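# Opinionated secrix wiring for one host: the operator's SSH public keys become
# the default encryption recipients, and the generated OpenSSH host key is
# reused as this host's decryption identity.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  # Host-wide settings (userName, sshPublicKeys, sshHostPublicKey) are declared
  # elsewhere under x-banananetwork; this module only consumes them.
  myOpts = config.x-banananetwork;
  cfg = config.x-banananetwork.secrix;
in
{
  options = {
    x-banananetwork.secrix = {
      enable = lib.mkEnableOption ''
        opinionated common secrix options.
      '';
      hostKeyType = lib.mkOption {
        description = ''
          Type of SSH host key to use.
          option{secrix.hostIdentityFile} will then automatically be set
          to the path set in option{services.openssh.hostKeys}
          for the host key with this type.
          Type names are the same used by
          e.g. option{services.openssh.hostKeys}
          or in OpenSSH `ssh-keygen -t` argument.
          When null, this module does not set the host identity file at all.
        '';
        type = with lib.types; nullOr str;
        default = null;
        example = "rsa";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # cannot be part of upstream because secrets may also have individual keys
    # but I will not use any individual keys
    assertions =
      let
        inherit (builtins) attrValues concatLists;
        secr = config.secrix;
        systemSecrets = attrValues secr.system.secrets;
        # NOTE(review): this flattens the attribute *values* of every service
        # entry, not only that service's secrets, so any defined service counts
        # as "a secret is defined". Confirm against the secrix services submodule
        # whether that is the intended (conservative) behaviour.
        serviceSecrets = concatLists (map attrValues (attrValues secr.services));
        allSecrets = concatLists [
          systemSecrets
          serviceSecrets
        ];
        anySecretDefined = allSecrets != [ ];
      in
      [
        {
          # Without a host public key nothing can be encrypted for this host;
          # fail at evaluation time rather than at activation.
          assertion = anySecretDefined -> config.secrix.hostPubKey != null;
          message = "secrix.hostPubKey must be defined (it is taken from x-banananetwork.sshHostPublicKey)";
        }
      ];

    secrix =
      let
        # Select the single generated OpenSSH host key of the requested type.
        # `abort` (not `throw`) turns a missing or ambiguous key into a hard
        # evaluation failure, so the host can never silently lack an identity.
        # Both abort values are passed lazily and only fire if they are the
        # result that gets forced.
        findHostKey =
          keyType:
          lib.lists.findSingle (key: key.type == keyType)
            (abort "cannot find generated OpenSSH host key with type ${keyType}")
            (abort "found multiple generated OpenSSH host keys with type ${keyType}")
            config.services.openssh.hostKeys;
        # Only forced when hostKeyType != null (see the mkIf below).
        hostKeyPrivate = (findHostKey cfg.hostKeyType).path;
      in
      {
        # Every secret is encrypted for the operator's own SSH keys by default.
        defaultEncryptKeys."${myOpts.userName}" = myOpts.sshPublicKeys;
        # The sshd host *private* key doubles as the decryption identity, so its
        # on-disk permissions are what protect every secret on this host.
        # NOTE(review): sshd generates that file on first start; confirm secrix
        # decrypts late enough (or the key is pre-provisioned) and that the
        # chosen key type is one secrix accepts as an identity.
        hostIdentityFile = lib.mkIf (cfg.hostKeyType != null) (lib.mkDefault hostKeyPrivate);
        hostPubKey = myOpts.sshHostPublicKey;
      };
  };
}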