add systemd unit to setup host with vault ssh ca

nix/common.nix

@@ -934,6 +934,7 @@ in {
       gatewayPorts = "yes";
       permitRootLogin = "yes";
       startWhenNeeded = true;
+      extraConfig = "Include /etc/ssh/sshd_config_*";
     };
     ttyd = {
       enable = prefs.enableTtyd;
@@ -2104,7 +2105,8 @@ in {
         # I need allowedNetwork so I will use extraOptions instead of devices.
         devices = let
           mkDevice = { name, id, introducer ? true
-            , allowedNetworks ? [ "!10.144.0.0/16" "0.0.0.0/0" ], ... }: {
+            , allowedNetworks ? [ "!10.144.0.0/16" "0.0.0.0/0" "::/0" ], ...
+            }: {
               deviceID = id;
               inherit name introducer allowedNetworks;
             };
@@ -3348,6 +3350,92 @@ in {
           '';
         };
 
+        vault-ssh-ca-setup = let
+          vault-server-init-script =
+            pkgs.writeShellScript "vault-ssh-ca-setup-server" ''
+              vault secrets enable -path=ssh-host-signer ssh
+              vault write ssh-host-signer/config/ca generate_signing_key=true
+              vault secrets enable -path=ssh-client-signer ssh
+              vault write ssh-client-signer/config/ca generate_signing_key=true
+                          '';
+          vault-host-init-script =
+            pkgs.writeShellScript "vault-ssh-ca-setup-host" ''
+              vault write ssh-host-signer/roles/ssh-host key_type=ca ttl=87600h allow_host_certificates=true allowed_domains="localdomain,example.com" allow_subdomains=true algorithm_signer=rsa-sha2-512
+              vault secrets tune -max-lease-ttl=87600h ssh-host-signer
+              vault policy write ssh-host -<<"EOH"
+              path "ssh-host-signer/sign/ssh-host" {  capabilities = [ "create", "update" ]}
+              path "ssh-client-signer/config/ca" {  capabilities = [ "read" ]}
+              EOH
+              vault write auth/approle/role/ssh-host policies="ssh-host" token_ttl=1h token_max_ttl=4h
+              VAULT_HOST_ROLE_ID=$(vault read -format=json auth/approle/role/ssh-host/role-id | jq -r ".data.role_id") VAULT_HOST_SECRET_ID=$(vault write -f -format=json auth/approle/role/ssh-host/secret-id | jq -r ".data.secret_id")
+              VAULT_HOST_TOKEN="$(vault write -format json auth/approle/login role_id=$VAULT_HOST_ROLE_ID secret_id=$VAULT_HOST_SECRET_ID | jq -r ".auth.client_token")"
+              VAULT_TOKEN=$VAULT_HOST_TOKEN vault write -field=signed_key ssh-host-signer/sign/ssh-host cert_type=host public_key=@/etc/ssh/ssh_host_ed25519_key.pub | tee /etc/ssh/ssh_host_ed25519_key-cert.pub
+                          '';
+          vault-client-init-script =
+            pkgs.writeShellScript "vault-ssh-ca-setup-client" ''
+              # Only root user is allowed to connect.
+              # https://github.com/hashicorp/vault/blob/6da5bce9a0078a2e0856e365cb4dd350b77af6cb/website/content/docs/secrets/ssh/signed-ssh-certificates.mdx#name-is-not-a-listed-principal
+              vault write ssh-client-signer/roles/ssh-root-user -<<"EOH"
+              {
+                "allow_user_certificates": true,
+                "allowed_users": "*",
+                "allowed_extensions": "permit-pty,permit-port-forwarding",
+                "default_extensions": [
+                  {
