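# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
#
# SPDX-License-Identifier: Apache-2.0

# SSH certificate wiring for a host enrolled with Vault:
#   * vault-agent renders a Vault-signed host certificate for every host key
#     type (via the `ssh-host` SSH secrets engine) and reloads sshd on change;
#   * sshd presents those certificates (HostCertificate) and trusts user
#     certificates issued by the client CA (TrustedUserCAKeys);
#   * a principals command decides which certificate principals may log in
#     as which local account.
{ config, lib, pkgs, ... }:
let
  inherit (lib) listToAttrs nameValuePair mkAfter concatMapStrings;

  # Host key types that get a certificate (NixOS generates both by default).
  keyTypes = [ "ed25519" "rsa" ];
  # Public half of the host key that is handed to Vault for signing.
  hostKeyForKeyType = keyType: "/etc/ssh/ssh_host_${keyType}_key.pub";
  # Name of the vault-agent secret, and hence of the rendered certificate.
  secretNameForKeyType = keyType: "openssh-cert-${keyType}";
  # On-disk paths of the rendered certificates, as exposed by my.vault.secrets.
  signedPaths =
    map (keyType: config.my.vault.secrets.${secretNameForKeyType keyType}.path)
      keyTypes;

  # Root-managed principal mappings: <principalsDir>/<user> lists the
  # certificate principals that are allowed to log in as <user>.
  principalsDirEtc = "ssh/authorized_principals.d";
  principalsDir = "/etc/${principalsDirEtc}";
in
{
  config = {
    my.vault.secrets =
      let
        hostname = config.networking.hostName;
        fromKey = keyType: {
          # consul-template: read the public key, ask Vault's SSH secrets
          # engine for a host certificate bound to this host's FQDNs, and
          # write out only the signed key.
          template = ''
            {{ with file "${hostKeyForKeyType keyType}" | printf "public_key=%s" | secret "ssh-host/sign/${hostname}" "cert_type=host" "valid_principals=${hostname}.as205479.net,${hostname}.int.as205479.net" }}
            {{ .Data.signed_key }}
            {{ end }}
          '';
          # The certificate is public; root-group ownership is only for tidiness.
          group = "root";
          # sshd only picks up a re-issued HostCertificate on reload.
          reloadOrRestartUnits = [ "sshd.service" ];
        };
      in
      listToAttrs
        (map (keyType: nameValuePair (secretNameForKeyType keyType) (fromKey keyType))
          keyTypes);

    # Make the host public keys visible to vault-agent (only matters if the
    # unit restricts its filesystem view elsewhere); mkAfter keeps any
    # ReadOnlyPaths another module already set.
    systemd.services.vault-agent.serviceConfig.ReadOnlyPaths =
      mkAfter (map hostKeyForKeyType keyTypes);

    services.openssh.extraConfig =
      concatMapStrings (c: "HostCertificate ${c}\n") signedPaths
      + ''
        # User certificates signed by this CA are accepted for any account;
        # which principals map to which account is decided below.  The file is
        # a public key, so copying it into the world-readable Nix store is
        # fine -- never reference private material with a ''${path} like this.
        TrustedUserCAKeys ${../../secrets/client-ca.pub}
        # Principal resolution.  sshd honours only ONE AuthorizedPrincipalsFile
        # (first value wins; it is not multi-valued like AuthorizedKeysFile),
        # so the root-managed ${principalsDir}/<user> lookup lives in the
        # command rather than in a second AuthorizedPrincipalsFile line.
        # The per-user file works like authorized_keys: a user may widen
        # which principals reach their own account, nobody else's.
        AuthorizedPrincipalsCommand /etc/ssh/authorized_principals_cmd %u
        AuthorizedPrincipalsCommandUser sshd
        AuthorizedPrincipalsFile %h/.ssh/authorized_principals
      '';

    # Target of AuthorizedPrincipalsCommand.  sshd insists the program is
    # root-owned and not group/world-writable; giving environment.etc an
    # explicit mode makes it a real 0555 file rather than a store symlink.
    environment.etc."ssh/authorized_principals_cmd" = {
      mode = "0555";
      text = ''
        #!${pkgs.stdenv.shell}
        # Usage: authorized_principals_cmd <username>
        # Prints, one per line, the certificate principals that may log in as
        # <username>:
        #   1. <username> itself -- restores sshd's built-in "principal equals
        #      account name" rule, which sshd switches off as soon as any
        #      principals file or command is configured;
        #   2. the contents of ${principalsDir}/<username>, if present, for
        #      root-managed mappings (e.g. which people may become root).
        # Exiting non-zero, or printing nothing, denies certificate login.
        set -eu
        user="$1"
        # sshd passes the canonical passwd name, but refuse anything that
        # could escape the directory anyway.
        case "$user" in
          ""|*/*|.|..) exit 1 ;;
        esac
        # printf rather than echo: a name such as "-n" must not be eaten as
        # an option.
        printf '%s\n' "$user"
        if [ -f "${principalsDir}/$user" ]; then
          cat "${principalsDir}/$user"
        fi
      '';
    };

    # A certificate carrying the principal "lukegb" may log in as root.  Note
    # that rule 1 of the command also admits a certificate whose principals
    # include the literal "root"; if that is unwanted, refuse to issue such
    # certificates at the CA.
    environment.etc."${principalsDirEtc}/root".text = ''
      lukegb
    '';
  };
}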