openssh: certificate authority

1 files changed, 27 insertions, 16 deletions

diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index d54ea6f3..048a948f 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -1,33 +1,39 @@
 { customUtils, lib, config, hostName, pkgs, ... }:
 {
   config = {
-    programs.ssh.knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.nixImport { dir = ./known-hosts; }));
-    programs.ssh.knownHostsFiles = [
-      ./known-hosts/borgbase.keys
-    ];
-
     systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
 
     services.openssh = lib.mkIf config.services.openssh.enable {
-      hostKeys = [
-        { path = "/etc/ssh/ssh_host_rsa_key";
-          type = "rsa";
-        }
-        { path = "/etc/ssh/ssh_host_ed25519_key";
-          type = "ed25519";
-        }
-      ];
+      hostKeys = lib.mkForce []; # done manually
       ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
       macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
       kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
       moduliFile = config.sops.secrets.ssh_moduli.path;
       extraConfig = ''
         HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+        CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+
+        HostKey /etc/ssh/ssh_host_ed25519_key
+        HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+        HostKey /etc/ssh/ssh_host_rsa_key
+        HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+        RevokedKeys /etc/ssh/krl.bin
       '';
       logLevel = "VERBOSE";
     };
 
     programs.ssh = {
+      knownHosts = {
+        "*.yggdrasil.li" = {
+          extraHostNames = ["*.yggdrasil"];
+          certAuthority = true;
+          publicKeyFile = ./ca/ca.pub;
+        };
+      };
+      knownHostsFiles = [
+        ./known-hosts/borgbase.keys
+      ];
+
       ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
       hostKeyAlgorithms = [ "sk-ssh-ed25519-cert-v01@openssh.com" "ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-256-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "sk-ssh-ed25519@openssh.com" "ssh-ed25519" "rsa-sha2-256" "rsa-sha2-512" ];
       kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
@@ -35,7 +41,7 @@
       pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ];
       extraConfig = ''
         Host *
-          UseRoaming no
+          CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
       '';
     };
 
@@ -58,8 +64,13 @@
     };
 
     environment.etc = lib.mkIf config.services.openssh.enable {
-      "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey;
-      "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey;
+      "ssh/ssh_host_rsa_key.pub".source = ./known-hosts + "/${hostName}/rsa.pub";
+      "ssh/ssh_host_ed25519_key.pub".source = ./known-hosts + "/${hostName}/ed25519.pub";
+
+      "ssh/ssh_host_rsa_key-cert.pub".source = ./known-hosts + "/${hostName}/rsa-cert.pub";
+      "ssh/ssh_host_ed25519_key-cert.pub".source = ./known-hosts + "/${hostName}/ed25519-cert.pub";
+
+      "ssh/krl.bin".source = ./ca/krl.bin;
     };
 
     environment.systemPackages = lib.mkIf config.services.openssh.enable (with pkgs; [