# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
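{ config, lib, pkgs, ... }:

# sshd settings for certificate-based authentication on this host.
#
# The host presents CA-signed host certificates (placed out of band under
# /var/lib/secretsmgr/ssh), and user logins are accepted from certificates
# signed by the client CA in ../../secrets/client-ca.pub.  Which principals a
# certificate may carry for a given account is decided by the
# AuthorizedPrincipals* directives below.
#
# The previous `let inherit (lib) listToAttrs nameValuePair mkAfter
# concatMapStrings; in` wrapper was dropped: none of those names were used
# anywhere in this module.
{
  config = {
    # HostCertificate   - certificates for the ed25519 and RSA host keys.
    # TrustedUserCAKeys - CA public key whose signed user certificates are
    #                     trusted.  Interpolating the path copies the file into
    #                     the (world-readable) Nix store; it is a public key, so
    #                     that is acceptable.
    # AuthorizedPrincipalsCommand/User - /etc/ssh/authorized_principals_cmd is
    #                     run as the "sshd" user with the target username (%u)
    #                     and its output is treated as the allowed principal
    #                     list (see the helper defined further down).
    # AuthorizedPrincipalsFile - per-account principal files.
    #
    # NOTE(review): sshd keeps only the first value it parses for most
    # keywords, and to my reading AuthorizedPrincipalsFile is one of them, so
    # the second AuthorizedPrincipalsFile line is probably ignored and
    # /etc/ssh/authorized_principals.d/%u never consulted.  Verify with
    # `sshd -T | grep -i authorizedprincipalsfile` on a deployed host before
    # relying on the root principals file below.
    services.openssh.extraConfig = ''
      HostCertificate /var/lib/secretsmgr/ssh/ssh_host_ed25519_key-cert.pub
      HostCertificate /var/lib/secretsmgr/ssh/ssh_host_rsa_key-cert.pub
      TrustedUserCAKeys ${../../secrets/client-ca.pub}
      AuthorizedPrincipalsCommand /etc/ssh/authorized_principals_cmd %u
      AuthorizedPrincipalsCommandUser sshd
      AuthorizedPrincipalsFile %h/.ssh/authorized_principals
      AuthorizedPrincipalsFile /etc/ssh/authorized_principals.d/%u
    '';

    # Helper invoked by sshd with the target username as $1 (mode 0555 so the
    # unprivileged "sshd" user can execute it).  It prints the username back,
    # which means a certificate whose principal list contains the account name
    # is accepted for that account.
    environment.etc."ssh/authorized_principals_cmd" = {
      mode = "0555";
      text = ''
        #!${pkgs.stdenv.shell}
        # printf rather than echo: a name starting with "-" cannot be taken
        # for an echo option, and nothing in the name is interpreted.
        printf '%s\n' "$1"
      '';
    };

    # Extra principal allowed to log in as root via the second
    # AuthorizedPrincipalsFile path.  See the NOTE(review) above: if sshd only
    # honours the first AuthorizedPrincipalsFile, this file has no effect and a
    # "root" principal (via the command above) is what actually grants root.
    environment.etc."ssh/authorized_principals.d/root".text = ''
      lukegb
    '';
  };
}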