sshd: add host ssh cert support

2024-11-08 16:14:16 +01:00
parent b54063f173
commit c20085e3c7
5 changed files with 137 additions and 24 deletions
--- a/clanModules/sshd/shared.nix
+++ b/clanModules/sshd/shared.nix
@@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  options = {
+    clan.sshd.certificate = {
+      # TODO: allow per-server domains that we than collect in the inventory
+      #domains = lib.mkOption {
+      #  type = lib.types.listOf lib.types.str;
+      #  default = [ ];
+      #  example = [ "git.mydomain.com" ];
+      #  description = "List of domains to include in the certificate. This option will not prepend the machine name in front of each domain.";
+      #};
+      searchDomains = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+        example = [ "mydomain.com" ];
+        description = "List of domains to include in the certificate. This option will prepend the machine name in front of each domain before adding it to the certificate.";
+      };
+    };
+  };
+  config = {
+    clan.core.vars.generators.openssh-ca =
+      lib.mkIf (config.clan.sshd.certificate.searchDomains != [ ])
+        {
+          share = true;
+          files.id_ed25519.deploy = false;
+          files."id_ed25519.pub" = {
+            deploy = false;
+            secret = false;
+          };
+          runtimeInputs = [
+            pkgs.openssh
+          ];
+          script = ''
+            ssh-keygen -t ed25519 -N "" -f $out/id_ed25519
+          '';
+        };
+  };
+}