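{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.clan.sshd.certificate;
in
{
  # SSH host-certificate trust for the clan.
  #
  # When `searchDomains` is non-empty this module
  #   1. declares a clan-wide (shared) ed25519 SSH CA key pair via the
  #      `openssh-ca` vars generator, and
  #   2. registers that CA's public key as a `@cert-authority` known_hosts
  #      entry matching `*.<domain>` for every listed search domain.
  #
  # Security notes:
  #   - The CA private key is never deployed to any machine (`deploy = false`);
  #     only the vars store holds it.
  #   - A host certificate signed by this CA is accepted for ANY name below a
  #     listed domain, so the list must only contain domains you control.
  options = {
    clan.sshd.certificate = {
      # TODO: allow per-server domains that we then collect in the inventory
      #domains = lib.mkOption {
      #  type = lib.types.listOf lib.types.str;
      #  default = [ ];
      #  example = [ "git.mydomain.com" ];
      #  description = "List of domains to include in the certificate. This option will not prepend the machine name in front of each domain.";
      #};

      searchDomains = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        default = [ ];
        example = [ "mydomain.com" ];
        description = ''
          List of domains to include in the certificate. This option will prepend the machine name in front of each domain before adding it to the certificate.

          Every listed domain also becomes a `@cert-authority *.<domain>` entry in the system known_hosts, i.e. clients will trust any host certificate signed by the clan SSH CA for any name under that domain. Only list domains you control.
        '';
      };
    };
  };

  # A single mkIf over the whole config is equivalent to a mkIf per attribute
  # (the module system pushes it down) and avoids repeating the condition.
  config = lib.mkIf (cfg.searchDomains != [ ]) {
    # Shared (clan-wide) CA key pair: `share = true` makes every machine
    # reference the same generator output, so one CA signs all host keys.
    clan.core.vars.generators.openssh-ca = {
      share = true;
      # The private key stays in the vars store; no machine needs it at runtime.
      files.id_ed25519.deploy = false;
      # The public key is not sensitive; it is read at evaluation time below.
      files."id_ed25519.pub" = {
        deploy = false;
        secret = false;
      };
      runtimeInputs = [
        pkgs.openssh
      ];
      # -N "" : no passphrase (the vars store protects the private key).
      # -C "" : drop ssh-keygen's default `user@host` comment so the generating
      #         operator's login/hostname is not embedded in a non-secret,
      #         shared file.
      # "$out" is quoted so an output path containing spaces cannot word-split.
      script = ''
        ssh-keygen -t ed25519 -N "" -C "" -f "$out/id_ed25519"
      '';
    };

    # Trust the CA for every host under each search domain. NixOS renders this
    # as a `@cert-authority` line covering `*.<domain>` for each entry.
    programs.ssh.knownHosts.ssh-ca = {
      certAuthority = true;
      extraHostNames = builtins.map (domain: "*.${domain}") cfg.searchDomains;
      publicKey = config.clan.core.vars.generators.openssh-ca.files."id_ed25519.pub".value;
    };
  };
}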