diff --git a/flake.nix b/flake.nix
index 062a330..f0ca672 100644
--- a/flake.nix
+++ b/flake.nix
@@ -99,12 +99,12 @@
 };
 };
- nixosModules.default = {
- imports = [ ./modules/nixos.nix ];
- };
- homeManagerModules.default = {
- imports = [ ./modules/home-manager.nix ];
- };
+ nixosModules.default = {
+ imports = [ ./modules/nixos.nix ];
+ };
+ homeManagerModules.default = {
+ imports = [ ./modules/home-manager.nix ];
+ };
 };
diff --git a/modules/home-manager.nix b/modules/home-manager.nix
index 40de4a2..dba572d 100644
--- a/modules/home-manager.nix
+++ b/modules/home-manager.nix
@@ -1,2 +1,75 @@
-{ config, pkgs, lib, ... }: with lib; let cfg = config.services.ssh-cert-dist; in { }
+{ config, pkgs, lib, ... }: with lib; let
+ cfg = config.services.ssh-cert-dist;
+ directoryModule = { name, ... }: {
+ options = {
+ name = mkOption {
+ type = types.str;
+ default = last (splitString "/" name);
+ };
+ fetch = mkOption {
+ type = types.bool;
+ default = true;
+ };
+ upload = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ };
+ };
+in
+{
+ options.services.ssh-cert-dist = {
+ enable = mkEnableOption "ssh-cert-dist";
+ endpoint = mkOption {
+ type = types.str;
+ description = "API endpoint url";
+ };
+ package = mkOption {
+ type = types.package;
+ default = pkgs.ssh-cert-dist;
+ };
+ directories = mkOption {
+ type = with types; attrsOf (submodule directoryModule);
+ default = { };
+ };
+ };
+ config.systemd.user.services = mkIf cfg.enable (mapAttrs'
+ (path: options: {
+ inherit (options) name; value = {
+ Unit.Description = "ssh-cert-dist service for ${path}";
+ Service = {
+ Environment = "RUST_LOG=debug";
+ ExecStart = toString (pkgs.writeShellApplication {
+ name = "ssh-cert-dist-${options.name}";
+ runtimeInputs = [ cfg.package ];
+ text = ''
+ ${optionalString options.fetch ''
+ ssh-cert-dist client fetch --cert-dir '${path}' --api-endpoint '${cfg.endpoint}'
+ ''}
+ ${optionalString options.upload ''
+ ssh-cert-dist client upload --api-endpoint '${cfg.endpoint}' ${path}/*
+ ''}
+ '';
+ });
+ };
+ };
+ })
+ cfg.directories);
+
+ options.programs.ssh-cert-dist = {
+ enable = mkEnableOption "ssh-cert-dist";
+ package = mkOption {
+ type = types.package;
+ default = pkgs.ssh-cert-dist;
+ };
+ endpoint = mkOption {
+ type = types.str;
+ description = "API endpoint url";
+ };
+ };
+ config.home = let cfg = config.programs.ssh-cert-dist; in mkIf cfg.enable {
+ packages = [ cfg.package ];
+ sessionVariables.SSH_CD_API = cfg.endpoint;
+ };
+}
diff --git a/modules/nixos.nix b/modules/nixos.nix
index df1267d..0b543f5 100644
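Review bot: In the generated script `cfg.endpoint` and `path` are spliced into the shell text unescaped, with the fetch line single-quoting them and the upload line leaving `${path}/*` bare, so a quote or whitespace in either value (`endpoint` is a plain `types.str`, `path` an arbitrary attribute name) corrupts the command or its quoting; escape both on both lines, e.g. `ssh-cert-dist client fetch --cert-dir ${escapeShellArg path} --api-endpoint ${escapeShellArg cfg.endpoint}` and `ssh-cert-dist client upload --api-endpoint ${escapeShellArg cfg.endpoint} ${escapeShellArg path}/*`. The generated units carry no `Install` section and no timer, so unless something outside this file starts them they will never run. Because `mapAttrs'` keys the services by `options.name` (the last path component), two directories with the same basename silently collapse into one unit. `RUST_LOG=debug` is hard-coded for every unit; a log-level option would keep debug output out of the user journal by default. Apart from `endpoint`, none of the new options has a description; `fetch`, `upload` and `directories` at least should state what they control.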
--- a/modules/nixos.nix
+++ b/modules/nixos.nix
@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: with lib; let
 cfg = config.services.ssh-cert-dist;
- ca = if isStorePath cfg.ca then cfg.ca else pkgs.writeText "ssh-ca" cfg.ca;
+ ca = if isPath cfg.ca then cfg.ca else pkgs.writeText "ssh-ca" cfg.ca;
 in
 {
 options.services.ssh-cert-dist = {
@@ -44,14 +44,21 @@ in
 };
 systemd.services.ssh-cert-dist = {
 wantedBy = [ "multi-user.target" ];
- environment.RUST_LOG = "debug";
+ environment = {
+ SSH_CD_SOCKET_ADDRESS = "${cfg.host}:${toString cfg.port}";
+ SSH_CD_CERT_DIR = cfg.dataDir;
+ SSH_CD_VALIDATE_EXPIRY = true;
+ SSH_CD_VALIDATE_SERIAL = false;
+ SSH_CD_CA = ca;
+ RUST_LOG = "debug";
+ };
 serviceConfig = {
 ExecStartPre = "+${pkgs.writeShellScript "pre-start" ''
 mkdir -p ${cfg.dataDir}
 chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
 ''}";
 User = cfg.user;
- ExecStart = "${cfg.package}/bin/ssh-cert-dist server --address ${cfg.host}:${toString cfg.port} -c ${cfg.dataDir} --ca ${ca}";
+ ExecStart = "${cfg.package}/bin/ssh-cert-dist server";
 };
 };
 };
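Review bot: Replacing `isStorePath` with `isPath` means every string value of `cfg.ca` — including a string store path, the case the old test covered — is now treated as key contents and written out with `writeText`, which also places that text in the world-readable Nix store. The declaration of `ca` is outside this hunk, so its description should say that the option takes either a path literal or the key text, and, if the server only ever needs the CA's public key, say that explicitly so nobody pastes private material here. A one-line comment above the binding would make the rule visible where it is applied, e.g. `# path literal: used as-is; string: written to the store as the CA file`.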
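Review bot: `SSH_CD_VALIDATE_EXPIRY = true;` and `SSH_CD_VALIDATE_SERIAL = false;` are Nix booleans inside `systemd.services.<name>.environment`, whose NixOS option type, as far as I recall, accepts only strings, paths and packages, so evaluation should reject them — and even if coerced, `toString false` is the empty string, so the variable would be set but empty. Write them as strings in whatever spelling the server's parser accepts, e.g. `SSH_CD_VALIDATE_EXPIRY = "true"; SSH_CD_VALIDATE_SERIAL = "false";`. Disabling serial validation is now a hard-coded, undocumented choice; both flags deserve to be module options with a description of what skipping each check means for certificate acceptance. `SSH_CD_CA = ca;` depends on the `let` binding at the top of the file, which is outside this hunk.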