+                    "permit-pty": ""
+                  }
+                ],
+                "key_type": "ca",
+                "default_user": "root",
+                "algorithm_signer": "rsa-sha2-512",
+                "ttl": "30m0s"
+              }
+              EOH
+              vault policy write ssh-root-user -<<"EOH"
+              path "ssh-client-signer/sign/ssh-root-user" {  capabilities = ["create", "update"]}
+              path "ssh-client-signer/config/ca" {  capabilities = [ "read" ]}
+              path "ssh-host-signer/config/ca" {  capabilities = [ "read" ]}
+              EOH
+              vault write auth/approle/role/ssh-root-user policies="ssh-root-user" token_ttl=6h token_max_ttl=12h
+              VAULT_ROOT_USER_ROLE_ID=$(vault read -format=json auth/approle/role/ssh-root-user/role-id | jq -r ".data.role_id") VAULT_ROOT_USER_SECRET_ID=$(vault write -f -format=json auth/approle/role/ssh-root-user/secret-id | jq -r ".data.secret_id")
+              VAULT_ROOT_USER_TOKEN="$(vault write -format json auth/approle/login role_id=$VAULT_ROOT_USER_ROLE_ID secret_id=$VAULT_ROOT_USER_SECRET_ID | jq -r ".auth.client_token")"
+              ssh-keygen -f id_ed25519 -t ed25519 -P ""
+              VAULT_TOKEN=$VAULT_ROOT_USER_TOKEN vault write -field=signed_key ssh-client-signer/sign/ssh-root-user public_key=@id_ed25519.pub | tee id_ed25519-cert.pub
+              echo "@cert-authority * $(VAULT_TOKEN=$VAULT_ROOT_USER_TOKEN vault read -field=public_key ssh-host-signer/config/ca)" | tee -a ~/.ssh/known_hosts
+                          '';
+        in {
+          enable = true;
+          description = "Setup Vault CA Certificate";
+          after = [ "network.target" ];
+          path = [ pkgs.vault pkgs.jq pkgs.file pkgs.glibc ];
+          script = ''
+            set -euo pipefail
+            # see ${vault-server-init-script} for some vault server setup instructions
+            # see ${vault-host-init-script} for some vault host setup instructions
+            # see ${vault-client-init-script} for some vault client setup instructions
+            export VAULT_TOKEN="$(vault write -format json auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID" | jq -r ".auth.client_token")"
+            if ca="$(vault read -field=public_key ssh-client-signer/config/ca)" && [[ -n "$ca" ]] ; then
+                echo "$ca" > /etc/ssh/trusted-user-ca-keys.pem
+            else
+                exit 1
+            fi
+            if signed_key="$(vault write -field=signed_key ssh-host-signer/sign/ssh-host cert_type=host public_key=@/etc/ssh/ssh_host_ed25519_key.pub)" && [[ -n "$signed_key" ]]; then
+                echo "$signed_key" > /etc/ssh/ssh_host_ed25519_key-cert.pub
+            else
+                exit 1
+            fi
+            cat > /etc/ssh/sshd_config_vault <<EOF
+            TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
+            HostKey /etc/ssh/ssh_host_ed25519_key
+            HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+            EOF
+          '';
+          serviceConfig = {
+            Type = "simple";
+            EnvironmentFile = "/run/secrets/vault-ssh-ca-setup-env";
+          };
+        };
+
         local-transparent-proxy-setup = {
           enable = true;
           description =

