Skip to content

Instantly share code, notes, and snippets.

@con-f-use
Created December 27, 2023 22:23
Show Gist options
  • Save con-f-use/c1fc964c1fee19f9c75f41bdf9ea2e7b to your computer and use it in GitHub Desktop.
Save con-f-use/c1fc964c1fee19f9c75f41bdf9ea2e7b to your computer and use it in GitHub Desktop.
SSH Principals nix module
{ config, lib, ... }:
{
options.users.users = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (
{ name, config, ... }: {
options.openssh.authorizedPrincipals = lib.mkOption {
type = lib.types.listOf lib.types.str;
example = ''[ "admins", "developers", "it-personnel" ]'';
description = lib.mdDoc ''
A list of authorized principals that may login as this user.
By signing any ssh public key and including one of these principals
in the signature, the signing authority can authorize the key holder
to login as that user, without needing to change anything on the sshd
host.
(see [SSH Certificate Authentication](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-using_openssh_certificate_authentication)).
'';
default = [];
};
}
)
);
};
config = lib.mkIf config.services.openssh.enabled {
environment.etc = lib.mapAttrs' (
_: { openssh, name, ... }: {
name = "ssh/principals/${name}";
value = {
text = ''${lib.strings.concatMapStrings (x: x + "\n") openssh.authorizedPrincipals}'';
mode = "0644"; # no idea why it has to be world-readable
};
}) (lib.filterAttrs (_: u: u.openssh.authorizedPrincipals != []) config.users.users)
;
services.openssh.extraConfig = ''
AuthorizedPrincipalsFile /etc/ssh/principals/%u
TrustedUserCAKeys /etc/ssh/trusted-user-authorities.crt
'';
};
}
# Configure user authority like so:
# config.environment.etc."ssh/trusted-user-authorities.crt".source = pkgs.fetchurl {
# url = "...";
# hash = ""; # Mandatory! Verify!
# curlOpts = "--insecure"; # fine because hash is checked
# };
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment