diff --git a/flake.nix b/flake.nix
index 74d2683..062a330 100644
--- a/flake.nix
+++ b/flake.nix
@@ -99,53 +99,12 @@
 };
 };
- nixosModules.default = { config, pkgs, lib, ... }: with lib; let cfg = config.services.ssh-cert-dist; in {
- options.services.ssh-cert-dist = {
- enable = mkEnableOption "ssh-cert-dist";
- host = mkOption {
- type = types.str;
- default = "127.0.0.1";
- };
- port = mkOption {
- type = types.port;
- default = 6877;
- };
- package = mkOption {
- type = types.package;
- default = pkgs.ssh-cert-dist;
- };
- dataDir = mkOption {
- type = types.path;
- default = "/var/lib/ssh-cert-dist";
- };
- user = mkOption {
- type = types.str;
- default = "cert-dist";
- };
- group = mkOption {
- type = types.str;
- default = "cert-dist";
- };
- };
- config = mkIf {
- users = {
- users.${cfg.user} = {
- isSystemUser = true;
- group = cfg.group;
- };
- groups.${cfg.group} = { };
-
- };
- systemd.services.ssh-cert-dist = {
- preStart = ''
- chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
- '';
- serviceConfig.User = cfg.user;
- serviceConfig.ExecStart = "${cfg.package}/bin/ssh-cert-dist server --address ${cfg.host}:${toString cfg.port} -c ${cfg.dataDir} --ca ${cfg.ca}";
- };
- };
- };
- homeManagerModules.default = { config, pkgs, lib, ... }: with lib; let cfg = config.services.ssh-cert-dist; in { };
+ nixosModules.default = {
+ imports = [ ./modules/nixos.nix ];
+ };
+ homeManagerModules.default = {
+ imports = [ ./modules/home-manager.nix ];
+ };
 };
diff --git a/modules/home-manager.nix b/modules/home-manager.nix
new file mode 100644
index 0000000..40de4a2
--- /dev/null
+++ b/modules/home-manager.nix
@@ -0,0 +1,2 @@
+{ config, pkgs, lib, ... }: with lib; let cfg = config.services.ssh-cert-dist; in { }
+
diff --git a/modules/nixos.nix b/modules/nixos.nix
new file mode 100644
index 0000000..df1267d
--- /dev/null
+++ b/modules/nixos.nix
@@ -0,0 +1,59 @@
+{ config, pkgs, lib, ... }: with lib; let
+ cfg = config.services.ssh-cert-dist;
+ ca = if isStorePath cfg.ca then cfg.ca else pkgs.writeText "ssh-ca" cfg.ca;
+in
+{
+ options.services.ssh-cert-dist = {
+ enable = mkEnableOption "ssh-cert-dist";
+ host = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ };
+ port = mkOption {
+ type = types.port;
+ default = 6877;
+ };
+ package = mkOption {
+ type = types.package;
+ default = pkgs.ssh-cert-dist;
+ };
+ ca = mkOption {
+ type = with types; either str path;
+ };
+ dataDir = mkOption {
+ type = types.path;
+ default = "/var/lib/ssh-cert-dist";
+ };
+ user = mkOption {
+ type = types.str;
+ default = "cert-dist";
+ };
+ group = mkOption {
+ type = types.str;
+ default = "cert-dist";
+ };
+ };
+ config = mkIf cfg.enable {
+ users = {
+ users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
+ groups.${cfg.group} = { };
+
+ };
+ systemd.services.ssh-cert-dist = {
+ wantedBy = [ "multi-user.target" ];
+ environment.RUST_LOG = "debug";
+ serviceConfig = {
+ ExecStartPre = "+${pkgs.writeShellScript "pre-start" ''
+ mkdir -p ${cfg.dataDir}
+ chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
+ ''}";
+ User = cfg.user;
+ ExecStart = "${cfg.package}/bin/ssh-cert-dist server --address ${cfg.host}:${toString cfg.port} -c ${cfg.dataDir} --ca ${ca}";
+ };
+ };
+ };
+}
+
diff --git a/src/certs.rs b/src/certs.rs
index 54b7289..2e0a26c 100644
--- a/src/certs.rs
+++ b/src/certs.rs
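Review bot: The `ca` binding at the top of modules/nixos.nix only handles two of the shapes the `either str path` option admits: a value that is already a store path, or the key text itself. A Nix path such as `./ca.pub`, or an absolute string such as `"/etc/ssh/ca.pub"`, is not a store path, so it falls into the `else` branch and `pkgs.writeText` produces a store file whose content is that path string rather than the key, which the `--ca` consumer presumably cannot parse. Wrapping only plain key text avoids that: `ca = if isString cfg.ca && !hasPrefix "/" cfg.ca then pkgs.writeText "ssh-ca" cfg.ca else cfg.ca;`, together with a `description` on the `ca` option stating which forms are accepted. Separately, `environment.RUST_LOG = "debug"` is hard-coded for a long-running system service; exposing it as an option with a quieter default limits log volume and whatever request detail the debug level emits. The unit also carries no sandboxing directives (`ProtectSystem`, `ProtectHome`, `NoNewPrivileges`, `PrivateTmp`), which are worth adding for a network-facing service that is started with a root-executed `ExecStartPre`.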
@@ -12,14 +12,18 @@ pub async fn read_certs(
 ca: &PublicKey,
 path: impl AsRef,
 ) -> anyhow::Result> {
- read_dir(path.as_ref().join(ca_dir(ca))).await
+ let ca_dir = path.as_ref().join(ca_dir(ca));
+ if !ca_dir.exists() {
+ return Ok(Vec::new());
+ }
+ read_dir(&ca_dir).await
 }
 #[instrument]
 pub async fn read_dir(path: impl AsRef + Debug) -> anyhow::Result> {
 let mut dir = fs::read_dir(path.as_ref())
 .await
- .context("read certs dir")?;
+ .with_context(|| format!("read certs dir '{:?}'", path.as_ref()))?;
 let mut certs = Vec::new();
 while let Some(entry) = dir.next_entry().await? {
 //TODO: investigate why path().ends_with doesn't work
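Review bot: The new `if !ca_dir.exists()` guard in `read_certs` turns every stat failure into an empty certificate list, because `Path::exists()` returns `false` for permission-denied and other I/O errors as well as for a missing directory; a CA directory that is present but unreadable (for instance after an ownership mix-up under the data dir) would now silently yield no certificates instead of the error that `read_dir` used to report. It is also a blocking std call inside an async fn, whereas the rest of the function awaits `fs::read_dir` (tokio, judging by `next_entry()`). Matching on `fs::metadata(&ca_dir).await` and treating only `ErrorKind::NotFound` as "no certs yet" keeps the behaviour the commit wants while surfacing real failures; the check-then-read race remains, but it can only turn a concurrent removal into an error, never hide one. Two smaller style points: the local `ca_dir` shadows the `ca_dir` function it calls on the same line (`dir` would read better), and `'{:?}'` in the new `with_context` message wraps a Debug-quoted path in a second pair of quotes, so `'{}'` with `.display()` is cleaner. The body of `read_dir` continues past the end of the hunk.
```rust
let ca_dir = path.as_ref().join(ca_dir(ca));
match fs::metadata(&ca_dir).await {
    Ok(_) => {}
    // A missing directory only means no certificates have been issued for this CA yet.
    Err(e) if e.kind() == std::io::ErrorKind::NotFound => return Ok(Vec::new()),
    // Anything else (EACCES, ENOTDIR, ...) is a real problem and must not be masked.
    Err(e) => return Err(e).with_context(|| format!("stat certs dir '{}'", ca_dir.display())),
}
read_dir(&ca_dir).await
```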