better ssh certs wrappers

This commit is contained in:
John Lancaster
2026-04-20 21:13:19 -05:00
parent bd236ed977
commit e75951318d
4 changed files with 69 additions and 146 deletions
+28 -99
@@ -2,8 +2,34 @@
let let
mkPrincipalArgs = principals: mkPrincipalArgs = principals:
builtins.concatLists (map (principal: [ "--principal" principal ]) principals); builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
in
{
perSystem = { system, self', pkgs, lib, ... }: {
packages.ssh-certs = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = (pkgs.symlinkJoin {
name = "ssh-certs";
meta.mainProgram = "sign-ssh-user-cert";
paths = [
(inputs.self.wrappers.signUserWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
validUsers = [ "john" "root" "appdaemon" ];
}).wrapper
signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: { (inputs.self.wrappers.signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
];
});
};
};
flake.wrappers.signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = { options = {
provisioner = lib.mkOption { provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
@@ -48,7 +74,7 @@ let
}; };
}); });
signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: { flake.wrappers.signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = { options = {
provisioner = lib.mkOption { provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
@@ -71,101 +97,4 @@ let
++ mkPrincipalArgs config.validUsers; ++ mkPrincipalArgs config.validUsers;
}; };
}); });
combinedWrapper = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
options = {
user.enable = lib.myEnableOption "Enable SSH user certs";
};
config = {
package = (pkgs.symlinkJoin {
name = "ssh-certs";
meta.mainProgram = "sign-ssh-host-cert";
paths = [
(signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
]
++ lib.optional config.user.enable (signUserWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
validUsers = [ "john" "root" "appdaemon" ];
}).wrapper;
});
};
});
in
{
perSystem = { system, self', pkgs, lib, ... }: {
packages.ssh-certs = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = (pkgs.symlinkJoin {
name = "ssh-certs";
meta.mainProgram = "sign-ssh-user-cert";
paths = [
(signUserWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
validUsers = [ "john" "root" "appdaemon" ];
}).wrapper
(signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
];
});
};
};
flake.modules.homeManager.sshCerts = { config, pkgs, lib, ... }: {
home.packages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.myPackage
];
};
# flake.modules.homeManager.sshCerts = { config, pkgs, lib, ... }: {
# home.packages = [
# (inputs.self.wrappers.sshCerts.apply {
# inherit pkgs;
# provisioner = "test prov";
# }).wrapper
# ];
# };
# flake.wrappers.sshCerts = { wlib, lib }:
# wlib.wrapModule ({ config, wlib, ... }: {
# options = {
# provisioner = lib.mkOption {
# type = lib.types.str;
# default = "admin";
# };
# };
# config = {
# binName = "admin-cow";
# package = config.pkgs.cowsay;
# args = [ config.provisioner ];
# };
# });
# inputs.wrappers.lib.wrapModule ({ config, lib, ... }: {
# options = {
# provisioner = lib.mkOption {
# type = lib.types.str;
# default = "admin";
# };
# };
# config = {
# package = config.pkgs.cowsay;
# args = [ config.provisioner ];
# };
# });
} }
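Review bot: The user-cert wrapper instantiated in `packages.ssh-certs` (L24-L29) fixes `validUsers = [ "john" "root" "appdaemon" ]` and `provisioner = "admin"` at build time, so every certificate this tool signs carries `--principal root` (via `mkPrincipalArgs`, L14) and is valid for root login on any host that trusts the CA. Since the `apply` call already accepts these values, consider exposing `validUsers` and `provisioner` as parameters of the package with a least-privilege default instead of hard-coding them, and add a comment on `packages.ssh-certs` such as `# Signs user certs for john, root and appdaemon — any cert from this tool grants root on CA-trusting hosts`. The commented-out `# extraPrincipals = [ "home-pc" ];` at L34 should either become a real option value or be dropped. The `flake.wrappers.signHostWrapper` module opened at L40 continues past the end of this hunk.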
+33 -39
@@ -1,6 +1,32 @@
{ self, inputs, ... }: { self, inputs, ... }: {
let flake.modules.homeManager.step-client = { config, pkgs, lib, ... }: {
bootstrapWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: { home.file.".step/config/defaults.json".text = builtins.toJSON {
ca-url = "https://janus.john-stream.com/";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
root = ../hosts/janus/root_ca.crt;
};
home.packages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.step-bootstrap
];
# sops.secrets."step-ca-defaults" = {
# sopsFile = ../hosts/janus/defaults.json;
# format = "json";
# key = ""; # This causes it to decode the whole file
# path = "${config.home.homeDirectory}/defaults.json";
# mode = "0400";
# };
};
perSystem = { system, pkgs, lib, ... }: {
packages.step-bootstrap = (inputs.self.wrappers.stepBootstrap.apply {
inherit pkgs;
caURL = "https://janus.john-stream.com";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
install = true;
}).wrapper;
};
flake.wrappers.stepBootstrap = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = { options = {
caURL = lib.mkOption { caURL = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@@ -12,46 +38,14 @@ let
}; };
config = { config = {
binName = "bootstrap"; binName = "step-bootstrap";
package = config.pkgs.step-cli; # (1)! package = config.pkgs.step-cli;
args = [ args = [
"ca" "bootstrap" "ca" "bootstrap"
"--ca-url" config.caURL "--ca-url" config.caURL
"--fingerprint" config.fingerprint "--fingerprint" config.fingerprint
]; ]
++ lib.optional config.install "--install";
}; };
}); });
in
{
perSystem = { system, self', pkgs, lib, ... }: {
packages.step-client = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = (pkgs.symlinkJoin {
name = "step";
meta.mainProgram = "step";
paths = with pkgs; [
self'.packages.step-bootstrap
(signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
(signUserWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
validUsers = [ "john" "root" "appdaemon" ];
}).wrapper
];
});
};
packages.step-bootstrap = (bootstrapWrapper.apply {
inherit pkgs;
caURL = "https://janus.john-stream.com";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
install = true;
}).wrapper;
};
} }
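Review bot: The CA fingerprint `2036c44f…` is pasted as a literal twice in this file (L152 and L170) and the same CA is pinned a third time via `builtins.readFile ./fingerprint` in the janus-ca module on this page, so a CA re-key now has three places to update and any one left stale silently keeps the old root pinned. Keep a single binding (e.g. `fingerprint = builtins.readFile ../hosts/janus/fingerprint;` in a `let`) and reference it from both `home.file.".step/config/defaults.json"` and `packages.step-bootstrap`. `ca-url` is written with a trailing slash at L151 but `caURL` without one at L169; pick one form for both. `install = true` at L171 becomes `--install` (L188), which in step-cli also adds the CA root to the system trust store, so a comment on that line such as `# --install: also trusts the CA root system-wide` would make the side effect explicit. The commented-out `sops.secrets` block at L158-L164 should be removed or annotated with why it is kept; the `flake.wrappers.stepBootstrap` module opened at L174 continues past the end of the first hunk.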
+5 -6
@@ -2,8 +2,6 @@
let let
username = "john"; username = "john";
hostname = "janus"; hostname = "janus";
ca-url = "https://janus.john-stream.com/";
fingerprint = builtins.readFile ./fingerprint;
in in
{ {
flake.modules.nixos.janus-ca = flake.modules.nixos.janus-ca =
@@ -39,7 +37,8 @@ in
config = { config = {
environment.etc = lib.mkIf cfgInEtc { environment.etc = lib.mkIf cfgInEtc {
"step-ca/defaults.json".text = builtins.toJSON { "step-ca/defaults.json".text = builtins.toJSON {
inherit ca-url fingerprint; ca-url = "https://janus.john-stream.com/";
fingerprint = builtins.readFile ./fingerprint;
root = "/etc/${certRootEtcPath}"; root = "/etc/${certRootEtcPath}";
}; };
"${certRootEtcPath}".source = ./root_ca.crt; "${certRootEtcPath}".source = ./root_ca.crt;
@@ -52,10 +51,10 @@ in
flake.modules.homeManager.janus-ca = { config, ... }: { flake.modules.homeManager.janus-ca = { config, ... }: {
home.file.".step/config/defaults.json".text = builtins.toJSON { home.file.".step/config/defaults.json".text = builtins.toJSON {
inherit ca-url fingerprint; ca-url = "https://janus.john-stream.com/";
root = "${config.home.homeDirectory}/.step/certs/root_ca.crt"; fingerprint = builtins.readFile ./fingerprint;
root = ./root_ca.crt;
}; };
home.file.".step/certs/root_ca.crt".source = ./root_ca.crt;
}; };
flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem { flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
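Review bot: `root = ./root_ca.crt;` at L249 places a Nix path value inside `builtins.toJSON`, which (as with string interpolation) copies the file into the store and emits a `/nix/store/...-root_ca.crt` string, so the home-manager `defaults.json` no longer points at `~/.step/certs/root_ca.crt`. That is fine for `step` reading `defaults.json`, but with the `home.file.".step/certs/root_ca.crt"` line (L251) removed nothing in the home profile provides the root at step's default certs location any more — confirm no other consumer relies on it, or keep the `home.file` and point `root` at it. The NixOS module on the same page keeps `root = "/etc/${certRootEtcPath}"`, so the two modules now locate the root differently; a comment on L249 such as `# path value is coerced to a store path in the JSON` would mark the coercion as intentional. The fingerprint is read from `./fingerprint` here (L240, L248) but hard-coded as a literal in the step-client module; one source for the CA pin would avoid drift between them.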
+3 -2
@@ -1,5 +1,5 @@
{ self, inputs, ... }: { { self, inputs, ... }: {
flake-file.inputs = { config.flake-file.inputs = {
wrapper-modules = { wrapper-modules = {
url = "github:BirdeeHub/nix-wrapper-modules"; url = "github:BirdeeHub/nix-wrapper-modules";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@@ -11,8 +11,9 @@
}; };
options = { options = {
# This is what allows wrappers to be defined in flake.wrappers.<wrapper-name> throughout different flake-parts modules
flake = inputs.flake-parts.lib.mkSubmoduleOptions { flake = inputs.flake-parts.lib.mkSubmoduleOptions {
myWrappers = inputs.nixpkgs.lib.mkOption { wrappers = inputs.nixpkgs.lib.mkOption {
default = {}; default = {};
}; };
}; };