ssh-ca-vault: init

2022-03-11 21:48:06 +00:00 · 2022-03-11 21:48:06 +00:00 · ac0c6eccef
commit ac0c6eccef
parent 86a6191a56
5 changed files with 48 additions and 1 deletions
--- a/ops/nixos/lib/common.nix
+++ b/ops/nixos/lib/common.nix
@ -20,6 +20,7 @@ in
    ./vault-agent.nix
    ./vault-agent-acme.nix
    ./vault-agent-secrets.nix
+    ./ssh-ca-vault.nix
  ];

  options.my.specialisationName = lib.mkOption {
--- a/ops/nixos/lib/ssh-ca-vault.nix
+++ b/ops/nixos/lib/ssh-ca-vault.nix
@ -0,0 +1,41 @@
+# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ config, lib, ... }:
+let
+  inherit (lib) listToAttrs nameValuePair mkAfter concatMapStrings;
+
+  keyTypes = [ "ed25519" "rsa" ];
+  hostKeyForKeyType = keyType: "/etc/ssh/ssh_host_${keyType}_key.pub";
+  secretNameForKeyType = keyType: "openssh-cert-${keyType}";
+
+  signedPaths = map (keyType: config.my.vault.secrets.${secretNameForKeyType keyType}.path) keyTypes;
+in {
+  config = {
+    my.vault.secrets = let
+      hostname = config.networking.hostName;
+      fromKey = keyType: {
+        template = ''
+          {{ with file "${hostKeyForKeyType keyType}" | printf "public_key=%s" | secret "ssh-host/sign/${hostname}" "cert_type=host" "valid_principals=${hostname}.as205479.net,${hostname}.int.as205479.net" }}
+          {{ .Data.signed_key }}
+          {{ end }}
+        '';
+        group = "root";
+        reloadOrRestartUnits = [ "sshd.service" ];
+      };
+    in listToAttrs (map (keyType: nameValuePair (secretNameForKeyType keyType) (fromKey keyType)) keyTypes);
+
+    systemd.services.vault-agent.serviceConfig.ReadOnlyPaths = mkAfter (map hostKeyForKeyType keyTypes);
+
+    services.openssh.extraConfig = concatMapStrings (c: "HostCertificate ${c}\n") signedPaths + ''
+      TrustedUserCAKeys ${../../secrets/client-ca.pub}
+      AuthorizedPrincipalsFile %h/.ssh/authorized_principals
+      AuthorizedPrincipalsFile /etc/ssh/authorized_principals.d/%u
+    '';
+
+    environment.etc."ssh/authorized_principals.d/root".text = ''
+      lukegb
+    '';
+  };
+}
--- a/ops/nixos/lib/vault-agent.nix
+++ b/ops/nixos/lib/vault-agent.nix
@ -39,7 +39,10 @@ in
    my.vault.enable = mkDefault true;
    my.vault.settings = {
      pid_file = mkDefault "/run/vault-agent/pid";
-      vault.address = mkDefault "https://vault.int.lukegb.com";
+      vault = {
+        address = mkDefault "https://vault.int.lukegb.com";
+        retry.num_retries = mkDefault 1;
+      };
      auto_auth.method = mkDefault [{
        type = "approle";
        config = {
--- a/ops/secrets/client-ca.pub
+++ b/ops/secrets/client-ca.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqNOwlR7Qa8cbGpDfSCOweDPbAGQOZIcoRgh6s/J8DR vault-clients
--- a/ops/secrets/server-ca.pub
+++ b/ops/secrets/server-ca.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpQayDIvvBUCc1roNzDwT04tG7JuXQg1QlvvNyb/CHT vault-server
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqNOwlR7Qa8cbGpDfSCOweDPbAGQOZIcoRgh6s/J8DR vault-clients`
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpQayDIvvBUCc1roNzDwT04tG7JuXQg1QlvvNyb/CHT vault-server`