# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

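{ config, lib, pkgs, ... }:
{
  config = {
    # Certificate-based SSH login.  Host certificates are provided by
    # secretsmgr; user certificates must be signed by the client CA and carry
    # a principal that is accepted for the target account.
    #
    # sshd_config keeps only the FIRST value it reads for a keyword, so a
    # second "AuthorizedPrincipalsFile /etc/ssh/authorized_principals.d/%u"
    # line after the %h one would be silently ignored.  The per-user lists in
    # that directory are therefore served by authorized_principals_cmd below.
    # The %h file and the command output are both consulted by sshd.
    #
    # The CA public key is interpolated as a Nix path, i.e. copied into the
    # (world-readable) store; that is fine because it is the public half only.
    services.openssh.extraConfig = ''
      HostCertificate /var/lib/secretsmgr/ssh/ssh_host_ed25519_key-cert.pub
      HostCertificate /var/lib/secretsmgr/ssh/ssh_host_rsa_key-cert.pub
      TrustedUserCAKeys ${../../secrets/client-ca.pub}
      AuthorizedPrincipalsCommand /etc/ssh/authorized_principals_cmd %u
      AuthorizedPrincipalsCommandUser sshd
      AuthorizedPrincipalsFile %h/.ssh/authorized_principals
    '';

    # AuthorizedPrincipalsCommand: prints one accepted principal per line for
    # the account named by %u.  The account's own name is always accepted;
    # the list in /etc/ssh/authorized_principals.d/<user> is appended when it
    # exists.  Runs as the unprivileged `sshd` user, so every file it reads
    # must be readable by that user (environment.etc symlinks are).
    environment.etc."ssh/authorized_principals_cmd" = {
      mode = "0555";
      text = ''
        #!${pkgs.stdenv.shell}
        user="$1"
        # sshd substitutes %u with an account name.  Refuse anything that is
        # not a plain name instead of building a path from it.
        case "$user" in
          ""|*/*|.*) exit 1 ;;
        esac
        # printf rather than echo so a name starting with "-" is never parsed
        # as an echo option.
        printf '%s\n' "$user"
        list="/etc/ssh/authorized_principals.d/$user"
        if [ -f "$list" ] && [ -r "$list" ]; then
          cat "$list"
        fi
      '';
    };

    # Certificate principals allowed to log in as root, in addition to the
    # implicit "root" principal emitted by the command above.
    environment.etc."ssh/authorized_principals.d/root".text = ''
      lukegb
    '';
  };
}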