john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ssh host cert working

Browse Source
This commit is contained in:
John Lancaster
2026-03-15 11:22:09 -05:00
parent ec79dc824e
commit 52390daf45
4 changed files with 72 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
keys/root_ca.crt Normal file
View File

@@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----
MIIBlDCCATqgAwIBAgIRAKDvqOX8WVhJ/ev02Y1gXKQwCgYIKoZIzj0EAwIwKDEO
MAwGA1UEChMFSmFudXMxFjAUBgNVBAMTDUphbnVzIFJvb3QgQ0EwHhcNMjUxMjE4
MDYwMjI4WhcNMzUxMjE2MDYwMjI4WjAoMQ4wDAYDVQQKEwVKYW51czEWMBQGA1UE
AxMNSmFudXMgUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMt6kNpx
Q9vySc1N6F9jJObeQXZI+9f33E1cN4zbEuNpmtpRl0WaPa1AGNbSi5sIbiH7wDv2
llXfCqYWkeoCE5mjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/
AgEBMB0GA1UdDgQWBBRo55byyyo2sePP+8zz+uM4mXNV+zAKBggqhkjOPQQDAgNI
ADBFAiB6zxTbvWMZWgDQhKGh+MnGQQ7f8UGhzinOfRG7a/HdOAIhAIVWt6MLl6QU
FOvl/qIFGd7YJeWU5aahPABVttxjSMn/
-----END CERTIFICATE-----

