# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
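{ config, lib, pkgs, ... }:

# NixOS module: Vault-signed SSH host certificates plus certificate-based
# user authentication for this host.
#
# Flow: vault-agent reads each public host key, asks Vault's SSH secrets
# engine to sign it as a *host* certificate, writes the result to the
# secret's path, and reloads sshd so the new HostCertificate is served.
# On the inbound side sshd trusts user certificates issued by the client CA
# and maps certificate principals to local accounts via the principals
# command / files configured below.
let
  inherit (lib) listToAttrs nameValuePair mkAfter concatMapStrings;

  # Host key types we ask Vault to certify. Each entry must correspond to an
  # existing /etc/ssh/ssh_host_<type>_key.pub generated by sshd.
  keyTypes = [ "ed25519" "rsa" ];

  hostKeyForKeyType = keyType: "/etc/ssh/ssh_host_${keyType}_key.pub";
  secretNameForKeyType = keyType: "openssh-cert-${keyType}";

  # Where vault-agent writes the signed certificates (one file per key type);
  # these become the HostCertificate entries in sshd_config.
  signedPaths = map (keyType: config.my.vault.secrets.${secretNameForKeyType keyType}.path) keyTypes;

  # Directory of per-user principal lists: <principalsDir>/<user> holds the
  # certificate principals allowed to log in as <user>, one per line. It is
  # read by the AuthorizedPrincipalsCommand script below, so the mapping
  # applies regardless of how sshd treats the AuthorizedPrincipalsFile lines.
  principalsDir = "/etc/ssh/authorized_principals.d";
in {
  config = {
    my.vault.secrets = let
      hostname = config.networking.hostName;

      fromKey = keyType: {
        # consul-template pipeline: read the public host key, wrap it as the
        # public_key= argument and POST it to the signing endpoint. The
        # certificate TTL and the principals the role may sign for are
        # governed by the Vault role "ssh-host/sign/<hostname>", not here;
        # the valid_principals requested must be permitted by that role.
        template = ''
          {{ with file "${hostKeyForKeyType keyType}" | printf "public_key=%s" | secret "ssh-host/sign/${hostname}" "cert_type=host" "valid_principals=${hostname}.as205479.net,${hostname}.int.as205479.net" }}
          {{ .Data.signed_key }}
          {{ end }}
        '';
        # A host certificate is public material; root group ownership is only
        # to keep the secret machinery's defaults, not for confidentiality.
        group = "root";
        # sshd only picks up a new HostCertificate on reload/restart.
        reloadOrRestartUnits = [ "sshd.service" ];
      };
    in listToAttrs (map (keyType: nameValuePair (secretNameForKeyType keyType) (fromKey keyType)) keyTypes);

    # vault-agent runs with a restricted filesystem view; it needs read access
    # to the public host keys it submits for signing (public keys only).
    systemd.services.vault-agent.serviceConfig.ReadOnlyPaths = mkAfter (map hostKeyForKeyType keyTypes);

    services.openssh.extraConfig = concatMapStrings (c: "HostCertificate ${c}\n") signedPaths + ''
      # Client CA public key. Interpolating the path copies the file into the
      # world-readable Nix store, which is acceptable only because it is the
      # *public* half; never interpolate the CA private key this way.
      TrustedUserCAKeys ${../../secrets/client-ca.pub}
      # With a principals command/file configured, sshd requires a certificate
      # principal to match one of the returned names; the key ID / username
      # fallback no longer applies. See authorized_principals_cmd below.
      AuthorizedPrincipalsCommand /etc/ssh/authorized_principals_cmd %u
      AuthorizedPrincipalsCommandUser sshd
      AuthorizedPrincipalsFile %h/.ssh/authorized_principals
      # NOTE: sshd keeps only the first AuthorizedPrincipalsFile it parses, so
      # this second entry is not consulted by sshd itself (verify with
      # `sshd -T | grep -i authorizedprincipalsfile`). The principals command
      # reads the same directory, which is what actually makes the per-user
      # mapping effective.
      AuthorizedPrincipalsFile ${principalsDir}/%u
    '';

    environment.etc."ssh/authorized_principals_cmd" = {
      # sshd requires the command to be root-owned, not group/world writable
      # and given as an absolute path; the /etc symlink resolves into the
      # read-only Nix store, which satisfies that check.
      mode = "0555";
      text = ''
        #!${pkgs.stdenv.shell}
        # Prints the certificate principals accepted for the account in $1
        # (sshd's %u), one per line: the account name itself (mirrors sshd's
        # default principal-matches-username rule) plus every name listed in
        # ${principalsDir}/<user>, if that file exists.
        set -eu
        user=$1
        # %u is an existing account name as resolved by sshd, but refuse
        # anything empty or path-like before using it as a file name.
        case "$user" in
          ""|*/*|.*) exit 1 ;;
        esac
        echo "$user"
        if [ -r "${principalsDir}/$user" ]; then
          cat "${principalsDir}/$user"
        fi
      '';
    };

    # Principals allowed to log in as root. Keep this path in sync with
    # principalsDir above; environment.etc keys are relative to /etc.
    environment.etc."ssh/authorized_principals.d/root".text = ''
      lukegb
    '';
  };
}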
|