services.openssh -> programs.ssh

See https://github.com/NixOS/nixpkgs/pull/312472.

This nixpkgs PR (targeting 24.11) broke merging of attributes in the
deprecated attrset. As the deprecated attrset is likely to be removed
altogether soon, instead of reporting upstream, and all our >24.05
systems are in randomcat's repo for now, we judged that the course of
least resistance was just to patch the config on a separate branch
until 24.11 is released.

hosts.nix

@@ -115,13 +115,29 @@ with lib;
       wireguardKey = "birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA=";
     };
 
-    # kalessin = {
-    #   # hostKey = "";
-    #   endpoint = "kalessin.birdsong.network";
-    #   ipv4 = "10.127.1.3";
-    #   ipv6 = "fd70:81ca:0f8f:1::3";
-    #   # wireguardKey = "";
-    # };
+    kalessin = {
+      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPt3iSSmgnlsv1/jafgZgI7o8UuXzcAL45hID2ThfS8 root@kalessin";
+      endpoint = "kalessin.birdsong.network";
+      ipv4 = "10.127.1.3";
+      ipv6 = "fd70:81ca:0f8f:1::3";
+      wireguardKey = "9vyIoXuu1UVjV+aFeuX9LoHRBeAAsiHbrLmYQY4nsQQ=";
+    };
+
+    reese = {
+      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd0qGxvcMLDwX1bqYpwOUL5c/CIgBllMFr+bGkwiwAn root@reese";
+      endpoint = "reese.internetcat.org";
+      ipv4 = "10.127.1.5";
+      ipv6 = "fd70:81ca:0f8f:1::5";
+      wireguardKey = "K/wArdwedMwjQULPOjOrPoEwsevaRhBZ3rUrH7pNWHM=";
+    };
+
+    bear = {
+      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZ9Kn1CIcDHaleKHf7zO6O30Rbxs/FwL0/Ie+mEjZJr root@bear";
+      endpoint = "bear.internetcat.org";
+      ipv4 = "10.127.1.6";
+      ipv6 = "fd70:81ca:0f8f:1::6";
+      wireguardKey = "mXWQo1Vn2YFr7OhFNc3g7Zbcf/qnwuLx8HHCn6HKwBc=";
+    };
 
     tohru = {
       hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru";
@@ -132,14 +148,31 @@ with lib;
       wireguardKey = "lk3PCQM1jmZoI8sM/rWSyKNuZOUnjox3n9L9geJD+18=";
     };
 
-    # kilgharrah = {
-    #   # hostKey = "";
-    #   subnet = "weyrhold";
-    #   endpoint = "192.168.2.1";
-    #   ipv4 = "10.127.3.1";
-    #   ipv6 = "fd70:81ca:0f8f:3::1";
-    #   # wireguardKey = "";
-    # };
+    groves = {
+      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQNZ/Q+x7mDYfYXftpZpWkfPByyMBbYmVFobM4vSDW2 root@groves";
+      subnet = "roaming";
+      ipv4 = "10.127.2.2";
+      ipv6 = "fd70:81ca:0f8f:2::2";
+      wireguardKey = "Tsbw77gIsoa3eBWZpQwZAM6EPpq+7yS33qoFHS4tXlY=";
+    };
+
+    kilgharrah = {
+      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah";
+      subnet = "weyrhold";
+      endpoint = "192.168.2.1";
+      ipv4 = "10.127.3.1";
+      ipv6 = "fd70:81ca:0f8f:3::1";
+      wireguardKey = "LXQVU0MFKVO/mml5krHnf6NcL4GxF6XFJmvpmjrLBFA=";
+    };
+
+    elucredassa = {
+      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+Y/vqGNc1wXUAg4XMAAcLupkggywj2LpYDwA16ONbH root@elucredassa";
+      subnet = "weyrhold";
+      endpoint = "192.168.2.2";
+      ipv4 = "10.127.3.2";
+      ipv6 = "fd70:81ca:0f8f:3::2";
+      wireguardKey = "hwgf4efFNOtQwCDMpZI4uyPDjzPzHF056pWgobGaxRY=";
+    };
 
     shaw = {
       hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMC0AomCZZiUV/BCpImiV4p/vGvFaz5QNc+fJLXmS5p root@shaw";

