134 lines
4.2 KiB
Nix
134 lines
4.2 KiB
Nix
{ inputs, ... }:
|
|
let
|
|
caURL = "https://janus.john-stream.com/";
|
|
stepFingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
|
|
in
|
|
{
|
|
#
|
|
# NixOS Module
|
|
#
|
|
flake.modules.nixos.step-ssh-host = { config, pkgs, lib, ... }:
|
|
let
|
|
cfg = config.step-ssh-host;
|
|
stepBin = lib.getExe pkgs.step-cli;
|
|
rootCertPath = "/etc/step/certs/root_ca.crt";
|
|
provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
|
|
sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
|
|
sshCertPath = "${sshKeyPath}-cert.pub";
|
|
in
|
|
{
|
|
# NixOS Options
|
|
options.step-ssh-host = {
|
|
hostname = lib.mkOption {
|
|
type = lib.types.str;
|
|
};
|
|
caURL = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "${caURL}";
|
|
};
|
|
rootCertFile = lib.mkOption {
|
|
type = lib.types.path;
|
|
description = "Public Step root CA certificate file from the repo.";
|
|
default = ../../keys/root_ca.crt;
|
|
};
|
|
sshHostProvisioner = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "admin";
|
|
};
|
|
};
|
|
|
|
imports = with inputs.self.modules.nixos; [ ssh ];
|
|
# NixOS Config
|
|
config = {
|
|
ssh.certificates.enable = true;
|
|
sops.secrets."janus/admin_jwk" = {
|
|
owner = "root";
|
|
group = "root";
|
|
mode = "0400";
|
|
};
|
|
networking.nameservers = [ "192.168.1.150" ];
|
|
networking.dhcpcd.extraConfig = "nohook resolv.conf";
|
|
|
|
environment.etc."step/certs/root_ca.crt".source = cfg.rootCertFile;
|
|
environment.systemPackages = with pkgs; [
|
|
step-cli
|
|
(writeShellScriptBin "ssh-host-cert-renew" ''
|
|
${lib.getExe pkgs.step-cli} ssh certificate \
|
|
--host --sign \
|
|
--root "${rootCertPath}" \
|
|
--ca-url ${cfg.caURL} \
|
|
--provisioner "${cfg.sshHostProvisioner}" \
|
|
--provisioner-password-file "${provisionerPasswordPath}" \
|
|
--principal "${cfg.hostname}" \
|
|
--principal "${cfg.hostname}.john-stream.com" \
|
|
"${cfg.hostname}" "${sshKeyPath}.pub"
|
|
'')
|
|
(writeShellScriptBin "ssh-host-cert-check" "${lib.getExe' pkgs.openssh "ssh-keygen"} -Lf ${sshCertPath}")
|
|
];
|
|
};
|
|
};
|
|
|
|
#
|
|
# Home Manager Module
|
|
#
|
|
flake.modules.homeManager.step-ssh-user = { config, pkgs, lib, ... }:
|
|
let
|
|
cfg = config.step-ssh-user;
|
|
firstPrincipal = lib.head cfg.principals;
|
|
principalArgs = lib.concatMapStringsSep " "
|
|
(principal: "--principal \"${principal}\"") cfg.principals;
|
|
in
|
|
{
|
|
options.step-ssh-user = {
|
|
enable = lib.mkEnableOption "opionated step client config for SSH certs";
|
|
caURL = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "${caURL}";
|
|
};
|
|
fingerprint = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "${stepFingerprint}";
|
|
};
|
|
rootCertFile = {
|
|
path = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "String path to where the root_ca.crt file will be stored for the user";
|
|
default = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
|
|
};
|
|
source = lib.mkOption {
|
|
type = lib.types.path;
|
|
description = "Nix path to the root cert file within the repo";
|
|
default = ../../keys/root_ca.crt;
|
|
};
|
|
};
|
|
provisioner = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "admin";
|
|
};
|
|
principals = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
# default = [ ];
|
|
};
|
|
};
|
|
config = lib.mkIf cfg.enable {
|
|
home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile.source;
|
|
home.file.".step/config/defaults.json".text = builtins.toJSON {
|
|
"ca-url" = cfg.caURL;
|
|
fingerprint = cfg.fingerprint;
|
|
root = "${cfg.rootCertFile.path}";
|
|
};
|
|
sops.secrets."janus/admin_jwk".mode = "0400";
|
|
home.packages = with pkgs; [
|
|
(writeShellScriptBin "sign-ssh-cert" ''
|
|
${lib.getExe pkgs.step-cli} ssh certificate \
|
|
--sign \
|
|
${principalArgs} \
|
|
--provisioner "${cfg.provisioner}" \
|
|
--provisioner-password-file "${config.sops.secrets."janus/admin_jwk".path}" \
|
|
"${firstPrincipal}" "${config.ssh.IdentityFile}.pub"
|
|
'')
|
|
];
|
|
};
|
|
};
|
|
}
|