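{
  config,
  lib,
  pkgs,
  ...
}:
let
  # Host-wide settings of this flake's own option namespace.
  myOpts = config.x-banananetwork;
  # The sub-namespace this module owns.
  cfg = config.x-banananetwork.secrix;
in
{
  options = {
    x-banananetwork.secrix = {
      enable = lib.mkEnableOption ''
        opinionated common secrix options.
      '';

      hostKeyType = lib.mkOption {
        description = ''
          Type of SSH host key to use.

          option{secrix.hostIdentityFile} will then automatically be set
          to the path set in option{services.openssh.hostKeys}
          for the host key with this type.

          Type names are the same used by
          e.g. option{services.openssh.hostKeys}
          or in OpenSSH `ssh-keygen -t` argument.
        '';
        type = with lib.types; nullOr str;
        default = null;
        example = "rsa";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Require a host public key as soon as at least one secret is declared.
    # Cannot be part of upstream because secrets may also have individual keys,
    # but this configuration does not use any individual keys.
    assertions =
      let
        inherit (builtins) attrValues concatLists;
        secr = config.secrix;
        systemSecrets = attrValues secr.system.secrets;
        # secr.services is an attrset of services, each holding an attrset of
        # secrets; flatten both levels into one list.
        serviceSecrets = concatLists (map attrValues (attrValues secr.services));
        allSecrets = concatLists [
          systemSecrets
          serviceSecrets
        ];
        anySecretDefined = allSecrets != [ ];
      in
      [
        {
          assertion = anySecretDefined -> config.secrix.hostPubKey != null;
          message = "secrix.hostPubKey must be defined";
        }
      ];

    secrix =
      let
        # Look up the generated OpenSSH host key entry with the given type.
        # The two `abort` arguments are evaluated lazily by findSingle, so
        # they only fire on a miss or on an ambiguous match.
        findHostKey =
          keyType:
          lib.lists.findSingle (key: key.type == keyType)
            (abort "cannot find generated OpenSSH host key with type ${keyType}")
            (abort "found multiple generated OpenSSH host keys with type ${keyType}")
            config.services.openssh.hostKeys;
        # Path of the host's private key. This binding is only forced through
        # the mkIf below, so a null hostKeyType never reaches findHostKey
        # (which would otherwise fail when interpolating null).
        hostKeyPrivate = (findHostKey cfg.hostKeyType).path;
      in
      {
        # Public keys secrets are encrypted for, keyed by the configured user name.
        defaultEncryptKeys."${myOpts.userName}" = myOpts.sshPublicKeys;
        # Private host key handed to secrix; mkDefault lets a host override it.
        hostIdentityFile = lib.mkIf (cfg.hostKeyType != null) (lib.mkDefault hostKeyPrivate);
        # Host public key; the assertion above requires it once any secret exists.
        hostPubKey = myOpts.sshHostPublicKey;
      };
  };
}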