peering.nix

@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 
-with lib;
 let
+  inherit (lib) types mkIf mkMerge mkOption mkEnableOption optionals filterAttrs mapAttrsToList;
   cfg = config.birdsong.peering;
   hostName = if null != cfg.hostName then cfg.hostName else config.networking.hostName;
   hosts = config.birdsong.hosts;
@@ -31,12 +31,27 @@ in
       type = types.bool;
     };
     privateKeyFile = mkOption {
+      default = null;
       description = ''
-        Path to the private key for this peer, as generated by `wg genkey`. Must
-        be readable by the user "systemd-network"; systemd.netdev(5) recommends
-        it be owned by "root:systemd-network" with a "0640" file mode.
+        Path to the private key for this peer, as generated by
+        {command}`wg genkey`. Must be readable by the user "systemd-network";
+        systemd.netdev(5) recommends it be owned by "root:systemd-network" with
+        a "0640" file mode. Set exactly one of this or
+        {option}`birdsong.peering.privateKeyCredential`.
       '';
-      type = types.path;
+      type = with types; nullOr str;
+    };
+    privateKeyCredential = mkOption {
+      default = null;
+      description = ''
+        Name of a systemd credential containing a private key for this peer, as
+        generated by {command}`wg genkey`. Set exactly one of this or
+        {option}`birdsong.peering.privateKeyFile`.
+
+        To load the credential from an encrypted credential file, set
+        {option}`systemd.services.systemd-networkd.serviceConfig.LoadCredentialEncrypted`.
+      '';
+      type = with types; nullOr str;
     };
     persistentKeepalive = mkOption {
       default = 0;
@@ -60,8 +75,8 @@ in
         message = "birdsong depends on networkd. systemd.network.enable must be true";
       }
       {
-        assertion = cfg ? privateKeyFile;
-        message = "birdsong.peering.privateKeyFile must be set";
+        assertion = (cfg.privateKeyCredential != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCredential == null);
+        message = "exactly one of birdsong.peering.privateKeyCredential or birdsong.peering.privateKeyFile must be set";
       }
       {
         assertion = hostName != null;
@@ -77,33 +92,38 @@ in
     networking.firewall.allowedUDPPorts = mkIf cfg.openPorts [ host.port ];
 
     systemd.network = {
-      enable = true;
-
       netdevs."30-birdsong" = {
         netdevConfig = {
           Name = cfg.interface;
           Kind = "wireguard";
           Description = "wireguard tunnel to the birdsong network";
         };
-        wireguardConfig = {
-          PrivateKeyFile = cfg.privateKeyFile;
-          ListenPort = host.port;
-        };
+
+        wireguardConfig = mkMerge [
+          {
+            ListenPort = host.port;
+          }
+          (mkIf (cfg.privateKeyCredential != null) {
+            PrivateKey = "@${cfg.privateKeyCredential}";
+          })
+          (mkIf (cfg.privateKeyFile != null) {
+            PrivateKeyFile = cfg.privateKeyFile;
+          })
+        ];
+
         wireguardPeers =
           let
             canDirectPeer = host: peer: peer.subnet == "internet" || (host.subnet != "roaming" && peer.subnet == host.subnet);
           in
           mapAttrsToList
             (name: peer: {
-              wireguardPeerConfig = {
-                PublicKey = peer.wireguardKey;
-                AllowedIPs = [ peer.ipv4 peer.ipv6 ]
-                  ++ optionals peer.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
-                Endpoint = mkIf (canDirectPeer host peer) "${peer.endpoint}:${toString peer.port}";
-                PersistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive;
-              };
+              PublicKey = peer.wireguardKey;
+              AllowedIPs = [ peer.ipv4 peer.ipv6 ]
+                ++ optionals peer.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
+              Endpoint = mkIf (canDirectPeer host peer) "${peer.endpoint}:${toString peer.port}";
+              PersistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive;
             })
-            (filterAttrs (name: peer: peer != host && (host.subnet == "internet" || canDirectPeer host peer)) hosts);
+            (filterAttrs (name: peer: peer != host && (canDirectPeer host peer || canDirectPeer peer host)) hosts);
       };
 
       networks."30-birdsong" = {
@@ -112,5 +132,12 @@ in
           ++ optionals host.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
       };
     };
+
+    programs.ssh.knownHosts = lib.mapAttrs'
+      (name: host: lib.nameValuePair ("birdsong_" + name) {
+        publicKey = host.hostKey;
+        hostNames = [ host.ipv4 host.ipv6 ];
+      })
+      hosts;
   };
 }