5
keys/secrets.yaml
View File

@@ -1,5 +1,6 @@
janus: janus:
fingerprint: ENC[AES256_GCM,data:A0eNE3nX8hVq8m4bNFvkTGR15Xh9QV44JpOJFyhZojPOTirRGEq/MCSNIqpKfoFUB4TXdRZIN95pAoNlO7Z2dQ==,iv:3TQ9ZcjRmnQzkNA5Cv/cpEIT8gTJ1w3cTjTVtxtuzq4=,tag:hIwcjdZ6R8UzUgh/VoDz3A==,type:str] fingerprint: ENC[AES256_GCM,data:A0eNE3nX8hVq8m4bNFvkTGR15Xh9QV44JpOJFyhZojPOTirRGEq/MCSNIqpKfoFUB4TXdRZIN95pAoNlO7Z2dQ==,iv:3TQ9ZcjRmnQzkNA5Cv/cpEIT8gTJ1w3cTjTVtxtuzq4=,tag:hIwcjdZ6R8UzUgh/VoDz3A==,type:str]
admin_jwk: ENC[AES256_GCM,data:HhsnsCsR87ItjEKP3MsHpxb/WZHvxRrMIhbBgW7qq/0=,iv:b5MKd5TFkxFjd1zY0Lfi2QDv4sLmyKn7riW8s/EfDeA=,tag:GkGfyAM2RtKzuo567bAjiA==,type:str]
test-nix: test-nix:
ssh_host_key: ENC[AES256_GCM,data:04CRKNCycc8Dre44ERtytmX6NHdZOIds95ckYzmi/i74qEYyN/L5XsuKKmjH2WCn3brvK4pZLLIZWzxC5VJ85q+O8Tfd3qdFROTG5qYRvmK5huxphPaIWSUI2ZEdLqecpRtmq7Zeq+Xa2+JKC0ehg2sqavotkPM5vIeVsaStD5rMVSgnuGaTS3WuPPfEjJPfsCyGPup4ysgxKxfc3JXOR+T8t6w4ccG0Si6tGz6io0Sl9tgPzrYqwqTaMtWLUA50luJg+D8ZxpMjpqFNbIry2tKwettzwXtGz7xGYnjvuk+1sCdYl8PXOMRT2KwAy5usCJsWFRTXJzZ5kxzwAYLwmhlsfPuxwTrR5fRETJPglRP/1muq8piIZn6yHtq9dCSrNcDCZnjnjG+cby28yPLYKhDgVNF5DObob8e6Fp/nP00sdi4Bt1aHRR5pjK/9mpsWE6ikO83SUi4xSoL1LKZM2kC5DL8XBJP7nWQTwijp84m3htMKvrKfFo68G9xP4v/DhVcHLsoNGLytH5omAuGL,iv:0cAtrXlPBis8nYw1XT4kSPRuwVkq0XSh6jjY9mpewIA=,tag:WFsiOe/l8cVicOqX2C94xA==,type:str] ssh_host_key: ENC[AES256_GCM,data:04CRKNCycc8Dre44ERtytmX6NHdZOIds95ckYzmi/i74qEYyN/L5XsuKKmjH2WCn3brvK4pZLLIZWzxC5VJ85q+O8Tfd3qdFROTG5qYRvmK5huxphPaIWSUI2ZEdLqecpRtmq7Zeq+Xa2+JKC0ehg2sqavotkPM5vIeVsaStD5rMVSgnuGaTS3WuPPfEjJPfsCyGPup4ysgxKxfc3JXOR+T8t6w4ccG0Si6tGz6io0Sl9tgPzrYqwqTaMtWLUA50luJg+D8ZxpMjpqFNbIry2tKwettzwXtGz7xGYnjvuk+1sCdYl8PXOMRT2KwAy5usCJsWFRTXJzZ5kxzwAYLwmhlsfPuxwTrR5fRETJPglRP/1muq8piIZn6yHtq9dCSrNcDCZnjnjG+cby28yPLYKhDgVNF5DObob8e6Fp/nP00sdi4Bt1aHRR5pjK/9mpsWE6ikO83SUi4xSoL1LKZM2kC5DL8XBJP7nWQTwijp84m3htMKvrKfFo68G9xP4v/DhVcHLsoNGLytH5omAuGL,iv:0cAtrXlPBis8nYw1XT4kSPRuwVkq0XSh6jjY9mpewIA=,tag:WFsiOe/l8cVicOqX2C94xA==,type:str]
restic_password: restic_password:
@@ -35,7 +36,7 @@ sops:
Z1orRCtkTDVXSktuck5pTmV4K05qZHMKZlHHu07q+GnyDDgdwW2Ic3P23PmoSPwn Z1orRCtkTDVXSktuck5pTmV4K05qZHMKZlHHu07q+GnyDDgdwW2Ic3P23PmoSPwn
WuNLZdlZQleROaRb+zpD+9P1HGGJ3mWAlNlnmjGrRk453k1PbBQ5Og== WuNLZdlZQleROaRb+zpD+9P1HGGJ3mWAlNlnmjGrRk453k1PbBQ5Og==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-14T17:37:49Z" lastmodified: "2026-03-15T15:06:29Z"
mac: ENC[AES256_GCM,data:wONHhXL78AnuoH8SMxTbkFTaStiHvJsNHU6srp6OvqG5zVfHu3nYrJjPEZj3QJweZ4xP9KuYtQS5WX/vqFX6bhMB4NUSkvI+jzDESZoEt/Ulto3yoFwovqxSZqB4deSPCQDDmDetSXBQEcVAc4Rf8Om/uKbn2iIdEWP89BPCNTs=,iv:n4sSiWICXLyWJSoB7eG73Xpa2ClCg8kQrBtpF6QGJwQ=,tag:4aOjzbl4iIqG/0aXlCbhUQ==,type:str] mac: ENC[AES256_GCM,data:cF/TJ8VkzrHRUrO5iGdRdlFtqV/5EQ15JwQKIywJvsh0NERK67T21czSP7923MiL0u5QTVPn/rO8R5E/8gBu3r8+fLq+CFl9PDQHEX2JhnYOD5WZR412WMZq3MVR94IMTOrQANMVpS4uhMyvnrqOe4AenxLDyzrYhkwf1KQh4w0=,iv:Qwy8z4uXGMlf+kTMNiE42M9l8LtSJ+O7diknRrsSeYI=,tag:qlCY9r8HnEDmq/jw59C/sg==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.1 version: 3.12.1

2
modules/hosts/janus.nix
View File

@@ -14,7 +14,7 @@ in
nixos.zsh nixos.zsh
nixos.docker nixos.docker
{ {
step-client.hostname = hostname;
home-manager.users."${username}" = { home-manager.users."${username}" = {
imports = with inputs.self.modules.homeManager; [ imports = with inputs.self.modules.homeManager; [