nix/generate-nixos-configuration.nix

@@ -92,6 +92,7 @@ let
             group = prefs.ownerGroup;
           };
           openldap-root-password = { };
+          vault-ssh-ca-setup-env = { };
           postgresql-env = { };
           postgresql-backup-env = { };
           postgresql-initdb-script = { mode = "0500"; };

nix/sops/secrets.yaml

@@ -11,6 +11,7 @@ postgresql-init-script: ""
 postgresql-initdb-script: ENC[AES256_GCM,data:3oX5XkTCDLMZpRjzGXDoZ1Rz51Ociy/DhHd3tXcKoGM2QeuP2oW4FSdTgZAJE16SPRWCpv5KCD4AoC1BLfVzY0W7zB+UbSrC7lMo84DOhsgbKV4VV/LF+xGrsyHkVm1PHmhe7zEWECkdIqWinbDEWuz55vLvu2V29YLo5mtCUqeDqNpnx4a7rUThIW2qQa75Mso3xb3dVXG8vIWKAU6wXGf4rrYiAPc32RYWYxQ8EICcSoZXs+EkPsVge82hBCmAqNfsg8w/bD5wm11rHGYLfcHuQG1FVXE6j19VU2OmwkOP3q4HueRpsKRjlROINWaLUiZIzDxkMC/URKtvxSSUskNUb717DTK//q7rGx2c5n000egFaDkLQuPztCxw3wKLp0Xygv7sfDvulIIAJIdIjLUuIYfGDu/ZLAK5JOPhf6yicLghDpm2OTwWJLJ479d6KBrNF6BwrEK+TnjnCc/c/y39xq/61bKt+6YFOK+rqOLi0WIsI++r4yNWGnvQz9zLuJk2YAZglK5Z5jkcC2sD1oxloOmPunyvdg0OaVw9Lx46Ycygcj8ZhZL5QRCMvIfb9D5PnGMIIDjKKYIwZQU7LcDH8M4AJdG3Z3CHthk4qWa30RJ+DhrquSvpXIpSF9sC2uCorVaRtY42/eW7jbCzLjYPsG+sQKdAw7KzW0VGVZEiP6WLmgnYvM7dUQQ+bODMM7dpY7ycNoHY4YUzZxwdBJR4L25bs680fudHZ9Ynf1/Ed9A6myjbuiA8pAu23GhquOjo8zxnDwHioeSeCdAPTWouX+2vjw2eqeedF1qmQMCUYuaduST3o8dyyzHw0K1xxOB3ptg/eGta09ADNhZlUWXKuMEkIj0lEDi+cXQ3BfH4wUEu6Wgfh4jAaFq63tmXhA/P+RDpIk2qqRTXwBEmEHnKeW5uYRlXgezMVEMAe6UVX1X+c0Ttg+FRQDWFFA1rw5dCV2lUhYFdpwm5jaVp6zAflVyQVm/o97jDO3uq2lJ3lIZ4/gW7IICh4+I6gxKbhz6x37AD1sYFawEDjoFFnMyPugjMrMdyddOg/WDbLbTSTsdj2nYQ2qox8TI6W4wJQ69u7D3fpW6b70WwmwooTKDXnXKi7//N4rf1rYwl5/SKUy3pYgbrb+Z84FiXvFu4zKryE3uZT85mW+irI/67GjOpIgxxgsndLJK8bp/kKyT8gSm99WCZyRhITY6CbBBroe5LzAqnZMt8mVX5lFGNg2kedu+E2+A/qWIpp1+7BId0s4s4ChTR565avFe4V3pHA6beq8dDgZYS6Lb6MsGW69gPW1sLRUtx0F13VvuI9mqBu/pGk357WUmtRE+yZjTONwtWlrWDbosFwmkE7Tph1p6tk99w+++BHiQhqPOAKSagFk3i9c4pX72qLP7F5NV8SZXLAKGTDUkqzhkcjfMgSvXkg+IWfBJSGrTSv+mFNxAhtBG4uvdMwTpAoIskV0nYXlSFbF0lWmm6ncIaNg5nW3dYDozGKX30q2JZ2zGC73jQsoViHBf1rcQNUTFDCZpzBG+xH3kwthWBo/T5/Q16uOTc80rqUaWE6VgWets5y3kjrB6Mr4bAupWtS3MdmywVUE8wGcfpCxejDZwOwFsqbRLQCILbXck8slWLr6wn10fjHGrQBBeyybbtK3pu0niJOxJXyp3J/gD095g1dSbJbj8nReFUX14g2Hj2ohHwOvLES2StZzuzF5hPeqKjES+kEoq5AxQDPJAaOAidT22QkgS9pVBrKCqFb150vYN+/6DG2tRTpTONmcirYgThqW+27G0Qyt1wL94JEVGqJLcRVW7menw=,iv:JWPM/RxtNFnqpjTJEETWgbzyafQ9/gROfWewHG9q06k=,tag:tLnwoOX5vrWo/5Hnst2kTg==,type:str]
 redis-conf: ENC[AES256_GCM,data:VrvlOhsAydb9nCxSUa9hEi1jiPuBA7+skgZFGkL5lt0OXzPeuKNuFXV9hM37rEzl3a/bxtEpQuh2xArH9/g=,iv:wnX8WhTx86NDpBVWyszuvWZuaiY6vbnULvZPEak1+rY=,tag:wp9HACMU7hVWGyngJTIOZQ==,type:str]
