74 lines
2.0 KiB
Nix
74 lines
2.0 KiB
Nix
{inputs, ... }:
|
|
let
|
|
userName = "john";
|
|
in
|
|
{
|
|
flake.homeModules.ssh = { pkgs, config, lib, ... }:
|
|
{
|
|
options = {
|
|
sshIdentityFile = lib.mkOption {
|
|
# Intentionally not using a path type here because that will end up with the private key getting copied into the store
|
|
type = lib.types.str;
|
|
default = "${config.home.homeDirectory}/.ssh/id_ed25519";
|
|
description = "Path to the SSH identity file.";
|
|
};
|
|
};
|
|
|
|
# All this stuff has to be wrapped in a config attribute because of the presence of the options here?
|
|
config = let
|
|
identityFile = config.sshIdentityFile;
|
|
publicKeyFile = "${identityFile}.pub";
|
|
certificateFile = "${identityFile}-cert.pub";
|
|
userKnownHostsFile = "${config.home.homeDirectory}/.ssh/known_hosts";
|
|
in {
|
|
home.packages = [
|
|
(pkgs.writeShellScriptBin "sign-ssh-cert" ''
|
|
echo "Signing ${publicKeyFile}"
|
|
echo "Copy the Step-CA JWK Provisioner password from 1password"
|
|
step ssh certificate --sign \
|
|
--principal root --principal ${userName} \
|
|
--provisioner admin \
|
|
${userName} ${publicKeyFile}
|
|
'')
|
|
];
|
|
|
|
programs.ssh = {
|
|
enable = true;
|
|
enableDefaultConfig = false;
|
|
extraConfig = ''
|
|
SetEnv TERM="xterm-256color"
|
|
IdentityAgent ~/.1password/agent.sock
|
|
'';
|
|
|
|
matchBlocks = {
|
|
"*" = {
|
|
user = "john";
|
|
|
|
compression = false;
|
|
serverAliveInterval = 0;
|
|
serverAliveCountMax = 3;
|
|
|
|
identitiesOnly = true;
|
|
inherit identityFile certificateFile;
|
|
|
|
hashKnownHosts = false;
|
|
userKnownHostsFile = "${userKnownHostsFile}";
|
|
|
|
addKeysToAgent = "yes";
|
|
forwardAgent = false;
|
|
};
|
|
|
|
"janus" = {
|
|
hostname = "janus.john-stream.com";
|
|
user = "root";
|
|
};
|
|
"soteria" = {
|
|
hostname = "soteria.john-stream.com";
|
|
user = "john";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|