68
modules/programs/step-client.nix
View File

@@ -12,13 +12,29 @@ in
cfg = config.step-client; cfg = config.step-client;
stepBin = lib.getExe pkgs.step-cli; stepBin = lib.getExe pkgs.step-cli;
rootCertPath = "/etc/step/certs/root_ca.crt"; rootCertPath = "/etc/step/certs/root_ca.crt";
provisionerPasswordPath = config.sops.secrets."step/provisioner_password".path; provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
sshKeyPath = "/etc/ssh/ssh_host_ed25519_key"; sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
sshCertPath = "/etc/ssh/ssh_host_ed25519_key-cert.pub"; sshCertPath = "${sshKeyPath}-cert.pub";
in in
{ {
# NixOS Options # NixOS Options
options.step-client = { options.step-client = {
caURL = lib.mkOption {
type = lib.types.str;
default = "${caURL}";
};
rootCertFile = lib.mkOption {
type = lib.types.path;
description = "Public Step root CA certificate file from the repo.";
default = ../../keys/root_ca.crt;
};
sshHostProvisioner = lib.mkOption {
type = lib.types.str;
default = "admin";
};
hostname = lib.mkOption {
type = lib.types.str;
};
}; };
imports = with inputs.self.modules.nixos; [ ssh ]; imports = with inputs.self.modules.nixos; [ ssh ];
@@ -28,15 +44,32 @@ in
home-manager.sharedModules = with inputs.self.modules; [ home-manager.sharedModules = with inputs.self.modules; [
homeManager.step-client homeManager.step-client
]; ];
sops.secrets."janus/fingerprint" = { };
sops.secrets."janus/admin_jwk" = {
owner = "root";
group = "root";
mode = "0400";
};
environment.etc."step/certs/root_ca.crt".source = cfg.rootCertFile;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
(writeShellScriptBin "step-bootstrap" '' step-cli
set -euo pipefail (writeShellScriptBin "ssh-host-cert-renew" ''
step ca bootstrap --ca-url ${caURL} --fingerprint ${stepFingerprint} ${lib.getExe pkgs.step-cli} ssh certificate \
--host --sign \
--root "${rootCertPath}" \
--ca-url ${cfg.caURL} \
--provisioner "${cfg.sshHostProvisioner}" \
--provisioner-password-file "${provisionerPasswordPath}" \
--principal "${cfg.hostname}" \
--principal "${cfg.hostname}.john-stream.com" \
"${cfg.hostname}" "${sshKeyPath}.pub"
'') '')
]; ];
networking.nameservers = [ "192.168.1.150" ]; networking.nameservers = [ "192.168.1.150" ];
networking.dhcpcd.extraConfig = "nohook resolv.conf"; networking.dhcpcd.extraConfig = "nohook resolv.conf";
}; };
}; };
@@ -49,8 +82,8 @@ in
in in
{ {
options.step-client = { options.step-client = {
enable = lib.mkEnableOption "opionated step client config"; enable = lib.mkEnableOption "opionated step client config for SSH certs";
caUrl = lib.mkOption { caURL = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "${caURL}"; default = "${caURL}";
}; };
@@ -58,12 +91,25 @@ in
type = lib.types.str; type = lib.types.str;
default = "${stepFingerprint}"; default = "${stepFingerprint}";
}; };
rootCertFile = {
path = lib.mkOption {
type = lib.types.str;
description = "Path to where the root_ca.crt file will be stored for the user";
default = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
};
source = lib.mkOption {
type = lib.types.path;
description = "Nix path to the root cert file within the repo";
default = ../../keys/root_ca.crt;
};
};
}; };
config = { config = lib.mkIf cfg.enable {
home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile;
home.file.".step/config/defaults.json".text = builtins.toJSON { home.file.".step/config/defaults.json".text = builtins.toJSON {
"ca-url" = cfg.caUrl; "ca-url" = cfg.caURL;
fingerprint = cfg.fingerprint; fingerprint = cfg.fingerprint;
root = "${config.home.homeDirectory}/.step/certs/root_ca.crt"; root = "${cfg.rootCertFile.path}";
}; };
}; };
}; };