john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4af0cf7ca756ff7edb21ba2378c99072643279bf
dendritic/modules/services/step-ca/ssh-host.nix
John Lancaster 9466238db9 moved specifics
2026-03-15 20:19:41 -05:00

116 lines
3.7 KiB
Nix
Raw Blame History

{ inputs, ... }: {
flake.modules.nixos.step-ssh-host = { config, pkgs, lib, ... }:
let
cfg = config.step-ssh-host;
rootCertPath = "/etc/step/certs/root_ca.crt";
provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
sshCertPath = "${sshKeyPath}-cert.pub";
in
{
# NixOS Options
options.step-ssh-host = {
hostname = lib.mkOption {
description = "Networking host name";
type = lib.types.str;
};
caURL = lib.mkOption {
description = "URL for the certificate authority";
type = lib.types.str;
};
rootCertFile = {
path = lib.mkOption {
description = "String path to where the root_ca.crt file will be stored for the user";
type = lib.types.str;
default = "step/certs/root_ca.crt";
};
source = lib.mkOption {
description = "Nix path to the root cert file within the repo";
type = lib.types.path;
default = ../../../keys/root_ca.crt;
};
};
provisioner = lib.mkOption {
description = "Provisioner inside Step CA to use for the SSH certificates";
type = lib.types.str;
default = "admin";
};
};
imports = with inputs.self.modules.nixos; [ ssh ];
# NixOS Config
config = {
ssh.certificates.enable = true;
sops.secrets."janus/admin_jwk" = {
owner = "root";
group = "root";
mode = "0400";
};
networking.nameservers = [ "192.168.1.150" ];
networking.dhcpcd.extraConfig = "nohook resolv.conf";
environment.etc."${cfg.rootCertFile.path}".source = cfg.rootCertFile.source;
environment.systemPackages = with pkgs; [
step-cli
(writeShellScriptBin "ssh-host-cert-renew" ''
${lib.getExe pkgs.step-cli} ssh certificate \
--host --sign \
--root "${rootCertPath}" \
--ca-url ${cfg.caURL} \
--provisioner "${cfg.provisioner}" \
--provisioner-password-file "${provisionerPasswordPath}" \
--principal "${cfg.hostname}" \
--principal "${cfg.hostname}.john-stream.com" \
"${cfg.hostname}" "${sshKeyPath}.pub"
'')
(writeShellScriptBin "ssh-host-cert-check" "${lib.getExe' pkgs.openssh "ssh-keygen"} -Lf ${sshCertPath}")
];
systemd.services.step-ssh-host-renew = {
description = "Renew Step SSH host certificate if needed";
wantedBy = [ ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
path = [ pkgs.step-cli pkgs.openssh pkgs.coreutils pkgs.systemd ];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};
script = ''
set -euo pipefail
if ${lib.getExe pkgs.step-cli} ssh needs-renewal "${sshCertPath}" --expires-in "4h"; then
echo "Renewing SSH host certificate"
else
rc=$?
if [ "$rc" -eq 1 ]; then
echo "SSH host cert does not need renewal"
exit 0
fi
if [ "$rc" -eq 2 ]; then
echo "SSH host cert missing: ${sshCertPath}" >&2
exit 1
fi
echo "step ssh needs-renewal failed with rc=$rc" >&2
exit "$rc"
fi
'';
};
systemd.timers.step-ssh-host-renew = {
description = "Periodic Step SSH host certificate renewal";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "5m";
OnUnitActiveSec = "4h";
RandomizedDelaySec = "15m";
Persistent = true;
Unit = "step-ssh-host-renew.service";
};
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink