From bd236ed977e70b4a88bac7b5a6e6be6918f23f06 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Mon, 20 Apr 2026 16:49:31 -0500
Subject: [PATCH] temp

---
 modules/features/ssh-certs.nix | 171 +++++++++++++++++++++++++++++++
 modules/features/step-client.nix | 72 -------------
 modules/nix-tools/wrappers.nix | 8 ++
 3 files changed, 179 insertions(+), 72 deletions(-)
 create mode 100644 modules/features/ssh-certs.nix

diff --git a/modules/features/ssh-certs.nix b/modules/features/ssh-certs.nix
new file mode 100644
index 0000000..1f98c97
--- /dev/null
+++ b/modules/features/ssh-certs.nix
@@ -0,0 +1,171 @@
+{ self, inputs, ... }:
+let
+ mkPrincipalArgs = principals:
+ builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
+
+ signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
+ options = {
+ provisioner = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = "admin";
+ };
+ extraPrincipals = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ };
+ overwrite = lib.mkEnableOption "Overwrite existing cert file?";
+ };
+
+ config = {
+ binName = "sign-ssh-host-cert";
+ package = config.pkgs.step-cli;
+ extraPackages = with config.pkgs; [ hostname iproute2 systemd ];
+ preHook = ''
+ HOSTNAME=$(hostname -s)
+ IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
+ case "$addr" in
+ 192.168.1.*/*)
+ printf '%s\n' "''${addr%%/*}"
+ break
+ ;;
+ esac
+ done)
+ echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
+ '';
+ args =
+ [
+ "ssh" "certificate"
+ "--host" "--sign"
+ "--principal" "$HOSTNAME"
+ "--principal" "$IP_ADDRESS"
+ ]
+ ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
+ ++ lib.optionals config.overwrite [ "-f" ]
+ ++ mkPrincipalArgs config.extraPrincipals;
+ postHook = ''
+ systemctl reload-or-restart sshd
+ '';
+ };
+ });
+
+ signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
+ options = {
+ provisioner = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = "admin";
+ };
+ validUsers = lib.mkOption {
+ description = "A list of the user names that this cert will be valid for";
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ };
+ overwrite = lib.mkEnableOption "Overwrite existing cert file?";
+ };
+
+ config = {
+ binName = "sign-ssh-user-cert";
+ package = config.pkgs.step-cli;
+ args = [ "ssh" "certificate" "--sign" ]
+ ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
+ ++ lib.optionals config.overwrite [ "-f" ]
+ ++ mkPrincipalArgs config.validUsers;
+ };
+ });
+
+ combinedWrapper = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
+ options = {
+ user.enable = lib.myEnableOption "Enable SSH user certs";
+ };
+
+ config = {
+ package = (pkgs.symlinkJoin {
+ name = "ssh-certs";
+ meta.mainProgram = "sign-ssh-host-cert";
+ paths = [
+ (signHostWrapper.apply {
+ inherit pkgs;
+ provisioner = "admin";
+ overwrite = true;
+ # extraPrincipals = [ "home-pc" ];
+ }).wrapper
+ ]
+ ++ lib.optional config.user.enable (signUserWrapper.apply {
+ inherit pkgs;
+ provisioner = "admin";
+ overwrite = true;
+ validUsers = [ "john" "root" "appdaemon" ];
+ }).wrapper;
+ });
+ };
+ });
+in
+{
+ perSystem = { system, self', pkgs, lib, ... }: {
+ packages.ssh-certs = inputs.wrappers.lib.wrapPackage {
+ inherit pkgs;
+ package = (pkgs.symlinkJoin {
+ name = "ssh-certs";
+ meta.mainProgram = "sign-ssh-user-cert";
+ paths = [
+ (signUserWrapper.apply {
+ inherit pkgs;
+ provisioner = "admin";
+ overwrite = true;
+ validUsers = [ "john" "root" "appdaemon" ];
+ }).wrapper
+
+ (signHostWrapper.apply {
+ inherit pkgs;
+ provisioner = "admin";
+ overwrite = true;
+ # extraPrincipals = [ "home-pc" ];
+ }).wrapper
+ ];
+ });
+ };
+ };
+
+ flake.modules.homeManager.sshCerts = { config, pkgs, lib, ... }: {
+ home.packages = [
+ inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.myPackage
+ ];
+ };
+
+ # flake.modules.homeManager.sshCerts = { config, pkgs, lib, ... }: {
+ # home.packages = [
+ # (inputs.self.wrappers.sshCerts.apply {
+ # inherit pkgs;
+ # provisioner = "test prov";
+ # }).wrapper
+ # ];
+ # };
+
+ # flake.wrappers.sshCerts = { wlib, lib }:
+ # wlib.wrapModule ({ config, wlib, ... }: {
+ # options = {
+ # provisioner = lib.mkOption {
+ # type = lib.types.str;
+ # default = "admin";
+ # };
+ # };
+ # config = {
+ # binName = "admin-cow";
+ # package = config.pkgs.cowsay;
+ # args = [ config.provisioner ];
+ # };
+ # });
+
+ # inputs.wrappers.lib.wrapModule ({ config, lib, ... }: {
+ # options = {
+ # provisioner = lib.mkOption {
+ # type = lib.types.str;
+ # default = "admin";
+ # };
+ # };
+
+ # config = {
+ # package = config.pkgs.cowsay;
+ # args = [ config.provisioner ];
+ # };
+ # });
+}
\ No newline at end of file
diff --git a/modules/features/step-client.nix b/modules/features/step-client.nix
index 7db95a2..c9f1ffe 100644
--- a/modules/features/step-client.nix
+++ b/modules/features/step-client.nix
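Review bot: In the preHook of signHostWrapper, IP_ADDRESS stays empty when no global IPv4 address in 192.168.1.0/24 is found, yet args still passes `--principal "$IP_ADDRESS"`, so the host certificate is requested with an empty principal (or step-cli fails with a less obvious error). A guard right after the assignment would fail closed: `[ -n "$IP_ADDRESS" ] || { echo "no 192.168.1.x address found; refusing to sign host cert" >&2; exit 1; }` — this assumes the wrapper runs preHook in the same shell as the final command, which the hunk does not show. Two further points in the same file: combinedWrapper uses a bare `pkgs` (the other two wrappers use `config.pkgs`) and `lib.myEnableOption`, neither of which is in scope here, so it fails to evaluate as soon as anything references it; and flake.modules.homeManager.sshCerts installs `packages.${…}.myPackage` while perSystem defines `packages.ssh-certs`, so the module references a package that does not exist. The hunk is the whole new file; the hard-coded subnet and the short hostname as the only name principal also deserve a comment stating that assumption, since clients only match a host cert against the name they connect with.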
@@ -21,78 +21,6 @@ let
 ];
 };
 });
-
- mkPrincipalArgs = principals:
- builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
-
- signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
- options = {
- provisioner = lib.mkOption {
- type = lib.types.nullOr lib.types.str;
- default = "admin";
- };
- extraPrincipals = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- default = [ ];
- };
- overwrite = lib.mkEnableOption "Overwrite existing cert file?";
- };
-
- config = {
- binName = "sign-ssh-host-cert";
- package = config.pkgs.step-cli;
- extraPackages = with config.pkgs; [ hostname iproute2 systemd ];
- preHook = ''
- HOSTNAME=$(hostname -s)
- IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
- case "$addr" in
- 192.168.1.*/*)
- printf '%s\n' "''${addr%%/*}"
- break
- ;;
- esac
- done)
- echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
- '';
- args =
- [
- "ssh" "certificate"
- "--host" "--sign"
- "--principal" "$HOSTNAME"
- "--principal" "$IP_ADDRESS"
- ]
- ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
- ++ lib.optionals config.overwrite [ "-f" ]
- ++ mkPrincipalArgs config.extraPrincipals;
- postHook = ''
- systemctl reload-or-restart sshd
- '';
- };
- });
-
- signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
- options = {
- provisioner = lib.mkOption {
- type = lib.types.nullOr lib.types.str;
- default = "admin";
- };
- validUsers = lib.mkOption {
- description = "A list of the user names that this cert will be valid for";
- type = lib.types.listOf lib.types.str;
- default = [ ];
- };
- overwrite = lib.mkEnableOption "Overwrite existing cert file?";
- };
-
- config = {
- binName = "sign-ssh-user-cert";
- package = config.pkgs.step-cli;
- args = [ "ssh" "certificate" "--sign" ]
- ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
- ++ lib.optionals config.overwrite [ "-f" ]
- ++ mkPrincipalArgs config.validUsers;
- };
- });
 in
 {
 perSystem = { system, self', pkgs, lib, ... }: {
diff --git a/modules/nix-tools/wrappers.nix b/modules/nix-tools/wrappers.nix
index 16533b0..09bd098 100644
--- a/modules/nix-tools/wrappers.nix
+++ b/modules/nix-tools/wrappers.nix
@@ -9,4 +9,12 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 };
+
+ options = {
+ flake = inputs.flake-parts.lib.mkSubmoduleOptions {
+ myWrappers = inputs.nixpkgs.lib.mkOption {
+ default = {};
+ };
+ };
+ };
 }
\ No newline at end of file
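Review bot: The new `myWrappers` option in wrappers.nix has neither a `type` nor a `description`, so definitions contributed by several modules fall back to the untyped default merge and nothing documents what values belong in it. Adding `type = inputs.nixpkgs.lib.types.lazyAttrsOf inputs.nixpkgs.lib.types.raw;` (or `deferredModule` values if these are meant to be wrapper modules — the commented-out code in ssh-certs.nix suggests functions) plus a one-line description would make merging predictable and the option self-explaining. The enclosing attribute set starts before this hunk.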