moved sign-ssh-cert

John Lancaster
2026-03-15 15:20:34 -05:00
parent ff9a817ef8
commit da2de12193
2 changed files with 26 additions and 17 deletions


@@ -82,6 +82,9 @@ in
flake.modules.homeManager.step-client = { config, pkgs, lib, ... }: flake.modules.homeManager.step-client = { config, pkgs, lib, ... }:
let let
cfg = config.step-client; cfg = config.step-client;
firstPrincipal = lib.head cfg.principals;
principalArgs = lib.concatMapStrings
(principal: "--principal ${principal}") cfg.principals;
in in
{ {
options.step-client = { options.step-client = {
@@ -110,6 +113,14 @@ in
type = lib.types.str; type = lib.types.str;
default = "admin"; default = "admin";
}; };
principals = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
publicKeyFile = lib.mkOption {
type = lib.types.str;
default = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile; home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile;
@@ -118,6 +129,17 @@ in
fingerprint = cfg.fingerprint; fingerprint = cfg.fingerprint;
root = "${cfg.rootCertFile.path}"; root = "${cfg.rootCertFile.path}";
}; };
sops.secrets."janus/admin_jwk".mode = "0400";
home.packages = lib.optionals cfg.certificates.enable [
(pkgs.writeShellScriptBin "sign-ssh-cert" ''
${lib.getExe pkgs.step-cli} ssh certificate \
--sign \
${principalArgs} \
--provisioner "${cfg.sshHostProvisioner}" \
--provisioner-password-file "${config.sops.secrets."janus/admin_jwk".path}" \
"${firstPrincipal}" "${cfg.publicKeyFile}"
'')
];
}; };
}; };
} }
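Review bot: `principalArgs` in the new `let` block joins the per-principal flags with no separator — `lib.concatMapStrings` is plain `concatStrings (map f list)` — so `principals = [ "alice" "root" ]` expands to `--principal alice--principal root`, giving step the principal `alice--principal` and shifting `root` into the positional key-id slot; use `principalArgs = lib.escapeShellArgs (lib.concatMap (p: [ "--principal" p ]) cfg.principals);`, which also quotes each value instead of splatting it unquoted into the script. `firstPrincipal = lib.head cfg.principals` throws an opaque "list index out of range" at evaluation whenever the option keeps its default `[ ]` and `certificates.enable` is set, so either drop the default or add an `assertions` entry with a message naming `step-client.principals`. The old hardcoded `--principal root --principal appdaemon` is no longer implied, which is a sensible tightening, but since the caller's `principals` setting is not visible in this commit a `description` on the option stating that the first entry becomes the certificate key-id would save the next reader a trip through the script. The enclosing module expression (`in ... flake.modules.homeManager.step-client = ...`) starts before the first hunk.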


@@ -45,6 +45,10 @@ in
certAuthority = true; certAuthority = true;
publicKey = sshHostCAPubKey; publicKey = sshHostCAPubKey;
}; };
"*.john-stream.com" = {
certAuthority = true;
publicKey = sshHostCAPubKey;
};
}; };
}; };
}; };
@@ -85,23 +89,6 @@ in
provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path; provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
sshHostProvisioner = config.step-client.sshHostProvisioner; sshHostProvisioner = config.step-client.sshHostProvisioner;
in { in {
sops.secrets."janus/admin_jwk" = {
mode = "0400";
};
home.packages = lib.optionals cfg.certificates.enable [
(pkgs.writeShellScriptBin "sign-ssh-cert" ''
${lib.getExe pkgs.step-cli} ssh certificate \
--sign \
--principal ${userName} \
--principal root \
--principal appdaemon \
--provisioner "${sshHostProvisioner}" \
--provisioner-password-file "${provisionerPasswordPath}" \
${userName} ${publicKeyFile}
'')
];
home.file.".ssh/known_hosts" = { home.file.".ssh/known_hosts" = {
text = lib.concatStringsSep "\n" ( text = lib.concatStringsSep "\n" (
[ [