From ac0c6eccefaf431e1135312566db0374ecee82dc Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Fri, 11 Mar 2022 21:48:06 +0000 Subject: [PATCH] ssh-ca-vault: init --- ops/nixos/lib/common.nix | 1 + ops/nixos/lib/ssh-ca-vault.nix | 41 ++++++++++++++++++++++++++++++++++ ops/nixos/lib/vault-agent.nix | 5 ++++- ops/secrets/client-ca.pub | 1 + ops/secrets/server-ca.pub | 1 + 5 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 ops/nixos/lib/ssh-ca-vault.nix create mode 100644 ops/secrets/client-ca.pub create mode 100644 ops/secrets/server-ca.pub diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix index 606e2b17d2..c0ee81197e 100644 --- a/ops/nixos/lib/common.nix +++ b/ops/nixos/lib/common.nix @@ -20,6 +20,7 @@ in ./vault-agent.nix ./vault-agent-acme.nix ./vault-agent-secrets.nix + ./ssh-ca-vault.nix ]; options.my.specialisationName = lib.mkOption { diff --git a/ops/nixos/lib/ssh-ca-vault.nix b/ops/nixos/lib/ssh-ca-vault.nix new file mode 100644 index 0000000000..f14638e3c6 --- /dev/null +++ b/ops/nixos/lib/ssh-ca-vault.nix @@ -0,0 +1,41 @@ +# SPDX-FileCopyrightText: 2020 Luke Granger-Brown +# +# SPDX-License-Identifier: Apache-2.0 + +{ config, lib, ... }: +let + inherit (lib) listToAttrs nameValuePair mkAfter concatMapStrings; + + keyTypes = [ "ed25519" "rsa" ]; + hostKeyForKeyType = keyType: "/etc/ssh/ssh_host_${keyType}_key.pub"; + secretNameForKeyType = keyType: "openssh-cert-${keyType}"; + + signedPaths = map (keyType: config.my.vault.secrets.${secretNameForKeyType keyType}.path) keyTypes; +in { + config = { + my.vault.secrets = let + hostname = config.networking.hostName; + fromKey = keyType: { + template = '' + {{ with file "${hostKeyForKeyType keyType}" | printf "public_key=%s" | secret "ssh-host/sign/${hostname}" "cert_type=host" "valid_principals=${hostname}.as205479.net,${hostname}.int.as205479.net" }} + {{ .Data.signed_key }} + {{ end }} + ''; + group = "root"; + reloadOrRestartUnits = [ "sshd.service" ]; + }; + in listToAttrs (map (keyType: nameValuePair (secretNameForKeyType keyType) (fromKey keyType)) keyTypes); + + systemd.services.vault-agent.serviceConfig.ReadOnlyPaths = mkAfter (map hostKeyForKeyType keyTypes); + + services.openssh.extraConfig = concatMapStrings (c: "HostCertificate ${c}\n") signedPaths + '' + TrustedUserCAKeys ${../../secrets/client-ca.pub} + AuthorizedPrincipalsFile %h/.ssh/authorized_principals + AuthorizedPrincipalsFile /etc/ssh/authorized_principals.d/%u + ''; + + environment.etc."ssh/authorized_principals.d/root".text = '' + lukegb + ''; + }; +} diff --git a/ops/nixos/lib/vault-agent.nix b/ops/nixos/lib/vault-agent.nix index 354ad30c51..87aef09d1f 100644 --- a/ops/nixos/lib/vault-agent.nix +++ b/ops/nixos/lib/vault-agent.nix @@ -39,7 +39,10 @@ in my.vault.enable = mkDefault true; my.vault.settings = { pid_file = mkDefault "/run/vault-agent/pid"; - vault.address = mkDefault "https://vault.int.lukegb.com"; + vault = { + address = mkDefault "https://vault.int.lukegb.com"; + retry.num_retries = mkDefault 1; + }; auto_auth.method = mkDefault [{ type = "approle"; config = { diff --git a/ops/secrets/client-ca.pub b/ops/secrets/client-ca.pub new file mode 100644 index 0000000000..797f78f428 --- /dev/null +++ b/ops/secrets/client-ca.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqNOwlR7Qa8cbGpDfSCOweDPbAGQOZIcoRgh6s/J8DR vault-clients diff --git a/ops/secrets/server-ca.pub b/ops/secrets/server-ca.pub new file mode 100644 index 0000000000..91a29d8137 --- /dev/null +++ b/ops/secrets/server-ca.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpQayDIvvBUCc1roNzDwT04tG7JuXQg1QlvvNyb/CHT vault-server