depot/ops/nixos/lib/ssh-ca-vault.nix


# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
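{ config, lib, pkgs, ... }:
# SSH certificate trust for this host.
#
# Host side: sshd presents host certificates from /var/lib/secretsmgr/ssh.
# Those files are produced by another service (not defined in this module);
# NOTE(review): confirm that unit is ordered before sshd starts, otherwise
# sshd logs a missing-certificate error and falls back to plain host keys.
#
# User side: certificates signed by the client CA are trusted. The principals
# accepted for a target account are the union of
#   * the account name itself (a certificate carrying principal "alice" may
#     log in as alice — this includes "root", so the CA must treat account
#     names as privileged principals),
#   * /etc/ssh/authorized_principals.d/<user> (system-managed, populated via
#     environment.etc below), and
#   * ~<user>/.ssh/authorized_principals (user-managed; same trust level as
#     authorized_keys).
#
# sshd honours only the FIRST AuthorizedPrincipalsFile directive it reads
# (sshd_config(5): "for each keyword, the first obtained value will be used"),
# so a second AuthorizedPrincipalsFile line would be silently ignored. The
# system-wide directory is therefore served by AuthorizedPrincipalsCommand.
let
  # Directory of per-account principal lists. Files here must be readable by
  # the AuthorizedPrincipalsCommandUser (sshd), which is the case for files
  # managed through environment.etc.
  principalsDir = "/etc/ssh/authorized_principals.d";
in {
  config = {
    services.openssh.extraConfig = ''
      HostCertificate /var/lib/secretsmgr/ssh/ssh_host_ed25519_key-cert.pub
      HostCertificate /var/lib/secretsmgr/ssh/ssh_host_rsa_key-cert.pub
      # Public CA key only: the interpolated path is copied into the
      # world-readable Nix store, so never point this at private material.
      TrustedUserCAKeys ${../../secrets/client-ca.pub}
      AuthorizedPrincipalsCommand /etc/ssh/authorized_principals_cmd %u
      AuthorizedPrincipalsCommandUser sshd
      AuthorizedPrincipalsFile %h/.ssh/authorized_principals
    '';

    # Emits, one per line, the principals accepted for the account named in $1
    # (%u, already validated by sshd). The output is parsed like an
    # authorized_principals file. sshd discards the output if the command
    # exits non-zero, so a missing per-account file must not fail the script.
    environment.etc."ssh/authorized_principals_cmd" = {
      mode = "0555";
      text = ''
        #!${pkgs.stdenv.shell}
        # The account name is always an accepted principal.
        echo "$1"
        # System-managed principals for this account, if any.
        f="${principalsDir}/$1"
        if [ -r "$f" ]; then
          cat -- "$f"
        fi
        exit 0
      '';
    };

    # Principals allowed to log in as root (in addition to "root" itself).
    environment.etc."ssh/authorized_principals.d/root".text = ''
      lukegb
    '';
  };
}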