diff --git a/modules/features/ssh-certs.nix b/modules/features/ssh-certs.nix index 1f98c97..0804400 100644 --- a/modules/features/ssh-certs.nix +++ b/modules/features/ssh-certs.nix @@ -2,8 +2,34 @@ let mkPrincipalArgs = principals: builtins.concatLists (map (principal: [ "--principal" principal ]) principals); +in +{ + perSystem = { system, self', pkgs, lib, ... }: { + packages.ssh-certs = inputs.wrappers.lib.wrapPackage { + inherit pkgs; + package = (pkgs.symlinkJoin { + name = "ssh-certs"; + meta.mainProgram = "sign-ssh-user-cert"; + paths = [ + (inputs.self.wrappers.signUserWrapper.apply { + inherit pkgs; + provisioner = "admin"; + overwrite = true; + validUsers = [ "john" "root" "appdaemon" ]; + }).wrapper - signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: { + (inputs.self.wrappers.signHostWrapper.apply { + inherit pkgs; + provisioner = "admin"; + overwrite = true; + # extraPrincipals = [ "home-pc" ]; + }).wrapper + ]; + }); + }; + }; + + flake.wrappers.signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: { options = { provisioner = lib.mkOption { type = lib.types.nullOr lib.types.str; @@ -48,7 +74,7 @@ let }; }); - signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: { + flake.wrappers.signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: { options = { provisioner = lib.mkOption { type = lib.types.nullOr lib.types.str; 
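Review bot: `validUsers = [ "john" "root" "appdaemon" ]` in the new `packages.ssh-certs` means every certificate minted by the packaged user signer carries a `root` principal, because the `mkPrincipalArgs` helper in the hunk's context turns each entry into a `--principal` argument, so a cert issued for an ordinary login session also authorizes root on every host that trusts this CA. Consider keeping the packaged default to the unprivileged principals and requiring the root principal explicitly, e.g. `validUsers = [ "john" "appdaemon" ];` here with a separately named wrapper for root certs, or add a comment saying why `root` is included if that is intentional. The `provisioner = "admin"; overwrite = true;` pair is repeated in both `apply` calls; a shared `let` attrset merged with `//` would keep the two signers in step. The `let … in` this hunk sits in and the `flake.wrappers.signHostWrapper` module opened at its end both continue outside the hunk.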
@@ -71,101 +97,4 @@ let ++ mkPrincipalArgs config.validUsers; }; }); - - combinedWrapper = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: { - options = { - user.enable = lib.myEnableOption "Enable SSH user certs"; - }; - - config = { - package = (pkgs.symlinkJoin { - name = "ssh-certs"; - meta.mainProgram = "sign-ssh-host-cert"; - paths = [ - (signHostWrapper.apply { - inherit pkgs; - provisioner = "admin"; - overwrite = true; - # extraPrincipals = [ "home-pc" ]; - }).wrapper - ] - ++ lib.optional config.user.enable (signUserWrapper.apply { - inherit pkgs; - provisioner = "admin"; - overwrite = true; - validUsers = [ "john" "root" "appdaemon" ]; - }).wrapper; - }); - }; - }); -in -{ - perSystem = { system, self', pkgs, lib, ... }: { - packages.ssh-certs = inputs.wrappers.lib.wrapPackage { - inherit pkgs; - package = (pkgs.symlinkJoin { - name = "ssh-certs"; - meta.mainProgram = "sign-ssh-user-cert"; - paths = [ - (signUserWrapper.apply { - inherit pkgs; - provisioner = "admin"; - overwrite = true; - validUsers = [ "john" "root" "appdaemon" ]; - }).wrapper - - (signHostWrapper.apply { - inherit pkgs; - provisioner = "admin"; - overwrite = true; - # extraPrincipals = [ "home-pc" ]; - }).wrapper - ]; - }); - }; - }; - - flake.modules.homeManager.sshCerts = { config, pkgs, lib, ... }: { - home.packages = [ - inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.myPackage - ]; - }; - - # flake.modules.homeManager.sshCerts = { config, pkgs, lib, ... }: { - # home.packages = [ - # (inputs.self.wrappers.sshCerts.apply { - # inherit pkgs; - # provisioner = "test prov"; - # }).wrapper - # ]; - # }; - - # flake.wrappers.sshCerts = { wlib, lib }: - # wlib.wrapModule ({ config, wlib, ... 
}: { - # options = { - # provisioner = lib.mkOption { - # type = lib.types.str; - # default = "admin"; - # }; - # }; - # config = { - # binName = "admin-cow"; - # package = config.pkgs.cowsay; - # args = [ config.provisioner ]; - # }; - # }); - - # inputs.wrappers.lib.wrapModule ({ config, lib, ... }: { - # options = { - # provisioner = lib.mkOption { - # type = lib.types.str; - # default = "admin"; - # }; - # }; - - # config = { - # package = config.pkgs.cowsay; - # args = [ config.provisioner ]; - # }; - # }); } \ No newline at end of file diff --git a/modules/features/step-client.nix b/modules/features/step-client.nix index c9f1ffe..e45a732 100644 --- a/modules/features/step-client.nix +++ b/modules/features/step-client.nix @@ -1,6 +1,32 @@ -{ self, inputs, ... }: -let - bootstrapWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: { +{ self, inputs, ... }: { + flake.modules.homeManager.step-client = { config, pkgs, lib, ... }: { + home.file.".step/config/defaults.json".text = builtins.toJSON { + ca-url = "https://janus.john-stream.com/"; + fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6"; + root = ../hosts/janus/root_ca.crt; + }; + home.packages = [ + inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.step-bootstrap + ]; + # sops.secrets."step-ca-defaults" = { + # sopsFile = ../hosts/janus/defaults.json; + # format = "json"; + # key = ""; # This causes it to decode the whole file + # path = "${config.home.homeDirectory}/defaults.json"; + # mode = "0400"; + # }; + }; + + perSystem = { system, pkgs, lib, ... }: { + packages.step-bootstrap = (inputs.self.wrappers.stepBootstrap.apply { + inherit pkgs; + caURL = "https://janus.john-stream.com"; + fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6"; + install = true; + }).wrapper; + }; + + flake.wrappers.stepBootstrap = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: { options = { caURL = lib.mkOption { type = lib.types.str; 
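Review bot: The CA trust anchor is now pinned in two places in this file, `fingerprint = "2036c44f…"` in the `step-client` home module's `defaults.json` and again in the `perSystem` `step-bootstrap` package, next to a third copy read from `./fingerprint` in `modules/hosts/janus/default.nix`; on a CA rotation the hard-coded copies will not follow the file the janus host uses and the mismatch only surfaces when bootstrap fails. Reading one source keeps them aligned, e.g. `fingerprint = builtins.readFile ../hosts/janus/fingerprint;` in a `let` shared by both definitions (trimming a trailing newline if the file has one). The `ca-url` also differs between the two definitions (`https://janus.john-stream.com/` with a trailing slash in the JSON, `https://janus.john-stream.com` without it for `caURL`); step presumably normalizes this, but a single binding removes the doubt. The commented-out `sops.secrets."step-ca-defaults"` block should either go or carry a `# TODO:` saying what is pending. The `flake.wrappers.stepBootstrap` module opened at the end of the hunk continues outside it.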
@@ -12,46 +38,14 @@ let }; config = { - binName = "bootstrap"; - package = config.pkgs.step-cli; # (1)! + binName = "step-bootstrap"; + package = config.pkgs.step-cli; args = [ "ca" "bootstrap" "--ca-url" config.caURL "--fingerprint" config.fingerprint - ]; + ] + ++ lib.optional config.install "--install"; }; }); -in -{ - perSystem = { system, self', pkgs, lib, ... }: { - packages.step-client = inputs.wrappers.lib.wrapPackage { - inherit pkgs; - package = (pkgs.symlinkJoin { - name = "step"; - meta.mainProgram = "step"; - paths = with pkgs; [ - self'.packages.step-bootstrap - (signHostWrapper.apply { - inherit pkgs; - provisioner = "admin"; - overwrite = true; - # extraPrincipals = [ "home-pc" ]; - }).wrapper - (signUserWrapper.apply { - inherit pkgs; - provisioner = "admin"; - overwrite = true; - validUsers = [ "john" "root" "appdaemon" ]; - }).wrapper - ]; - }); - }; - - packages.step-bootstrap = (bootstrapWrapper.apply { - inherit pkgs; - caURL = "https://janus.john-stream.com"; - fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6"; - install = true; - }).wrapper; - }; } \ No newline at end of file diff --git a/modules/hosts/janus/default.nix b/modules/hosts/janus/default.nix index f48d313..30bd608 100644 --- a/modules/hosts/janus/default.nix +++ b/modules/hosts/janus/default.nix @@ -2,8 +2,6 @@ let username = "john"; hostname = "janus"; - ca-url = "https://janus.john-stream.com/"; - fingerprint = builtins.readFile ./fingerprint; in { flake.modules.nixos.janus-ca = @@ -39,7 +37,8 @@ in config = { environment.etc = lib.mkIf cfgInEtc { "step-ca/defaults.json".text = builtins.toJSON { - inherit ca-url fingerprint; + ca-url = "https://janus.john-stream.com/"; + fingerprint = builtins.readFile ./fingerprint; root = "/etc/${certRootEtcPath}"; }; "${certRootEtcPath}".source = ./root_ca.crt; 
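Review bot: `++ lib.optional config.install "--install"` widens the wrapper's effect well beyond step: `step ca bootstrap --install` adds the CA root to the system trust store, so with `install = true` (set on the packaged `step-bootstrap` in this file) running the bootstrap makes this private CA trusted by every TLS client on the host. That is presumably intended for the janus fleet, but it deserves a comment here, e.g. `# --install also adds the root to the OS trust store; every TLS client on the host will then trust this CA`, and the `install` option should default to `false` with the same text in its `description`. The `install` option declaration and the start of the module are outside the hunk, so I cannot see whether it already documents this.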
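Review bot: `fingerprint = builtins.readFile ./fingerprint;` in the new `defaults.json` body carries the file's bytes verbatim, so if `./fingerprint` ends with a newline, as editor- or `echo`-written files usually do, the pinned value becomes `"2036…\n"` and, unless step trims whitespace before comparing, the client will reject the root and bootstrap will fail closed with a confusing mismatch. Trim it when reading, e.g. `fingerprint = lib.removeSuffix "\n" (builtins.readFile ./fingerprint);` (`lib` is already in scope in this module, see `lib.mkIf cfgInEtc`). The same expression is added in the `homeManager.janus-ca` hunk below, where `lib` would also need to be added to the module's argument set.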
@@ -52,10 +51,10 @@ in
 flake.modules.homeManager.janus-ca = { config, ... }: {
 home.file.".step/config/defaults.json".text = builtins.toJSON {
- inherit ca-url fingerprint;
- root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
+ ca-url = "https://janus.john-stream.com/";
+ fingerprint = builtins.readFile ./fingerprint;
+ root = ./root_ca.crt;
 };
- home.file.".step/certs/root_ca.crt".source = ./root_ca.crt;
 };
 flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
diff --git a/modules/nix-tools/wrappers.nix b/modules/nix-tools/wrappers.nix
index 09bd098..2ad38de 100644
--- a/modules/nix-tools/wrappers.nix
+++ b/modules/nix-tools/wrappers.nix
@@ -1,5 +1,5 @@
 { self, inputs, ... }: {
- flake-file.inputs = {
+ config.flake-file.inputs = {
 wrapper-modules = {
 url = "github:BirdeeHub/nix-wrapper-modules";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -11,8 +11,9 @@ };
 options = {
+ # This is what allows wrappers to be defined in flake.wrappers. throughout different flake-parts modules
 flake = inputs.flake-parts.lib.mkSubmoduleOptions {
- myWrappers = inputs.nixpkgs.lib.mkOption {
+ wrappers = inputs.nixpkgs.lib.mkOption {
 default = {};
 };
 };
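Review bot: `wrappers = inputs.nixpkgs.lib.mkOption { default = {}; };` declares the option without a `type`, so the definitions other modules now contribute (`flake.wrappers.signHostWrapper`, `flake.wrappers.signUserWrapper`, `flake.wrappers.stepBootstrap`) are combined by the untyped fallback, which merges attribute sets shallowly with `//`; a wrapper name defined in two modules is then silently overridden rather than reported. `type = inputs.nixpkgs.lib.types.lazyAttrsOf inputs.nixpkgs.lib.types.raw;` makes the per-module merge explicit, rejects duplicate names, and lets the option carry a `description`. The new comment also has a stray period, `defined in flake.wrappers. throughout`, which reads as two sentences; `# Lets wrappers be defined under flake.wrappers from any flake-parts module` would do.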