sign-ssh-user-cert
This commit is contained in:
John Lancaster
@@ -69,6 +69,30 @@ let
|
||||
'';
|
||||
};
|
||||
});
|
||||
|
||||
signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
|
||||
options = {
|
||||
provisioner = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = "admin";
|
||||
};
|
||||
validUsers = lib.mkOption {
|
||||
description = "A list of the user names that this cert will be valid for";
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
};
|
||||
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
|
||||
};
|
||||
|
||||
config = {
|
||||
binName = "sign-ssh-user-cert";
|
||||
package = config.pkgs.step-cli;
|
||||
args = [ "ssh" "certificate" "--sign" ]
|
||||
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
|
||||
++ lib.optionals config.overwrite [ "-f" ]
|
||||
++ mkPrincipalArgs config.validUsers;
|
||||
};
|
||||
});
|
||||
in
|
||||
{
|
||||
perSystem = { system, self', pkgs, lib, ... }: {
|
||||
@@ -85,6 +109,12 @@ in
|
||||
overwrite = true;
|
||||
# extraPrincipals = [ "home-pc" ];
|
||||
}).wrapper
|
||||
(signUserWrapper.apply {
|
||||
inherit pkgs;
|
||||
provisioner = "admin";
|
||||
overwrite = true;
|
||||
validUsers = [ "john" "user" "appdaemon" ];
|
||||
}).wrapper
|
||||
];
|
||||
});
|
||||
};
|
||||
|
||||
@@ -86,7 +86,6 @@ in
|
||||
home-manager.users."${username}" = {
|
||||
imports = with inputs.self.modules.homeManager; [
|
||||
mysops
|
||||
step-ssh-user
|
||||
];
|
||||
shell.program = "zsh";
|
||||
docker.enable = true;
|
||||
|
||||
@@ -58,11 +58,6 @@ in
|
||||
homeManagerFlakeDir = flakeDir;
|
||||
docker.enable = true;
|
||||
|
||||
step-ssh-user = {
|
||||
enable = true;
|
||||
principals = ["root" "${username}" "appdaemon"];
|
||||
provisioner = "admin";
|
||||
};
|
||||
ssh = {
|
||||
certificates.enable = true;
|
||||
knownHosts = [
|
||||
|
||||
@@ -1,37 +0,0 @@
|
||||
{ self, inputs, ... }: {
|
||||
#
|
||||
# Home Manager Module
|
||||
#
|
||||
flake.modules.homeManager.step-ssh-user = { config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.step-ssh-user;
|
||||
firstPrincipal = lib.head cfg.principals;
|
||||
principalArgs = lib.concatMapStringsSep " "
|
||||
(principal: "--principal \"${principal}\"") cfg.principals;
|
||||
in
|
||||
{
|
||||
options.step-ssh-user = {
|
||||
enable = lib.mkEnableOption "opionated step client config for SSH certs";
|
||||
provisioner = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "admin";
|
||||
};
|
||||
principals = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
sops.secrets."janus/admin_jwk".mode = "0400";
|
||||
home.packages = with pkgs; [
|
||||
(writeShellScriptBin "sign-ssh-cert" ''
|
||||
${lib.getExe pkgs.step-cli} ssh certificate \
|
||||
--sign \
|
||||
${principalArgs} \
|
||||
--provisioner "${cfg.provisioner}" \
|
||||
--provisioner-password-file "${config.sops.secrets."janus/admin_jwk".path}" \
|
||||
"${firstPrincipal}" "${config.ssh.identityFile}.pub"
|
||||
'')
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
Reference in New Issue
Block a user