john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dac6b704456a42f643dc5b80c00b17d124d0e28d
dendritic/modules/features/step-client.nix
T
John Lancaster dac6b70445 sign-ssh-host-cert
2026-04-19 17:31:38 -05:00

96 lines
2.7 KiB
Nix
Raw Blame History

{ self, inputs, ... }:
let
bootstrapWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
caURL = lib.mkOption {
type = lib.types.str;
};
fingerprint = lib.mkOption {
type = lib.types.str;
};
install = lib.mkEnableOption "Install the cert to the system trust store";
};
config = {
binName = "bootstrap";
package = config.pkgs.step-cli; # (1)!
args = [
"ca" "bootstrap"
"--ca-url" config.caURL
"--fingerprint" config.fingerprint
];
};
});
mkPrincipalArgs = principals:
builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "admin";
};
extraPrincipals = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
};
config = {
binName = "sign-ssh-host-cert";
package = config.pkgs.step-cli;
extraPackages = with config.pkgs; [ hostname iproute2 ];
preHook = ''
HOSTNAME=$(hostname -s)
IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
case "$addr" in
192.168.1.*/*)
printf '%s\n' "''${addr%%/*}"
break
;;
esac
done)
echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
'';
args =
[
"ssh" "certificate"
"--host" "--sign"
"--principal" "$HOSTNAME"
"--principal" "$IP_ADDRESS"
]
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
++ lib.optionals config.overwrite [ "-f" ]
++ mkPrincipalArgs config.extraPrincipals;
};
});
in
{
perSystem = { system, self', pkgs, lib, ... }: {
packages.step-client = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = (pkgs.symlinkJoin {
name = "step";
meta.mainProgram = "step";
paths = with pkgs; [
self'.packages.step-bootstrap
(signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
];
});
};
packages.step-bootstrap = (bootstrapWrapper.apply {
inherit pkgs;
caURL = "https://janus.john-stream.com";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
install = true;
}).wrapper;
};
}
Reference in New Issue View Git Blame Copy Permalink