step-ssh-user

John Lancaster
2026-03-15 16:15:27 -05:00
parent 2ace9cd2dd
commit b3bcfdcfcb
2 changed files with 27 additions and 28 deletions


@@ -57,10 +57,6 @@ in
flake.modules.homeManager.ssh = { pkgs, config, lib, ... }:
{
imports = with inputs.self.modules.homeManager; [
step-client
];
options.ssh = {
IdentityFile = lib.mkOption {
# Intentionally not using a path type here because that will end up with the private key getting copied into the store
@@ -69,16 +65,25 @@ in
description = "Path to the SSH identity file.";
};
certificates = {
enable = lib.mkEnableOption "Enable SSH user certificates";
# sshCertProvisioner = lib.mkOption {
# type = lib.types.str;
# default = "admin";
# };
};
knownHostsFile = lib.mkOption {
type = lib.types.str;
default = "${config.home.homeDirectory}/.ssh/known_hosts";
};
matchSets = {
appdaemon = lib.mkEnableOption "Enable AppDaemon SSH targets";
certs = lib.mkEnableOption "Enable Janus and Soteria SSH targets";
homelab = lib.mkEnableOption "Enable various Homelab targets";
dev = lib.mkEnableOption "Enable development targets";
};
certificates = {
enable = lib.mkEnableOption "Enable SSH user certificates";
};
};
# All this stuff has to be wrapped in a config attribute because of the presence of the options here?
@@ -87,9 +92,7 @@ in
identityFile = cfg.IdentityFile;
publicKeyFile = "${identityFile}.pub";
certificateFile = "${identityFile}-cert.pub";
userKnownHostsFile = "${config.home.homeDirectory}/.ssh/known_hosts";
provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
sshHostProvisioner = config.step-client.sshHostProvisioner;
in {
home.file.".ssh/known_hosts" = {
text = lib.concatStringsSep "\n" (
@@ -122,7 +125,7 @@ in
inherit identityFile certificateFile;
hashKnownHosts = false;
userKnownHostsFile = userKnownHostsFile;
userKnownHostsFile = cfg.knownHostsFile;
addKeysToAgent = "yes";
forwardAgent = false;