From c9bd0696ed88cb3df62137eaeb50c7abffe8c32a Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sun, 13 Mar 2022 00:24:57 +0000
Subject: [PATCH] heptapod: enable SSH CA

---
 nix/docker/heptapod/default.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/nix/docker/heptapod/default.nix b/nix/docker/heptapod/default.nix
index b53887b9df..654cf8707d 100644
--- a/nix/docker/heptapod/default.nix
+++ b/nix/docker/heptapod/default.nix
@@ -23,10 +23,22 @@ in pkgs.dockerTools.buildImage rec {
 diskSize = 8192;
 runAsRoot = ''
 #!{pkgs.runtimeShell}
+cat <<"EOF" >/sshd_ca.pub
+${builtins.readFile ../../../ops/secrets/client-ca.pub}
+EOF
 cat <<"EOF" >/assets/wrapper_wrapper
 #!/bin/bash
 /usr/bin/id hg || /usr/sbin/useradd -g $(id -u git) -u $(id -g git) -o -d /var/opt/gitlab -p "*" hg
 /usr/bin/grep "AllowUsers git hg" /assets/sshd_config || /bin/sed -i "s/AllowUsers git/AllowUsers git hg/" /assets/sshd_config
+/usr/bin/cat <<"EOC" >>/assets/sshd_config
+TrustedUserCAKeys /sshd_ca.pub
+Match User git
+AuthorizedPrincipalsCommandUser root
+AuthorizedPrincipalsCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-principals-check lukegb lukegb
+Match User hg
+AuthorizedPrincipalsCommandUser root
+AuthorizedPrincipalsCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-principals-check lukegb lukegb
+EOC
 exec /assets/wrapper "$@"
 EOF
 chmod ugo=rx /assets/wrapper_wrapper
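Review bot: The appended sshd_config block in wrapper_wrapper is not idempotent, unlike the `grep ... || sed` guard on the line just above it: the `cat <<"EOC" >>/assets/sshd_config` runs unconditionally every time the entrypoint is executed, so a restarted container whose writable layer still holds the modified file accumulates duplicate `TrustedUserCAKeys` and `Match` blocks. Mirror the existing guard, e.g. `/usr/bin/grep -q "TrustedUserCAKeys /sshd_ca.pub" /assets/sshd_config || /usr/bin/cat <<"EOC" >>/assets/sshd_config`. Two further points worth a comment in the Nix string: `AuthorizedPrincipalsCommandUser root` runs the gitlab-shell principals check with more privilege than it needs (it only has to print authorized_keys lines, and the image's existing key check presumably already runs as `git` — confirm), and the hard-coded `lukegb lukegb` arguments mean every certificate the CA signs with principal `lukegb` is mapped to that single key id, so the CA's issuance policy, not sshd, is now the only thing limiting who can log in as `git`/`hg`; `%i` is the sshd token for the certificate's key id if per-certificate identity is wanted. The `runAsRoot` string that contains this script ends outside the hunk.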