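{ config, pkgs, lib, ... }:

# NixOS module for ssh-cert-dist-server, a service that hands out SSH
# certificates over a TCP socket. Everything the server is told comes from
# environment variables (SSH_CD_*), so the options below map 1:1 onto them.
with lib;

let
  cfg = config.services.ssh-cert-dist;

  # Ports below 1024 need CAP_NET_BIND_SERVICE; everything else runs with an
  # empty capability set.
  needsBindCap = cfg.port < 1024;
in
{
  options.services.ssh-cert-dist = {
    enable = mkEnableOption "ssh-cert-dist, an SSH certificate distribution server";

    host = mkOption {
      type = types.str;
      default = "127.0.0.1";
      description = ''
        Address the server binds to (the host part of `SSH_CD_SOCKET_ADDRESS`).
        The default keeps the service on loopback only. This module configures
        no transport security or client authentication for the socket, so only
        widen this behind a firewall or an authenticating reverse proxy.
      '';
    };

    port = mkOption {
      type = types.port;
      default = 6877;
      description = "TCP port the server listens on.";
    };

    package = mkOption {
      type = types.package;
      default = pkgs.ssh-cert-dist-server;
      defaultText = literalExpression "pkgs.ssh-cert-dist-server";
      description = "Package providing {command}`sshcd-server`.";
    };

    ca = mkOption {
      type = types.path;
      description = ''
        Path to the CA material handed to the server via `SSH_CD_CA`.
        Give an absolute path string (e.g. `"/var/lib/ssh-cert-dist/ca"`),
        not a path literal: a path literal such as `./ca` is copied into the
        world-readable Nix store, which must not happen if this file contains
        a private key. The file has to be readable by {option}`user`.
      '';
    };

    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/ssh-cert-dist";
      description = ''
        Directory holding the distributed certificates (`SSH_CD_CERT_DIR`).
        It is created with mode 0750 and owned by {option}`user`:{option}`group`.
      '';
    };

    user = mkOption {
      type = types.str;
      default = "cert-dist";
      description = "System user the server runs as; created by this module.";
    };

    group = mkOption {
      type = types.str;
      default = "cert-dist";
      description = "Group the server runs as; created by this module.";
    };

    validateExpiry = mkOption {
      type = types.bool;
      default = true;
      description = "Whether the server checks certificate expiry (`SSH_CD_VALIDATE_EXPIRY`).";
    };

    validateSerial = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether the server checks certificate serial numbers
        (`SSH_CD_VALIDATE_SERIAL`). Off by default to match the previous
        hard-coded value; if your CA issues serials you rely on for revocation,
        turn this on.
      '';
    };

    logLevel = mkOption {
      type = types.str;
      default = "info";
      example = "debug";
      description = ''
        `RUST_LOG` filter for the server. `debug` output of a certificate
        service may record per-request details in the journal, so raise the
        level deliberately rather than running with it permanently.
      '';
    };
  };

  config = mkIf cfg.enable {
    users.users.${cfg.user} = {
      isSystemUser = true;
      group = cfg.group;
      description = "ssh-cert-dist service user";
    };
    users.groups.${cfg.group} = { };

    # Create the certificate directory declaratively instead of from a root
    # ExecStartPre shell snippet: no unquoted path interpolation, and an
    # existing directory gets its ownership and mode corrected as well.
    systemd.tmpfiles.rules = [
      "d '${cfg.dataDir}' 0750 ${cfg.user} ${cfg.group} - -"
    ];

    systemd.services.ssh-cert-dist = {
      description = "ssh-cert-dist SSH certificate distribution server";
      wantedBy = [ "multi-user.target" ];
      # The server binds a socket at startup; wait for the network stack.
      after = [ "network.target" ];

      environment = {
        SSH_CD_SOCKET_ADDRESS = "${cfg.host}:${toString cfg.port}";
        SSH_CD_CERT_DIR = cfg.dataDir;
        SSH_CD_VALIDATE_EXPIRY = boolToString cfg.validateExpiry;
        SSH_CD_VALIDATE_SERIAL = boolToString cfg.validateSerial;
        SSH_CD_CA = cfg.ca;
        RUST_LOG = cfg.logLevel;
      };

      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
        ExecStart = "${cfg.package}/bin/sshcd-server";
        Restart = "on-failure";

        # Sandboxing. The server is only known to read the CA file, read and
        # write dataDir, and bind one TCP socket; if it turns out to need more,
        # loosen the matching directive rather than dropping the whole set.
        ProtectSystem = "strict";
        ReadWritePaths = [ cfg.dataDir ];
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        NoNewPrivileges = true;
        CapabilityBoundingSet = if needsBindCap then [ "CAP_NET_BIND_SERVICE" ] else "";
        AmbientCapabilities = optional needsBindCap "CAP_NET_BIND_SERVICE";
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" ];
      };
    };
  };
}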