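{ depot, lib, config, ... }:

# Per-server Vault provisioning (terranix-style resource attrset).
#
# For every NixOS system known to the depot this module emits:
#   * a per-server Vault policy (vault_policy.server_<name>),
#   * an AppRole login role (vault_approle_auth_backend_role.server_<name>),
#   * an identity entity + alias binding that AppRole login to the policies,
#   * an SSH CA role that can only sign host certificates for the server's own
#     hostnames (vault_ssh_secret_backend_role.server_<name>).
let
  inherit (lib) mkOption nameValuePair mapToAttrs types mkEnableOption mapAttrs' filterAttrs mkMerge mapAttrsToList concatStringsSep optionalAttrs;

  # Vault TTL fields in these resources are plain seconds.
  minutes = m: m * 60;

  serversType = types.attrsOf (types.submodule ({ name, ... }: {
    options = {
      enable = mkOption {
        type = types.bool;
        default = true;
        description = "Whether Vault resources are generated for this server.";
      };

      resourceName = mkOption {
        type = types.str;
        default = "server_${name}";
        internal = true;
        description = "Terraform resource key shared by every resource of this server.";
      };

      extraPolicies = mkOption {
        type = with types; listOf str;
        default = [];
        description = "Additional Vault policy names attached to the server's identity entity.";
      };

      apps = mkOption {
        type = with types; listOf str;
        default = [];
        description = ''
          App names whose policy (Terraform resource vault_policy.app_<name>,
          defined elsewhere) is attached to the server's identity entity.
        '';
      };

      hostnames = mkOption {
        type = with types; listOf str;
        default = [
          "${name}.as205479.net"
          "${name}.blade.as205479.net"
          "${name}.int.as205479.net"
        ];
        description = ''
          Exact hostnames this server may obtain SSH host certificates for.
          They become the SSH role's allowed_domains; allow_bare_domains is set
          and allow_subdomains is not, so only these literal names are accepted
          as certificate principals.
        '';
      };

      secretIdBoundCidrs = mkOption {
        type = with types; listOf str;
        default = [];
        description = ''
          CIDR blocks from which the AppRole secret ID may be used to log in.
          Empty (the default) emits nothing and leaves Vault's default of no
          source restriction.
        '';
      };

      tokenBoundCidrs = mkOption {
        type = with types; listOf str;
        default = [];
        description = ''
          CIDR blocks from which tokens issued by the AppRole login may be used.
          Empty (the default) emits nothing and leaves Vault's default of no
          source restriction.
        '';
      };

      secretIdTtl = mkOption {
        type = with types; nullOr int;
        default = null;
        description = ''
          Lifetime in seconds of an issued AppRole secret ID. null (the default)
          emits nothing, which leaves Vault's default of a non-expiring secret ID.
        '';
      };

      # The default policy only permits signing through this server's own SSH
      # role. Because allowed_parameters is non-empty, every request parameter
      # not listed (ttl, key_id, extensions, critical_options, ...) is rejected;
      # cert_type is pinned to "host" and the principals are further restricted
      # by the SSH role's allowed_domains.
      policy = mkOption {
        type = types.lines;
        default = ''
          path "ssh-host/sign/${name}" {
            capabilities = ["update"]
            allowed_parameters = {
              "cert_type" = ["host"]
              "public_key" = []
              "valid_principals" = []
            }
          }
        '';
        description = "HCL body of the per-server Vault policy.";
      };
    };
  }));

  cfg = config.my.enabledServers;
in {
  options = {
    my.servers = mkOption {
      type = serversType;
      description = "Servers to provision Vault access for, keyed by system name.";
    };

    my.enabledServers = mkOption {
      internal = true;
      readOnly = true;
      default = filterAttrs (n: v: v.enable) config.my.servers;
      type = serversType;
      description = "my.servers with entries that have enable = false removed.";
    };
  };

  # Every system in the depot gets an entry with the submodule defaults;
  # per-server overrides merge in through the module system.
  config.my.servers = mapToAttrs (name: nameValuePair name {}) (builtins.attrNames depot.ops.nixos.systemConfigs);

  config.resource = mkMerge (mapAttrsToList (serverName: serverCfg: {
    vault_policy.${serverCfg.resourceName} = {
      name = "server/${serverName}";
      inherit (serverCfg) policy;
    };

    vault_approle_auth_backend_role.${serverCfg.resourceName} = {
      backend = "\${vault_auth_backend.approle.path}";
      role_name = serverName;
      # NOTE(review): the role_id is fixed to the server name, so it is
      # predictable; the secret ID is the only secret half of this login and
      # its distribution should be treated accordingly.
      role_id = serverName;
      # 0 = a secret ID may be used an unlimited number of times. Combined with
      # no secret_id_ttl (unless secretIdTtl is set) an issued secret ID stays
      # valid until explicitly revoked; the tokens it yields are short-lived.
      secret_id_num_uses = 0;
      token_ttl = minutes 20;
      token_max_ttl = minutes 30;
    } // optionalAttrs (serverCfg.secretIdBoundCidrs != []) {
      secret_id_bound_cidrs = serverCfg.secretIdBoundCidrs;
    } // optionalAttrs (serverCfg.tokenBoundCidrs != []) {
      token_bound_cidrs = serverCfg.tokenBoundCidrs;
    } // optionalAttrs (serverCfg.secretIdTtl != null) {
      secret_id_ttl = serverCfg.secretIdTtl;
    };

    # The entity carries the effective policy set; the AppRole itself sets no
    # token_policies, so a login gets these via the alias below.
    vault_identity_entity.${serverCfg.resourceName} = {
      name = serverName;
      policies =
        ["default" "server" "\${vault_policy.${serverCfg.resourceName}.name}"]
        ++ serverCfg.extraPolicies
        ++ (map (name: "\${vault_policy.app_${name}.name}") serverCfg.apps);
      metadata.server = serverName;
    };

    # Maps the AppRole login (alias name = role name) onto the entity.
    vault_identity_entity_alias.${serverCfg.resourceName} = {
      name = serverName;
      mount_accessor = "\${vault_auth_backend.approle.accessor}";
      canonical_id = "\${vault_identity_entity.${serverCfg.resourceName}.id}";
    };

    # Host-certificate-only CA role: user certificates are not enabled, and
    # principals are limited to the exact names in serverCfg.hostnames.
    vault_ssh_secret_backend_role.${serverCfg.resourceName} = {
      name = serverName;
      backend = "\${vault_mount.ssh-host.path}";
      key_type = "ca";
      allow_host_certificates = true;
      allow_bare_domains = true;
      allowed_domains = concatStringsSep "," serverCfg.hostnames;
      # Host certificates are valid for exactly one week; max_ttl equals ttl,
      # and the policy above rejects a client-supplied ttl anyway.
      ttl = 7 * 24 * 60 * 60;
      max_ttl = 7 * 24 * 60 * 60;
    };
  }) cfg);
}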