nixos-servers/nixos/modules/ssh-certificates.nix
{ lib, config, ... }:
let
  inherit (lib) mkIf mkOption types;

  cfg = config.lab.ssh;
  hostName = config.networking.hostName;

  # Certificates are public material, so writing them into the (world-readable)
  # Nix store is acceptable.  Private keys never take this path: they stay
  # age-encrypted in the repository and are referenced only via age.secrets.
  hostCert = builtins.toFile "host_ed25519-cert.pub" cfg.hostCert;
  userCert = builtins.toFile "user_ed25519-cert.pub" cfg.userCert;

  # Option for one PEM-encoded OpenSSH certificate (host or user), supplied
  # inline by the host configuration.
  mkCertOption = role: mkOption {
    type = types.str;
    description = ''
      SSH ${role} certificate
    '';
  };

  # Option for one age-encrypted private key.  The default file name is
  # derived from the host name so each machine picks up its own key.
  mkKeyOption = role: mkOption {
    default = ../secrets/${hostName}_${role}_ed25519.age;
    type = types.path;
    description = ''
      SSH ${role} key
    '';
  };
in
{
  options.lab.ssh = {
    useCertificates = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to use certificates at all.
      '';
    };

    hostCert = mkCertOption "host";
    userCert = mkCertOption "user";
    hostKey = mkKeyOption "host";
    userKey = mkKeyOption "user";
  };

  # Nothing below is applied unless certificates are explicitly enabled.
  config = mkIf cfg.useCertificates {
    # agenix decrypts both keys at activation time; the decrypted paths are
    # taken from config.age.secrets.<name>.path below rather than hard-coded.
    # NOTE(review): agenix presumably applies its root-only default owner/mode
    # to both secrets; that is right for the sshd host key, but it means the
    # system-wide IdentityFile below is readable by root only — confirm that
    # non-root logins are not expected to use this user certificate.
    age.secrets = {
      host_ed25519.file = cfg.hostKey;
      user_ed25519.file = cfg.userKey;
    };

    # sshd offers the certified host key.  The HostKey line is appended to the
    # generated sshd_config, so the host keys NixOS configures by default
    # (services.openssh.hostKeys) are presumably still offered alongside it.
    services.openssh.extraConfig = ''
      HostCertificate ${hostCert}
      HostKey ${config.age.secrets.host_ed25519.path}
    '';

    # System-wide ssh client defaults: present the user certificate together
    # with the matching decrypted private key.
    programs.ssh.extraConfig = ''
      CertificateFile ${userCert}
      IdentityFile ${config.age.secrets.user_ed25519.path}
    '';
  };
}