 vault-env: ENC[AES256_GCM,data:xrFk3D6+9R6Z3+zokh26S8IyDlh0hekUX/Wqkd50V+Z9GT8A/P9wLv5uQtxDszWxgruUIj2Liy6nGx0eS/rTE/ZYnhCthT5i/id3e8CcTLtOEEOtThNhIwMczboLqbuXOroif08YNnO7rrgoXF/j9b/+xHj7bp3eYb7W6+dWsQOvNXucjKqP2eSf2oe4ecGsuaocy++55GRWZVBDBuDUddidL0xPirA3BImrKxZK5Akhu7eGMec9tIETzKKtjOBPz5WlBOtukbqCaZw=,iv:2n1BNFeU9cZAQ76z9FgAoGH8VrDrFJVrQDdbGenoQNY=,tag:WkPYjYy+dhZiP1HsVeN8Tw==,type:str]
+vault-ssh-ca-setup-env: ENC[AES256_GCM,data:7MxQ23dxWPFtTZlV+k/bWwHFqg2+RS0jMnqCmu6WTVnirI4Kn9c+xa+Vh7nN8TMUXv0t0GVlfZpQ1LhSyBCzZcENoDsrDbtLMKKNHntCpRzf5AVLBBClFPxk9+0ygzDqPcnAt7o5Cw5D2vvCFqcMDz8SAtq5yoVlhrqDe8fU2A8kU/XEmmFd6bZBTlgbsg==,iv:zZUWixogwrPzS6DY5+5Yoziv1AbYPHQeWSPE+rPrq/8=,tag:NO0+9vtqBb/yhHg1MUs/9g==,type:str]
 authelia-conf: ENC[AES256_GCM,data:w8sh62txdWBw44U0WF4m8VRjcPjDLIlMdO/CvTaXSvSeLkBghiOK+kvsinmyYRkXsTMdSKnM36wzztMX3IccK92Doneeni24jna69RKHza72VhJoiU6KcSTIawoplrfrVmt0Kdhfhi1U2K0GnODZq+oq2hKzit0fTO18kFcxZirycVZL299/h0kdM3BCCGzVk5R3i/1tvWV/qDxH9CTW7in2Zsk9elYDJx2ps+F7/eGE3NJ2/umXeFw/7ifhanaynOLc5pcneD7RaTdKrgnVXBQeEfPlFacrUVLErreoWX8n7VyfgIluVkFaDmj4FS8DrQ8iCKqOvS2Tvxt9xKZBOEdTgQd8w5/6mrzkZRbEfFfWuioRfqzjgtqc+irRn9kQnzoizzXknhr9lxY0/MKWSlUFu3x4ixPis1c4EV7tOREmZgPU/rAmkfcixy7MbEkzYABNRXOAl5shLttQW2t6TMqbeYcvZyaNmLpDP44fSZBi7XklpzUW9+nP7uCL2Gw/EnoxDTy2AA+Q81wrHN8HHCcyA8g/A6FRi6xFfKE9b9eFNascqxRsMMM8+pBPEdGCz74zQJMDpjI4Gpnzglc6I02ZILQDHL0miND5rKCX6SN0dWTSb5xnHX534GVbiWjeKt/Wq03iN4n9McTBXBGwmUp9Od6Tl3j1mDOW6ieT2aBucCNAKTonYfy5FEECiokJnMu/HapVV17wuckqH+gtpfEjGeuLiMnJvnwvJO7U1diWVF/8xRiF4ZI3WS15pzSnG+CnXKCyQ/3J,iv:Ka5rQbFjRcbNha6tjcaVQxNqjLPVxeWxAlAg1SstIK0=,tag:zqBRXLbivHkDrZ7HbzeYVg==,type:str]
 authelia-local-users-conf: ENC[AES256_GCM,data:pu/K5UskF+YjXGv7eLi+JthXhUeEe+olmCUXiIXCxtQeU7QIHkhJa+OgGhbVWmTlNZCFZ6YMviNoCQxkPr7JuKEIVw==,iv:LG1GYmlm9/0qFhikAO4P4c3iaOKeber4pfyYHma+Fms=,tag:IU/24K2bh7v8eg4psER+Xg==,type:str]
 authelia-ldap-users-conf: ENC[AES256_GCM,data:LGCUCkwjgDeZ7goDkFsZIzI6IpUEILTwMVvueYoRCDQa8TFdypY8MeuqxNtxWMSu6aFKr64SJc9jk1742iWH203jRA==,iv:5AKNl2/hB3HcnR3RzW3GOaQAYFdjCeP2jXyvMLD3pRA=,tag:w0dSdI4spb0LHBUC4NKl3g==,type:str]
@@ -56,8 +57,8 @@ sops:
     gcp_kms: []
     azure_kv: []
     hc_vault: []
-    lastmodified: '2021-09-27T13:58:56Z'
-    mac: ENC[AES256_GCM,data:3RBRDe13+yEuChaCnTDm+qMacfcfpAKsjVMVoHO0CXZQE8lVWu59CWJDVL4Lixn9SEP7azFbLXddOOomvN1pzT6JZ7Vvlgmh5VUoagGtILFAgQwqinmI/LFzYOHZZIfU+e0HXNSc78aoUlNDmPYEeHUegnxlmO5qSypw5JsW3Zc=,iv:HGjSxqWVtnbgJoz1cZcWBwehg3E72YcfikWBqgGCCjo=,tag:EEzKN2HAngDQghmjUDW3wQ==,type:str]
+    lastmodified: '2021-09-27T16:21:02Z'
+    mac: ENC[AES256_GCM,data:ff5WK//FCFLDGqU/GKsGyOIOxIjI4AlgjZBCJkqmC8mN7+THerQ3x/vVBkMuwPpklwuHiaZpPmmlQwea/3acfQIRQKxNPwU6VeG0A8ZiUVBpHzJHjrA0/K4kxw4D3dpYNofxI5jfmQFz/OfCoNthiC0SL+DbARnTL0w0fJfAPkc=,iv:ai3kd13CPo+e3HpimEl1t0Os9sMG58DrABUpgZukZCU=,tag:xX53EePnwQ5RZHBJsRCi7w==,type:str]
     pgp:
     -   created_at: '2021-02-17T15:38:00Z'
         enc: |