con-f-use/ssh_principals.nix

## ssh_principals.nix
{ config, lib, ... }:
{
  options.users.users = lib.mkOption {
    type = lib.types.attrsOf (
      lib.types.submodule (
        { name, config, ... }: {
          options.openssh.authorizedPrincipals = lib.mkOption {
            type = lib.types.listOf lib.types.str;
            example = ''[ "admins", "developers", "it-personnel" ]'';
            description = lib.mdDoc ''
              A list of authorized principals that may login as this user.
              By signing any ssh public key and including one of these principals
              in the signature, the signing authority can authorize the key holder
              to login as that user, without needing to change anything on the sshd
              host.
              (see [SSH Certificate Authentication](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-using_openssh_certificate_authentication)).
            '';
            default = [];
          };
        }
      )
    );
  };

  config = lib.mkIf config.services.openssh.enabled {
    environment.etc = lib.mapAttrs' (
      _: { openssh, name, ... }: {
        name = "ssh/principals/${name}";
        value = {
          text = ''${lib.strings.concatMapStrings (x: x + "\n") openssh.authorizedPrincipals}'';
          mode = "0644";  # no idea why it has to be world-readable
        };
      }) (lib.filterAttrs (_: u: u.openssh.authorizedPrincipals != []) config.users.users)
    ;

    services.openssh.extraConfig = ''
      AuthorizedPrincipalsFile /etc/ssh/principals/%u
      TrustedUserCAKeys /etc/ssh/trusted-user-authorities.crt
    '';
  };
}

# Configure user authority like so:
# config.environment.etc."ssh/trusted-user-authorities.crt".source = pkgs.fetchurl {
#   url = "...";
#   hash = "";  # Mandatory! Verify!
#   curlOpts = "--insecure";  # fine because hash is checked
# };
	{ config, lib, ... }:
	{
	options.users.users = lib.mkOption {
	type = lib.types.attrsOf (
	lib.types.submodule (
	{ name, config, ... }: {
	options.openssh.authorizedPrincipals = lib.mkOption {
	type = lib.types.listOf lib.types.str;
	example = ''[ "admins", "developers", "it-personnel" ]'';
	description = lib.mdDoc ''
	A list of authorized principals that may login as this user.
	By signing any ssh public key and including one of these principals
	in the signature, the signing authority can authorize the key holder
	to login as that user, without needing to change anything on the sshd
	host.
	(see [SSH Certificate Authentication](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-using_openssh_certificate_authentication)).
	'';
	default = [];
	};
	}
	)
	);
	};

	config = lib.mkIf config.services.openssh.enabled {
	environment.etc = lib.mapAttrs' (
	_: { openssh, name, ... }: {
	name = "ssh/principals/${name}";
	value = {
	text = ''${lib.strings.concatMapStrings (x: x + "\n") openssh.authorizedPrincipals}'';
	mode = "0644"; # no idea why it has to be world-readable
	};
	}) (lib.filterAttrs (_: u: u.openssh.authorizedPrincipals != []) config.users.users)
	;

	services.openssh.extraConfig = ''
	AuthorizedPrincipalsFile /etc/ssh/principals/%u
	TrustedUserCAKeys /etc/ssh/trusted-user-authorities.crt
	'';
	};
	}

	# Configure user authority like so:
	# config.environment.etc."ssh/trusted-user-authorities.crt".source = pkgs.fetchurl {
	# url = "...";
	# hash = ""; # Mandatory! Verify!
	# curlOpts = "--insecure"; # fine because hash is checked
	# };