john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

better ssh certs wrappers

Browse Source
This commit is contained in:
John Lancaster
2026-04-20 21:13:19 -05:00
parent bd236ed977
commit e75951318d
4 changed files with 69 additions and 146 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/features/ssh-certs.nix
+28 -99
View File
@@ -2,8 +2,34 @@
let
mkPrincipalArgs = principals:
builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
in
{
perSystem = { system, self', pkgs, lib, ... }: {
packages.ssh-certs = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = (pkgs.symlinkJoin {
name = "ssh-certs";
meta.mainProgram = "sign-ssh-user-cert";
paths = [
(inputs.self.wrappers.signUserWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
validUsers = [ "john" "root" "appdaemon" ];
}).wrapper
signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
(inputs.self.wrappers.signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
];
});
};
};
flake.wrappers.signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
@@ -48,7 +74,7 @@ let
};
});
signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
flake.wrappers.signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
@@ -71,101 +97,4 @@ let
++ mkPrincipalArgs config.validUsers;
};
});
combinedWrapper = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
options = {
user.enable = lib.myEnableOption "Enable SSH user certs";
};
config = {
package = (pkgs.symlinkJoin {
name = "ssh-certs";
meta.mainProgram = "sign-ssh-host-cert";
paths = [
(signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
]
++ lib.optional config.user.enable (signUserWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
validUsers = [ "john" "root" "appdaemon" ];
}).wrapper;
});
};
});
in
{
perSystem = { system, self', pkgs, lib, ... }: {
packages.ssh-certs = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = (pkgs.symlinkJoin {
name = "ssh-certs";
meta.mainProgram = "sign-ssh-user-cert";
paths = [
(signUserWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
validUsers = [ "john" "root" "appdaemon" ];
}).wrapper
(signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
];
});
};
};
flake.modules.homeManager.sshCerts = { config, pkgs, lib, ... }: {
home.packages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.myPackage
];
};
# flake.modules.homeManager.sshCerts = { config, pkgs, lib, ... }: {
# home.packages = [
# (inputs.self.wrappers.sshCerts.apply {
# inherit pkgs;
# provisioner = "test prov";
# }).wrapper
# ];
# };
# flake.wrappers.sshCerts = { wlib, lib }:
# wlib.wrapModule ({ config, wlib, ... }: {
# options = {
# provisioner = lib.mkOption {
# type = lib.types.str;
# default = "admin";
# };
# };
# config = {
# binName = "admin-cow";
# package = config.pkgs.cowsay;
# args = [ config.provisioner ];
# };
# });
# inputs.wrappers.lib.wrapModule ({ config, lib, ... }: {
# options = {
# provisioner = lib.mkOption {
# type = lib.types.str;
# default = "admin";
# };
# };
# config = {
# package = config.pkgs.cowsay;
# args = [ config.provisioner ];
# };
# });
}