depot/ops/nixos/lib/ssh-ca-vault.nix

# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
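{ config, lib, pkgs, ... }:
# Certificate-based SSH for this host: sshd presents CA-signed host
# certificates, trusts user certificates signed by the client CA, and maps
# certificate principals to local accounts.
#
# The unused `let inherit (lib) listToAttrs nameValuePair mkAfter
# concatMapStrings` binding was dropped; nothing in this module referenced it.
{
  config = {
    # Appended to the NixOS-generated sshd_config.
    #
    # HostCertificate: the host certificates are read at runtime from
    # /var/lib/secretsmgr/ssh (not from the Nix store), so they can be rotated
    # without a rebuild.
    #
    # TrustedUserCAKeys: `${../../secrets/client-ca.pub}` is a Nix path
    # interpolation, so the CA *public* key is copied into the Nix store and
    # referenced by store path; only the public half is exposed this way.
    #
    # AuthorizedPrincipalsCommand: /etc/ssh/authorized_principals_cmd (defined
    # below) just prints its argument, which sshd supplies as %u, the login
    # name. Net effect: a user certificate is accepted for an account whenever
    # its principal list contains that account's username -- this includes
    # `root`. The command runs as the unprivileged `sshd` user.
    #
    # AuthorizedPrincipalsFile: NOTE(review): sshd_config(5) states that, unless
    # documented otherwise, the first value obtained for a keyword is used, and
    # AuthorizedPrincipalsFile is not documented as accepting multiple paths
    # (unlike AuthorizedKeysFile). If that holds, the second line
    # (/etc/ssh/authorized_principals.d/%u) is silently ignored and the
    # root -> lukegb mapping defined below never takes effect; confirm the
    # effective value with `sshd -T` and keep a single directive.
    services.openssh.extraConfig = ''
      HostCertificate /var/lib/secretsmgr/ssh/ssh_host_ed25519_key-cert.pub
      HostCertificate /var/lib/secretsmgr/ssh/ssh_host_rsa_key-cert.pub
      TrustedUserCAKeys ${../../secrets/client-ca.pub}
      AuthorizedPrincipalsCommand /etc/ssh/authorized_principals_cmd %u
      AuthorizedPrincipalsCommandUser sshd
      AuthorizedPrincipalsFile %h/.ssh/authorized_principals
      AuthorizedPrincipalsFile /etc/ssh/authorized_principals.d/%u
    '';

    # Principals helper invoked by sshd with the target username as $1.
    # Setting `mode` makes environment.etc materialise a real root-owned file
    # in /etc rather than a store symlink; 0555 (no group/other write bit)
    # satisfies sshd's ownership/permission requirement for this command.
    environment.etc."ssh/authorized_principals_cmd" = {
      mode = "0555";
      text = ''
        #!${pkgs.stdenv.shell}
        echo "$1"
      '';
    };

    # Additional principal accepted for the root account: a user certificate
    # carrying the principal `lukegb` may log in as root (see the NOTE above on
    # whether this file is actually consulted).
    environment.etc."ssh/authorized_principals.d/root".text = ''
      lukegb
    '';
  };
}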