sign ssh cert working

John Lancaster
2026-03-15 14:58:23 -05:00
parent e1b093929c
commit ec501e3029
2 changed files with 21 additions and 7 deletions


@@ -106,6 +106,10 @@ in
default = ../../keys/root_ca.crt; default = ../../keys/root_ca.crt;
}; };
}; };
sshHostProvisioner = lib.mkOption {
type = lib.types.str;
default = "admin";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile; home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile;
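Review bot: The new `sshHostProvisioner` option on the `sshHostProvisioner = lib.mkOption {` line has no `description`, so it is absent from generated option docs and its purpose is only recoverable from the other file in this commit, where it is passed as `--provisioner` to `step ssh certificate --sign` for a user certificate. I would add `description = "Name of the step-ca provisioner used by sign-ssh-cert; its password is read from the sops secret janus/admin_jwk.";` so the coupling between the provisioner name and that fixed secret path is visible to whoever changes the default away from `"admin"`. Since the option name says host but the only visible consumer signs a user certificate, it is worth confirming the name reflects its intended use. The enclosing options attribute set starts before this hunk.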


@@ -51,6 +51,10 @@ in
flake.modules.homeManager.ssh = { pkgs, config, lib, ... }: flake.modules.homeManager.ssh = { pkgs, config, lib, ... }:
{ {
imports = with inputs.self.modules.homeManager; [
step-client
];
options.ssh = { options.ssh = {
IdentityFile = lib.mkOption { IdentityFile = lib.mkOption {
# Intentionally not using a path type here because that will end up with the private key getting copied into the store # Intentionally not using a path type here because that will end up with the private key getting copied into the store
@@ -78,16 +82,22 @@ in
publicKeyFile = "${identityFile}.pub"; publicKeyFile = "${identityFile}.pub";
certificateFile = "${identityFile}-cert.pub"; certificateFile = "${identityFile}-cert.pub";
userKnownHostsFile = "${config.home.homeDirectory}/.ssh/known_hosts"; userKnownHostsFile = "${config.home.homeDirectory}/.ssh/known_hosts";
provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
sshHostProvisioner = config.step-client.sshHostProvisioner;
in { in {
home.packages = [ sops.secrets."janus/admin_jwk" = {
mode = "0400";
};
home.packages = lib.optionals cfg.certificates.enable [
(pkgs.writeShellScriptBin "sign-ssh-cert" '' (pkgs.writeShellScriptBin "sign-ssh-cert" ''
echo "Signing ${publicKeyFile}" ${lib.getExe pkgs.step-cli} ssh certificate \
echo "Copy the Step-CA JWK Provisioner password from 1password" --sign \
step ssh certificate --sign \
--principal root \
--principal ${userName} \ --principal ${userName} \
--principal root \
--principal appdaemon \ --principal appdaemon \
--provisioner admin \ --provisioner "${sshHostProvisioner}" \
--provisioner-password-file "${provisionerPasswordPath}" \
${userName} ${publicKeyFile} ${userName} ${publicKeyFile}
'') '')
]; ];
@@ -121,7 +131,7 @@ in
inherit identityFile certificateFile; inherit identityFile certificateFile;
hashKnownHosts = false; hashKnownHosts = false;
userKnownHostsFile = "${userKnownHostsFile}"; userKnownHostsFile = userKnownHostsFile;
addKeysToAgent = "yes"; addKeysToAgent = "yes";
forwardAgent = false; forwardAgent = false;