authorJörg Thalheim <joerg@thalheim.io>2024-07-31 19:34:17 +0200
committerJörg Thalheim <joerg@thalheim.io>2024-07-31 19:34:17 +0200
commitcf45edbf271a638637d4f1a824c429d7649ecbd5 (patch)
tree36e778130cd16545a473651940af84b7202f21f8 /modules/programs/ssh/default.nix
parent7e08a9dd34314fb8051c28b231a68726c54daa7b (diff)
programs.ssh: add certificate authorities
Diffstat (limited to 'modules/programs/ssh/default.nix')
-rw-r--r--modules/programs/ssh/default.nix10
1 files changed, 9 insertions, 1 deletions
diff --git a/modules/programs/ssh/default.nix b/modules/programs/ssh/default.nix
index 6f72369..51c7796 100644
--- a/modules/programs/ssh/default.nix
+++ b/modules/programs/ssh/default.nix
@@ -11,6 +11,14 @@ let
{ name, ... }:
{
options = {
+ certAuthority = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ This public key is an SSH certificate authority, rather than an
+ individual host's key.
+ '';
+ };
hostNames = mkOption {
type = types.listOf types.str;
default = [];
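Review bot: The new option at the top of the hunk is written as `lib.mkOption` / `lib.types.bool`, while the sibling `hostNames` option directly below it uses the unqualified `mkOption` / `types.listOf`, so those names are evidently already in scope in this file; the hunk at line 147 has the same mismatch, with `lib.optionalString` next to the unqualified `concatStringsSep` and `readFile` on the same line. Both spellings evaluate identically, but mixing them inside one module reads as if two authors wrote it; `certAuthority = mkOption { type = types.bool; ... }` would match its neighbours. The description could also tell the reader what the flag changes in the generated file, e.g. `This key is written to ssh_known_hosts with the @cert-authority marker, so host certificates signed by it are accepted for the listed host names.`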
@@ -139,7 +147,7 @@ in
{ "ssh/ssh_known_hosts" = mkIf (builtins.length knownHosts > 0) {
text = (flip (concatMapStringsSep "\n") knownHosts
(h: assert h.hostNames != [];
- concatStringsSep "," h.hostNames + " "
+ lib.optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
+ (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
)) + "\n";
};
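Review bot: Once `@cert-authority ` is prepended at line 147 the entry no longer pins one host key: OpenSSH will accept any host certificate signed by this key for every host matching `h.hostNames`, and the only check in the expression is the pre-existing `assert h.hostNames != [];`, so a broad pattern such as `*` silently extends that trust to every host. The module cannot validate the pattern itself, so the `certAuthority` option's description (hunk at line 11) is the place to say that CA entries should use narrowly scoped host-name patterns rather than a catch-all. The `"ssh/ssh_known_hosts"` attribute and the surrounding `let … in` begin outside the hunk.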