ssh options

2026-03-29 17:38:45 -05:00 · 2026-03-29 16:53:54 -05:00
6 changed files with 67 additions and 66 deletions
@@ -61,6 +61,9 @@ in
    };
    ssh = {
      certificates.enable = true;
+      knownHosts = [
+        "fded:fb16:653e:25da:be24:11ff:fea0:753f ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9ZqiWPrCwHjxFCiu0lT4rlQs7KyMapxKJQQ5PJP1eh"
+      ];
      matchSets = {
        certs = true;
        appdaemon = true;
@@ -1,16 +1,10 @@
 { self, inputs, ... }: {
-  flake.modules.homeManager.onepassword = { config, pkgs, lib, ... }: {
+  flake.modules.homeManager.onepassword = { config, ... }: {
    home.file.".config/1Password/ssh/agent.toml".text = ''
      # https://developer.1password.com/docs/ssh/agent/config
      [[ssh-keys]]
      vault = "Private"
    '';
-    programs.ssh = {
-      enable = true;
-      extraConfig = ''
-        Host *
-            IdentityAgent ${config.home.homeDirectory}/.1password/agent.sock
-      '';
-    };
+    programs.ssh.matchBlocks."*".identityAgent = "${config.home.homeDirectory}/.1password/agent.sock";
  };
 }
@@ -64,8 +64,8 @@ in
        (writeShellScriptBin "gen-age-key" ''
          set -eu

-          if [ ! -f "${config.ssh.IdentityFile}" ]; then
-            ${echo} "SSH identity file not found: ${config.ssh.IdentityFile}" >&2
+          if [ ! -f "${config.ssh.identityFile}" ]; then
+            ${echo} "SSH identity file not found: ${config.ssh.identityFile}" >&2
            exit 1
          fi

@@ -75,7 +75,7 @@ in
          fi

          ${mkdir} -p "$(${dirname} "${cfg.ageKeyFile}")"
-          ${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.IdentityFile} -private-key > ${cfg.ageKeyFile}
+          ${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.identityFile} -private-key > ${cfg.ageKeyFile}
          ${echo} -n "Created ${cfg.ageKeyFile}: "
          ${echo} $(${lib.getExe show-age-key})
        '')
@@ -90,7 +90,7 @@ in
      sops = {
        defaultSopsFile = sopsSecretsPath;
        defaultSopsFormat = "yaml";
-        age.sshKeyPaths = [ "${config.ssh.IdentityFile}" ];
+        age.sshKeyPaths = [ "${config.ssh.identityFile}" ];
      };
    };
  };
@@ -29,7 +29,7 @@
          ${principalArgs} \
          --provisioner "${cfg.provisioner}" \
          --provisioner-password-file "${config.sops.secrets."janus/admin_jwk".path}" \
-          "${firstPrincipal}" "${config.ssh.IdentityFile}.pub"
+          "${firstPrincipal}" "${config.ssh.identityFile}.pub"
        '')
      ];
    };
@@ -1,40 +1,38 @@
-{inputs, ... }:
+{ inputs, ... }:
 let
  userName = "john";
  sshHostCAPubKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";
 in
 {
-  flake.modules.nixos.ssh = { pkgs, config, lib, ... }:
+  flake.modules.nixos.ssh = { config, pkgs, lib, ... }:
  let
    cfg = config.ssh;
-    userCAPath = "ssh/ssh_user_ca.pub";
+    configDir = "/etc/ssh";
  in
  {
    options.ssh = {
-      configDir = lib.mkOption {
-        description = "String path to the host SSH config directory";
-        type = lib.types.str;
-        default = "/etc/ssh";
-      };
      hostKey = lib.mkOption {
        description = "String path to the host private key file";
        type = lib.types.str;
-        default = "${cfg.configDir}/ssh_host_ed25519_key";
+        default = "ssh_host_ed25519_key";
      };
      certificates = {
        enable = lib.mkEnableOption "Enable SSH host certificates";
        userCA = lib.mkOption {
+          description = "Content for the SSH user CA file (public key)";
          type = lib.types.path;
-          default = ../../keys/ssh_user_ca.pub;
+          default = ../hosts/janus/ssh_user_ca.pub;
        };
-        userCAPath = lib.mkOption {
+        userCAFile = lib.mkOption {
+          description = "String path to the SSh user CA";
          type = lib.types.str;
-          default = "${cfg.configDir}/ssh_user_ca.pub";
+          default = "ssh_user_ca.pub";
        };
      };
    };

    config = {
+      cfg.certificates = lib.mkDefault true;
      services.openssh = {
        enable = true;
        # require public key authentication for better security
@@ -42,16 +40,16 @@ in
          {
            PasswordAuthentication = false;
            KbdInteractiveAuthentication = false;
-            HostKey = cfg.hostKey;
+            HostKey = "${configDir}/${cfg.hostKey}";
          }
          (lib.mkIf cfg.certificates.enable {
-            TrustedUserCAKeys = cfg.certificates.userCAPath;
-            HostCertificate = "${cfg.hostKey}-cert.pub";
+            TrustedUserCAKeys = "${configDir}/${cfg.certificates.userCAFile}";
+            HostCertificate = "${configDir}/${cfg.hostKey}-cert.pub";
          })
        ];
      };

