| author | Emily <vcs@emily.moe> | 2024-08-01 09:24:02 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-08-01 09:24:02 +0100 |
| commit | b47af8628624856ad6853168298f1f96364d92d6 (patch) | |
| tree | 36e778130cd16545a473651940af84b7202f21f8 /modules/programs/ssh | |
| parent | 7e08a9dd34314fb8051c28b231a68726c54daa7b (diff) | |
| parent | cf45edbf271a638637d4f1a824c429d7649ecbd5 (diff) | |
Merge pull request #1022 from Mic92/ssh
programs.ssh: add certificate authorities
Diffstat (limited to 'modules/programs/ssh')
| -rw-r--r-- | modules/programs/ssh/default.nix | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/modules/programs/ssh/default.nix b/modules/programs/ssh/default.nix index 6f72369..51c7796 100644 --- a/modules/programs/ssh/default.nix +++ b/modules/programs/ssh/default.nix @@ -11,6 +11,14 @@ let { name, ... }: { options = { + certAuthority = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + This public key is an SSH certificate authority, rather than an + individual host's key. + ''; + }; hostNames = mkOption { type = types.listOf types.str; default = []; @@ -139,7 +147,7 @@ in { "ssh/ssh_known_hosts" = mkIf (builtins.length knownHosts > 0) { text = (flip (concatMapStringsSep "\n") knownHosts (h: assert h.hostNames != []; - concatStringsSep "," h.hostNames + " " + lib.optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " " + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile) )) + "\n"; }; |
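Review bot: The `certAuthority` description in the first hunk does not say how the entry's `hostNames` are interpreted once the flag is set. For a `@cert-authority` line those names are the host patterns for which certificates signed by this key are accepted, so a broad pattern widens trust far more than it does for a single host key. I would extend the description with something like `When set, hostNames lists the host patterns this CA is trusted to sign for; keep the list as narrow as possible.` The option set continues outside the hunk, so the key options defined there may want a matching remark that they then hold the CA's public key.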
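Review bot: In the second hunk the `@cert-authority ` prefix is prepended once per entry, so it covers only the first line of whatever `readFile h.publicKeyFile` returns. If that file held more than one key line, the remaining lines would be written without the marker or host names and would presumably be skipped as malformed, silently dropping those CAs. A comment above the expression such as `# one key per entry: the marker and host names are only prepended to the first line` would make the single-key assumption explicit. The enclosing attribute set starts and ends outside the hunk.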
