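{ inputs, ... }:
let
  # Step CA endpoint shared by both modules below.
  caURL = "https://janus.john-stream.com/";
  # SHA-256 fingerprint of the Step root CA certificate. The user module writes
  # it into defaults.json so the client pins the root it talks to.
  stepFingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
in
{
  #
  # NixOS Module
  #
  # Tooling to sign/renew this machine's SSH *host* certificate against the Step
  # CA. The provisioner password is read from the sops secret `janus/admin_jwk`,
  # which is made readable by root only.
  flake.modules.nixos.step-ssh-host =
    { config, pkgs, lib, ... }:
    let
      cfg = config.step-ssh-host;
      stepBin = lib.getExe pkgs.step-cli;
      # The root CA is installed via environment.etc; keeping the single relative
      # name here means the etc entry and the absolute path cannot drift apart.
      rootCertEtcName = "step/certs/root_ca.crt";
      rootCertPath = "/etc/${rootCertEtcName}";
      provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
      sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
      # `step ssh certificate --host` writes the signed certificate next to the key.
      sshCertPath = "${sshKeyPath}-cert.pub";
    in
    {
      # NixOS Options
      options.step-ssh-host = {
        hostname = lib.mkOption {
          type = lib.types.str;
          default = config.networking.hostName;
          defaultText = lib.literalExpression "config.networking.hostName";
          description = "Short hostname used as the certificate key ID and first principal.";
        };
        domain = lib.mkOption {
          type = lib.types.str;
          default = "john-stream.com";
          description = "DNS domain appended to `hostname` to form the FQDN principal.";
        };
        caURL = lib.mkOption {
          type = lib.types.str;
          default = caURL;
          description = "URL of the Step CA that signs host certificates.";
        };
        rootCertFile = lib.mkOption {
          type = lib.types.path;
          description = "Public Step root CA certificate file from the repo.";
          default = ../../keys/root_ca.crt;
        };
        sshHostProvisioner = lib.mkOption {
          type = lib.types.str;
          default = "admin";
          description = "Name of the Step CA provisioner used to sign host certificates.";
        };
      };

      imports = with inputs.self.modules.nixos; [ ssh ];

      # NixOS Config
      config = {
        ssh.certificates.enable = true;

        # Provisioner password for host signing. Root-only so no unprivileged user
        # on the host can mint certificates with it.
        # NOTE(review): the default provisioner is `admin`, so every host holds
        # the admin provisioner's password; a dedicated host provisioner would
        # narrow what a compromised host can sign - confirm this is intended.
        sops.secrets."janus/admin_jwk" = {
          owner = "root";
          group = "root";
          mode = "0400";
        };

        # Site-specific resolver; dhcpcd is told not to rewrite resolv.conf,
        # presumably so the CA hostname resolves via this server.
        networking.nameservers = [ "192.168.1.150" ];
        networking.dhcpcd.extraConfig = "nohook resolv.conf";

        environment.etc.${rootCertEtcName}.source = cfg.rootCertFile;

        environment.systemPackages = with pkgs; [
          step-cli
          # Renew the host certificate. Every interpolated value goes through
          # escapeShellArg so hostnames and paths cannot break out of the command
          # line; `--root` pins the CA root shipped from the repo.
          (writeShellScriptBin "ssh-host-cert-renew" ''
            ${stepBin} ssh certificate \
              --host --sign \
              --root ${lib.escapeShellArg rootCertPath} \
              --ca-url ${lib.escapeShellArg cfg.caURL} \
              --provisioner ${lib.escapeShellArg cfg.sshHostProvisioner} \
              --provisioner-password-file ${lib.escapeShellArg provisionerPasswordPath} \
              --principal ${lib.escapeShellArg cfg.hostname} \
              --principal ${lib.escapeShellArg "${cfg.hostname}.${cfg.domain}"} \
              ${lib.escapeShellArg cfg.hostname} ${lib.escapeShellArg "${sshKeyPath}.pub"}
          '')
          # Print the current host certificate (principals, validity, key ID).
          (writeShellScriptBin "ssh-host-cert-check"
            "${lib.getExe' pkgs.openssh "ssh-keygen"} -Lf ${lib.escapeShellArg sshCertPath}")
        ];
      };
    };

  #
  # Home Manager Module
  #
  # Per-user Step client configuration (defaults.json plus pinned root) and a
  # `sign-ssh-cert` helper that requests a user SSH certificate for the
  # configured principals.
  flake.modules.homeManager.step-ssh-user =
    { config, pkgs, lib, ... }:
    let
      cfg = config.step-ssh-user;
      stepBin = lib.getExe pkgs.step-cli;
      # The first principal doubles as the certificate key ID. Guarded so an empty
      # list surfaces the assertion below instead of a bare `head` failure.
      firstPrincipal = if cfg.principals == [ ] then "" else lib.head cfg.principals;
      # Each principal is shell-escaped so a configured name cannot inject extra
      # arguments into the step invocation.
      principalArgs = lib.concatMapStringsSep " " (p: "--principal ${lib.escapeShellArg p}") cfg.principals;
    in
    {
      options.step-ssh-user = {
        enable = lib.mkEnableOption "opinionated step client config for SSH certs";
        caURL = lib.mkOption {
          type = lib.types.str;
          default = caURL;
          description = "URL of the Step CA written to the user's defaults.json.";
        };
        fingerprint = lib.mkOption {
          type = lib.types.str;
          default = stepFingerprint;
          description = "SHA-256 fingerprint of the Step root CA, pinned in the user's defaults.json.";
        };
        rootCertFile = {
          path = lib.mkOption {
            type = lib.types.str;
            description = "String path to where the root_ca.crt file will be stored for the user";
            default = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
            defaultText = lib.literalExpression ''"''${config.home.homeDirectory}/.step/certs/root_ca.crt"'';
          };
          source = lib.mkOption {
            type = lib.types.path;
            description = "Nix path to the root cert file within the repo";
            default = ../../keys/root_ca.crt;
          };
        };
        provisioner = lib.mkOption {
          type = lib.types.str;
          default = "admin";
          description = "Name of the Step CA provisioner used to sign user certificates.";
        };
        principals = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          description = "Principals to request. At least one is required; the first is also used as the certificate key ID.";
        };
      };

      config = lib.mkIf cfg.enable {
        assertions = [
          {
            assertion = cfg.principals != [ ];
            message = "step-ssh-user.principals must contain at least one principal.";
          }
        ];

        # The root is always written to ~/.step/certs/root_ca.crt; rootCertFile.path
        # must point at that location (the default does).
        home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile.source;
        home.file.".step/config/defaults.json".text = builtins.toJSON {
          "ca-url" = cfg.caURL;
          fingerprint = cfg.fingerprint;
          root = cfg.rootCertFile.path;
        };

        # Provisioner password; readable only by the owning user.
        sops.secrets."janus/admin_jwk".mode = "0400";

        home.packages = with pkgs; [
          (writeShellScriptBin "sign-ssh-cert" ''
            ${stepBin} ssh certificate \
              --sign \
              ${principalArgs} \
              --provisioner ${lib.escapeShellArg cfg.provisioner} \
              --provisioner-password-file ${lib.escapeShellArg config.sops.secrets."janus/admin_jwk".path} \
              ${lib.escapeShellArg firstPrincipal} ${lib.escapeShellArg "${config.ssh.IdentityFile}.pub"}
          '')
        ];
      };
    };
}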