ssh certificates on desktop

John Lancaster
2026-03-15 14:45:33 -05:00
parent cdbfeb101d
commit e1b093929c
4 changed files with 26 additions and 11 deletions


@@ -42,6 +42,7 @@ in
homeManagerFlakeDir = flakeDir; homeManagerFlakeDir = flakeDir;
docker.enable = true; docker.enable = true;
ssh.certificates.enable = true;
ssh.matchSets = { ssh.matchSets = {
certs = true; certs = true;
appdaemon = true; appdaemon = true;
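Review bot: `ssh.certificates.enable = true;` is ambiguous after this commit, because the same option path now exists in two places — the NixOS `ssh` module's `certificates.enable` (described as host certificates, driving `programs.ssh.knownHosts`) and the Home Manager side's new `certificates.enable` (user certificates, which also appends the `@cert-authority` entry to `~/.ssh/known_hosts`) — and nothing on this line says which one this host config is setting. A one-line comment naming the intent would help the next reader, e.g. `# user certificates (home module); the NixOS host-certificate option is set separately` if that is the intended one; if both are meant, the other option still has to be enabled elsewhere. The enclosing attribute set starts and ends outside the hunk.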


@@ -19,6 +19,9 @@ in
{ {
# NixOS Options # NixOS Options
options.step-client = { options.step-client = {
hostname = lib.mkOption {
type = lib.types.str;
};
caURL = lib.mkOption { caURL = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "${caURL}"; default = "${caURL}";
@@ -32,9 +35,6 @@ in
type = lib.types.str; type = lib.types.str;
default = "admin"; default = "admin";
}; };
hostname = lib.mkOption {
type = lib.types.str;
};
}; };
imports = with inputs.self.modules.nixos; [ ssh ]; imports = with inputs.self.modules.nixos; [ ssh ];


@@ -1,6 +1,7 @@
{inputs, ... }: {inputs, ... }:
let let
userName = "john"; userName = "john";
sshHostPubKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";
in in
{ {
flake.modules.nixos.ssh = { pkgs, config, lib, ... }: flake.modules.nixos.ssh = { pkgs, config, lib, ... }:
@@ -10,7 +11,7 @@ in
{ {
options.ssh = { options.ssh = {
certificates = { certificates = {
enable = lib.mkEnableOption "Enable SSH certificates"; enable = lib.mkEnableOption "Enable SSH host certificates";
userCA = lib.mkOption { userCA = lib.mkOption {
type = lib.types.path; type = lib.types.path;
default = ../../keys/ssh_user_ca.pub; default = ../../keys/ssh_user_ca.pub;
@@ -42,7 +43,7 @@ in
programs.ssh.knownHosts = lib.mkIf cfg.certificates.enable { programs.ssh.knownHosts = lib.mkIf cfg.certificates.enable {
"192.168.1.*" = { "192.168.1.*" = {
certAuthority = true; certAuthority = true;
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ="; publicKey = sshHostPubKey;
}; };
}; };
}; };
@@ -64,11 +65,16 @@ in
homelab = lib.mkEnableOption "Enable various Homelab targets"; homelab = lib.mkEnableOption "Enable various Homelab targets";
dev = lib.mkEnableOption "Enable development targets"; dev = lib.mkEnableOption "Enable development targets";
}; };
certificates = {
enable = lib.mkEnableOption "Enable SSH user certificates";
};
}; };
# All this stuff has to be wrapped in a config attribute because of the presence of the options here? # All this stuff has to be wrapped in a config attribute because of the presence of the options here?
config = let config = let
identityFile = config.ssh.IdentityFile; cfg = config.ssh;
identityFile = cfg.IdentityFile;
publicKeyFile = "${identityFile}.pub"; publicKeyFile = "${identityFile}.pub";
certificateFile = "${identityFile}-cert.pub"; certificateFile = "${identityFile}-cert.pub";
userKnownHostsFile = "${config.home.homeDirectory}/.ssh/known_hosts"; userKnownHostsFile = "${config.home.homeDirectory}/.ssh/known_hosts";
@@ -86,6 +92,14 @@ in
'') '')
]; ];
home.file.".ssh/known_hosts" = {
text = lib.concatStringsSep "\n" (
[
"fded:fb16:653e:25da:be24:11ff:fea0:753f ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9ZqiWPrCwHjxFCiu0lT4rlQs7KyMapxKJQQ5PJP1eh"
] ++ (lib.optional cfg.certificates.enable "@cert-authority 192.168.1.* ${sshHostPubKey}")
);
};
programs.ssh = { programs.ssh = {
enable = true; enable = true;
enableDefaultConfig = false; enableDefaultConfig = false;
@@ -113,7 +127,7 @@ in
forwardAgent = false; forwardAgent = false;
}; };
} }
(lib.mkIf config.ssh.matchSets.appdaemon { (lib.mkIf cfg.matchSets.appdaemon {
"appdaemon" = { "appdaemon" = {
hostname = "192.168.1.242"; hostname = "192.168.1.242";
user = "appdaemon"; user = "appdaemon";
@@ -123,7 +137,7 @@ in
user = "appdaemon"; user = "appdaemon";
}; };
}) })
(lib.mkIf config.ssh.matchSets.certs { (lib.mkIf cfg.matchSets.certs {
"janus" = { "janus" = {
hostname = "janus.john-stream.com"; hostname = "janus.john-stream.com";
user = "root"; user = "root";
@@ -133,7 +147,7 @@ in
user = "john"; user = "john";
}; };
}) })
(lib.mkIf config.ssh.matchSets.homelab { (lib.mkIf cfg.matchSets.homelab {
"docs" = { "docs" = {
hostname = "192.168.1.110"; hostname = "192.168.1.110";
user = "root"; user = "root";
@@ -151,7 +165,7 @@ in
user = "panoptes"; user = "panoptes";
}; };
}) })
(lib.mkIf config.ssh.matchSets.dev { (lib.mkIf cfg.matchSets.dev {
"test-nix" = { "test-nix" = {
hostname = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; hostname = "fded:fb16:653e:25da:be24:11ff:fea0:753f";
user = "john"; user = "john";
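Review bot: `home.file.".ssh/known_hosts"` (the block added after the `];` at the top of the fourth hunk) turns the user's known_hosts into a symlink to the read-only Nix store, so ssh can no longer append a newly accepted host key there — every first connection to an unmanaged host fails after the fingerprint prompt with a write error — while `userKnownHostsFile` a few lines earlier still points at that same path. Keeping the generated entries in a separate file and listing both keeps the pinned host key and the CA entry declarative without breaking interactive use: `home.file.".ssh/known_hosts_managed" = { text = …; };` and `userKnownHostsFile = "${config.home.homeDirectory}/.ssh/known_hosts ${config.home.homeDirectory}/.ssh/known_hosts_managed";` (OpenSSH accepts a space-separated list for UserKnownHostsFile). Separately, the `@cert-authority 192.168.1.*` entry only matches hosts reached by that IPv4 pattern; the `certs` match set below connects to `janus.john-stream.com` by name and the `dev` set uses an IPv6 literal, neither of which this entry covers, so presumably those hosts still rely on plain pinned keys — worth a comment if that is intended. The enclosing `config = let … in` block starts and ends outside the hunk.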


@@ -12,7 +12,7 @@ in
keygrip = [ keygrip = [
]; ];
authorizedKeys = [ authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu" # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus"
]; ];
}; };
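Review bot: Commenting out the `john@john-pc-ubuntu` entry in `authorizedKeys` leaves no record of whether that key is retired or only temporarily disabled, and a commented-out public key tends to get re-enabled later without anyone checking whether the private key still exists. If the desktop now authenticates with a user certificate, as the commit title suggests, deleting the line (history keeps it) and adding a short reason comment is clearer, e.g. `# john-pc-ubuntu key removed <DATE>: desktop now authenticates with a user certificate` with the date filled in. The enclosing attribute set starts outside the hunk.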