# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

{ config, lib, pkgs, ... }:
let
  inherit (lib) listToAttrs nameValuePair mkAfter concatMapStrings;

  #keyTypes = [ "ed25519" "rsa" ];
  keyTypes = [ ];
  hostKeyForKeyType = keyType: "/etc/ssh/ssh_host_${keyType}_key.pub";
  secretNameForKeyType = keyType: "openssh-cert-${keyType}";

  signedPaths = map (keyType: config.my.vault.secrets.${secretNameForKeyType keyType}.path) keyTypes;
in {
  config = {
    my.vault.secrets = let
      hostname = config.networking.hostName;
      fromKey = keyType: {
        template = ''
          {{ with file "${hostKeyForKeyType keyType}" | printf "public_key=%s" | secret "ssh-host/sign/${hostname}" "cert_type=host" "valid_principals=${hostname}.as205479.net,${hostname}.int.as205479.net" }}
          {{ .Data.signed_key }}
          {{ end }}
        '';
        group = "root";
        reloadOrRestartUnits = [ "sshd.service" ];
      };
    in listToAttrs (map (keyType: nameValuePair (secretNameForKeyType keyType) (fromKey keyType)) keyTypes);

    systemd.services.vault-agent.serviceConfig.ReadOnlyPaths = mkAfter (map hostKeyForKeyType keyTypes);

    services.openssh.extraConfig = concatMapStrings (c: "HostCertificate ${c}\n") signedPaths + ''
      TrustedUserCAKeys ${../../secrets/client-ca.pub}
      AuthorizedPrincipalsCommand /etc/ssh/authorized_principals_cmd %u
      AuthorizedPrincipalsCommandUser sshd
      AuthorizedPrincipalsFile %h/.ssh/authorized_principals
      AuthorizedPrincipalsFile /etc/ssh/authorized_principals.d/%u
    '';
    environment.etc."ssh/authorized_principals_cmd" = {
      mode = "0555";
      text = ''
        #!${pkgs.stdenv.shell}
        echo "$1"
      '';
    };

    environment.etc."ssh/authorized_principals.d/root".text = ''
      lukegb
    '';
  };
}