-      environment.etc."${userCAPath}" = lib.mkIf cfg.certificates.enable {
+      environment.etc."ssh/${cfg.certificates.userCAFile}" = lib.mkIf cfg.certificates.enable {
        source = cfg.certificates.userCA;
      };

@@ -68,52 +66,56 @@ in
    };
  };

-  flake.modules.homeManager.ssh = { pkgs, config, lib, ... }:
+  flake.modules.homeManager.ssh = { config, pkgs, lib, ... }:
+  let
+    cfg = config.ssh;
+    configDir = "${config.home.homeDirectory}/.ssh";
+    identityFile = cfg.identityFile;
+    publicKeyFile = "${identityFile}.pub";
+    certificateFile = "${identityFile}-cert.pub";
+  in
  {
-    options.ssh = {
-      IdentityFile = lib.mkOption {
+    options.ssh = with lib; {
+      identityFile = mkOption {
        # Intentionally not using a path type here because that will end up with the private key getting copied into the store
-        type = lib.types.str;
+        type = types.str;
        default = "${config.home.homeDirectory}/.ssh/id_ed25519";
        description = "Path to the SSH identity file.";
      };

      certificates = {
-        enable = lib.mkEnableOption "Enable SSH user certificates";
-        # sshCertProvisioner = lib.mkOption {
-        #   type = lib.types.str;
-        #   default = "admin";
-        # };
+        enable = mkEnableOption "Enable SSH client certificates";
      };

-      knownHostsFile = lib.mkOption {
-        type = lib.types.str;
-        default = "${config.home.homeDirectory}/.ssh/known_hosts";
+      knownHostsFile = mkOption {
+        type = types.str;
+        default = "${configDir}/known_hosts";
+      };
+
+      knownHosts = mkOption {
+        description = "";
+        type = types.listOf types.str;
+        default = [ ];
      };

      matchSets = {
-        appdaemon = lib.mkEnableOption "Enable AppDaemon SSH targets";
-        certs = lib.mkEnableOption "Enable Janus and Soteria SSH targets";
-        homelab = lib.mkEnableOption "Enable various Homelab targets";
-        dev = lib.mkEnableOption "Enable development targets";
+        appdaemon = mkEnableOption "Enable AppDaemon SSH targets";
+        certs = mkEnableOption "Enable Janus and Soteria SSH targets";
+        homelab = mkEnableOption "Enable various Homelab targets";
+        dev = mkEnableOption "Enable development targets";
      };
    };

    # All this stuff has to be wrapped in a config attribute because of the presence of the options here?
    config = let
-      cfg = config.ssh;
-      identityFile = cfg.IdentityFile;
-      publicKeyFile = "${identityFile}.pub";
-      certificateFile = "${identityFile}-cert.pub";
      provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
    in {
      home.file.".ssh/known_hosts" = {
        text = lib.concatStringsSep "\n" (
-          [
-            "fded:fb16:653e:25da:be24:11ff:fea0:753f ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9ZqiWPrCwHjxFCiu0lT4rlQs7KyMapxKJQQ5PJP1eh"
+          cfg.knownHosts ++ lib.optionals cfg.certificates.enable [
+            "@cert-authority 192.168.1.* ${sshHostCAPubKey}"
+            "@cert-authority *.john-stream.com ${sshHostCAPubKey}"
          ]
-          ++ (lib.optional cfg.certificates.enable "@cert-authority 192.168.1.* ${sshHostCAPubKey}")
-          ++ (lib.optional cfg.certificates.enable "@cert-authority *.john-stream.com ${sshHostCAPubKey}")
        );
      };

@@ -122,27 +124,29 @@ in
        enableDefaultConfig = false;
        extraConfig = ''
          SetEnv TERM="xterm-256color"
-          IdentityAgent ~/.1password/agent.sock
        '';

        matchBlocks = lib.mkMerge [
          {
-            "*" = {
-              user = "john";
+            "*" = lib.mkMerge [
+              {
+                user = "john";

-              compression = false;
-              serverAliveInterval = 0;
-              serverAliveCountMax = 3;
+                compression = false;
+                serverAliveInterval = 0;
+                serverAliveCountMax = 3;

-              identitiesOnly = true;
-              inherit identityFile certificateFile;
+                identitiesOnly = true;
+                inherit identityFile;

-              hashKnownHosts = false;
-              userKnownHostsFile = cfg.knownHostsFile;
+                hashKnownHosts = false;
+                userKnownHostsFile = cfg.knownHostsFile;

-              addKeysToAgent = "yes";
-              forwardAgent = false;
-            };
+                addKeysToAgent = "yes";
+                forwardAgent = false;
+              }
+              (lib.mkIf cfg.certificates.enable { inherit certificateFile; })
+            ];
          }
          (lib.mkIf cfg.matchSets.appdaemon {
            "appdaemon" = {
Author	SHA1	Message	Date
John Lancaster	04bbf00c3d	ssh options	2026-03-29 17:38:45 -05:00
John Lancaster	e0abbd6b90	ssh options	2026-03-29 16:53:54 -05:00