From 6c4a28f1e1b9c3caac9f5f171b6f5909b909872d Mon Sep 17 00:00:00 2001
From: Timo Wilken
Date: Sun, 22 Jan 2023 22:36:29 +0100
Subject: Update SSH client config to use common server config

This should make the SSH config more maintainable by putting things like SSH port numbers in one common place.
---
 tw/home/common.scm | 131 +++++++++++++++++++++++++----------------------------
 1 file changed, 61 insertions(+), 70 deletions(-)
 (limited to 'tw/home/common.scm')

diff --git a/tw/home/common.scm b/tw/home/common.scm
index 46cf8799..17b00666 100644
--- a/tw/home/common.scm
+++ b/tw/home/common.scm
@@ -1,11 +1,13 @@
 (define-module (tw home common)
+ #:use-module (ice-9 string-fun)
 #:use-module (gnu)
 #:use-module (gnu home services)
 #:use-module (gnu home services shells)
 #:use-module (gnu home services shepherd)
 #:use-module (gnu home services ssh)
 #:use-module (guix gexp)
- #:use-module (tw packages shell))
+ #:use-module (tw packages shell)
+ #:use-module (tw system common))
 
 (use-package-modules admin compression curl databases disk dns file finance gnupg graphviz imagemagick less linux lisp maths
@@ -59,6 +61,12 @@ auto-expand-secmem
 (stop #~(lambda _
 (invoke "gpg-connect-agent" "killagent" "/bye"))))))))
 
+(define (wireguardify host)
+ (string-replace-substring host ".twilken.net" ".wg"))
+
+(define (make-own-ssh-host host port)
+ (openssh-host (name host) (port port) (user "timo")))
+
 (define-public common-services
 (list
 (service home-zsh-service-type
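Review bot: `wireguardify` silently returns HOST unchanged when the name contains no `.twilken.net`, so a future `%ssh-ports` entry under another domain would produce a second Host block with the same name instead of a `.wg` alias; that contract is worth stating in a docstring, e.g. `"Return HOST with its public .twilken.net suffix replaced by the WireGuard-internal .wg suffix; other names come back unchanged."` `make-own-ssh-host` likewise deserves a one-line docstring saying it fixes the login user to `timo` for every own machine. `%ssh-ports` is imported from (tw system common) and is not visible here; the `(map car ...)`/`(map cdr ...)` callers in the later hunk suggest it is an alist of (host . port) pairs, which the docstrings could state as the expected input.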
@@ -161,73 +169,56 @@ auto-expand-secmem
 (service home-openssh-service-type
 (home-openssh-configuration
 (hosts
- (let ((my-hosts/ports
- '(("vin.twilken.net" . 22022)
- ("vin.wg" . 22022)
- ("pi3.twilken.net" . 51022)
- ("pi3.wg" . 51022)
- ("lud.twilken.net" . 22022)
- ("lud.wg" . 22022)
- ("matrix.twilken.net" . 22022)))
- (git-hosts
- '("github.com" "ssh.github.com" "bitbucket.org" "gitlab.cern.ch"))
- (cern-ci-hosts/users
- '(("alimonitor.cern.ch" . "alibuild")
- ("alinsure.cern.ch" . "alibuild")
- ("alibuildmac*.cern.ch" . "alibuild")
- ("aido*osx*.cern.ch" . "alibuild")
- ("alibuild*.cern.ch" . "root")
- ("alissandra*.cern.ch" . "root")
- ("alimesos*.cern.ch" . "root")
- ("alientest*.cern.ch" . "root")
- ("aliflow*.cern.ch" . "root")
- ("alijenkins*.cern.ch" . "root"))))
-
- (define (cern-extra-content delegate-kerberos-credentials?)
- (string-append "\
-# Kerberos authentication
-GSSAPIAuthentication yes
-GSSAPIDelegateCredentials " (if delegate-kerberos-credentials? "yes" "no") "
-PreferredAuthentications gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
-ProxyJump \"twilken@lxplus.cern.ch\"
+ ;; Earlier rules take precedence over later ones.
+ `(,(openssh-host (name "*.srcf.net") (user "tw466"))
+ ;; My own machines
+ ,@(map make-own-ssh-host (map car %ssh-ports) (map cdr %ssh-ports))
+ ,@(map make-own-ssh-host (map (compose wireguardify car) %ssh-ports) (map cdr %ssh-ports))
+ ,(openssh-host (name "*.fritz.box") (proxy-command "ssh -v -W '[%h]:%p' lud.twilken.net"))
+ ;; Git hosts
+ ,@(map (lambda (host) (openssh-host (name host) (user "git")))
+ '("github.com" "ssh.github.com" "bitbucket.org"))
+ ,(openssh-host (name "gitlab.cern.ch") (port 7999) (user "git") (proxy-command "none"))
+ ;; BitBucket apparently only supports ssh-rsa.
+ ,(openssh-host
+ (name "bitbucket.org")
+ (host-key-algorithms '("+ssh-rsa"))
+ (accepted-key-types '("+ssh-rsa")))
+ ;; CERN stuff
+ ,(openssh-host (name "lxplus.cern.ch") (proxy-command "none")) ; avoid ProxyJump loops
+ ,(openssh-host
+ (name "twilkendesktop.cern.ch")
+ (port 22022)
+ (forward-x11? #t)
+ (extra-content "GSSAPIDelegateCredentials yes"))
+ ,@(map (lambda (spec)
+ (openssh-host (name (car spec)) (user (cdr spec))
+ (identity-file "~/.local/share/ssh-keys/alicern_id_rsa")))
+ '(("alimonitor.cern.ch" . "alibuild")
+ ("alinsure.cern.ch" . "alibuild")
+ ("alibuildmac*.cern.ch" . "alibuild")
+ ("aido*osx*.cern.ch" . "alibuild")
+ ("alibuild*.cern.ch" . "root")
+ ("alissandra*.cern.ch" . "root")
+ ("alimesos*.cern.ch" . "root")
+ ("alientest*.cern.ch" . "root")
+ ("aliflow*.cern.ch" . "root")
+ ("alijenkins*.cern.ch" . "root")))
+ ,(openssh-host
+ (name "*.cern.ch")
+ (user "twilken")
+ (identity-file "~/.local/share/ssh-keys/cern_id_rsa")
+ (proxy-command "ssh -v -W '[%h]:%p' -l twilken lxplus.cern.ch")
+ (extra-content "\
+ # Kerberos authentication
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials no
+ PreferredAuthentications gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
 "))
-
- ;; Earlier rules take precedence over later ones.
- `(,(openssh-host (name "*.srcf.net") (user "tw466"))
- ,(openssh-host (name "*.fritz.box")
- (extra-content "ProxyJump lud.twilken.net"))
- ,@(map (lambda (host port)
- (openssh-host (name host) (port port) (user "timo")))
- (map car my-hosts/ports)
- (map cdr my-hosts/ports))
- ,@(map (lambda (host) (openssh-host (name host) (user "git"))) git-hosts)
- ;; BitBucket apparently only supports ssh-rsa.
- ,(openssh-host (name "bitbucket.org")
- (host-key-algorithms '("+ssh-rsa"))
- (accepted-key-types '("+ssh-rsa")))
- ,(openssh-host (name "gitlab.cern.ch")
- (port 7999)
- (extra-content "ProxyJump none")) ; no jump needed
- ;; Avoid ProxyJump loops.
- ,(openssh-host (name "lxplus.cern.ch")
- (extra-content "ProxyJump none"))
- ,(openssh-host (name "twilkendesktop.cern.ch")
- (port 22022)
- (forward-x11? #t)
- (extra-content (cern-extra-content #t)))
- ,@(map (lambda (host user)
- (openssh-host (name host)
- (user user)
- (identity-file "~/.local/share/ssh-keys/alicern_id_rsa")))
- (map car cern-ci-hosts/users)
- (map cdr cern-ci-hosts/users))
- ,(openssh-host (name "*.cern.ch")
- (user "twilken")
- (identity-file "~/.local/share/ssh-keys/cern_id_rsa")
- (extra-content (cern-extra-content #f)))
- ;; Default SSH key. This isn't in ~/.ssh as `home-openssh-service-type'
- ;; manages that and might delete keys there.
- ,(openssh-host (name "*")
- (identity-file "~/.local/share/ssh-keys/id_rsa")
- ;; Remote servers probably don't know about xterm-kitty.
- (extra-content "SetEnv TERM=xterm-256color")))))))))
+ ;; Default SSH key. This isn't in ~/.ssh as `home-openssh-service-type'
+ ;; manages that and might delete keys there.
+ ,(openssh-host
+ (name "*")
+ (identity-file "~/.local/share/ssh-keys/id_rsa")
+ ;; Remote servers probably don't know about xterm-kitty.
+ (extra-content "SetEnv TERM=xterm-256color"))))))))
-- 
cgit v1.2.3
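Review bot: Both new `proxy-command` strings invoke the inner ssh with `-v`, so every connection to a `*.fritz.box` or `*.cern.ch` host prints the jump hop's debug output on stderr; unless that is intentional, drop it: `(proxy-command "ssh -W '[%h]:%p' lud.twilken.net")` and `(proxy-command "ssh -W '[%h]:%p' -l twilken lxplus.cern.ch")`. The inner ssh should resolve `lud.twilken.net` and `lxplus.cern.ch` through this same client config, so the jump hosts take their port, user and `proxy-command "none"` from their own, earlier Host blocks; that ordering dependency deserves a comment next to the `*.fritz.box` rule, e.g. `;; The inner ssh reads lud's port/user from its own Host block above.` Likewise `twilkendesktop.cern.ch` now gets GSSAPIAuthentication, the identity file and the proxy from the later `*.cern.ch` block while keeping its own `GSSAPIDelegateCredentials yes`, which the "earlier rules take precedence" comment only partly explains. The `common-services` definition these rules belong to starts outside this hunk.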