ,(openssh-host (name "bitbucket.org")
- (host-key-algorithms '("+ssh-rsa"))
- (accepted-key-types '("+ssh-rsa")))
- ,(openssh-host (name "gitlab.cern.ch")
- (port 7999)
- (extra-content "ProxyJump none")) ; no jump needed
- ;; Avoid ProxyJump loops.
- ,(openssh-host (name "lxplus.cern.ch")
- (extra-content "ProxyJump none"))
- ,(openssh-host (name "twilkendesktop.cern.ch")
- (port 22022)
- (forward-x11? #t)
- (extra-content (cern-extra-content #t)))
- ,@(map (lambda (host user)
- (openssh-host (name host)
- (user user)
- (identity-file "~/.local/share/ssh-keys/alicern_id_rsa")))
- (map car cern-ci-hosts/users)
- (map cdr cern-ci-hosts/users))
- ,(openssh-host (name "*.cern.ch")
- (user "twilken")
- (identity-file "~/.local/share/ssh-keys/cern_id_rsa")
- (extra-content (cern-extra-content #f)))
- ;; Default SSH key. This isn't in ~/.ssh as `home-openssh-service-type'
- ;; manages that and might delete keys there.
- ,(openssh-host (name "*")
- (identity-file "~/.local/share/ssh-keys/id_rsa")
- ;; Remote servers probably don't know about xterm-kitty.
- (extra-content "SetEnv TERM=xterm-256color")))))))))
+ ;; Default SSH key. This isn't in ~/.ssh as `home-openssh-service-type'
+ ;; manages that and might delete keys there.
+ ,(openssh-host
+ (name "*")
+ (identity-file "~/.local/share/ssh-keys/id_rsa")
+ ;; Remote servers probably don't know about xterm-kitty.
+ (extra-content "SetEnv TERM=xterm-256color"))))))))
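Review bot: The `twilkendesktop.cern.ch` entry's extra-content now carries only `GSSAPIDelegateCredentials yes`; the `GSSAPIAuthentication yes`, `PreferredAuthentications`, identity file and lxplus proxy it previously received from `cern-extra-content #t` are now supplied by the `*.cern.ch` block further down. That works because ssh_config keeps the first value seen per option and continues reading later matching blocks for options still unset, but it reads against the "Earlier rules take precedence over later ones" comment, so a note on that entry such as `;; GSSAPIAuthentication, IdentityFile and the lxplus ProxyCommand fall through from *.cern.ch below.` would spare the next reader the reconstruction. Separately, the proxy commands on `*.fritz.box` and `*.cern.ch` both pass `-v`, so every hop prints debug output to stderr on each connection; unless that is intended, the plain `ssh -W '[%h]:%p' lud.twilken.net` form is the usual one. The enclosing `common-services` definition begins before this hunk.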