nix/machines
1
0
Fork 0
Code Issues Releases Packages Activity Actions
machines/nix/modules/terranix/vault/ssh_secret_backend.nix

128 lines
5.2 KiB
Nix
Raw Blame History

{ lib, config, ... }:
let
cfg = config.khscodes.vault;
in
{
options.khscodes.vault = {
ssh_secret_backend_role = lib.mkOption {
type = lib.types.attrsOf (
lib.khscodes.mkSubmodule {
options = {
name = lib.mkOption {
type = lib.types.str;
description = "Specifies the name of the role to create.";
};
backend = lib.mkOption {
type = lib.types.str;
description = "The path where the SSH secret backend is mounted.";
};
key_type = lib.mkOption {
type = lib.types.enum [
"otp"
"dynamic"
"ca"
];
description = "Specifies the type of credentials generated by this role.";
};
allow_bare_domains = lib.mkOption {
type = lib.types.nullOr (lib.types.bool);
description = "Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.";
default = false;
};
allow_host_certificates = lib.mkOption {
type = lib.types.nullOr (lib.types.bool);
description = "Specifies if certificates are allowed to be signed for use as a 'host'.";
default = false;
};
allow_subdomains = lib.mkOption {
type = lib.types.nullOr (lib.types.bool);
description = "Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.";
default = false;
};
allow_user_certificates = lib.mkOption {
type = lib.types.nullOr (lib.types.bool);
description = "Specifies if certificates are allowed to be signed for use as a 'user'.";
default = false;
};
allowed_critical_options = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "Specifies a list of critical options that certificates can have when signed.";
default = [ ];
};
allowed_users = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "Specifies a list of usernames that are to be allowed, only if certain usernames are to be allowed.";
default = [ ];
};
default_user = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Specifies the default username for which a credential will be generated.";
default = null;
};
allowed_domains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "The list of domains for which a client can request a host certificate";
default = [ ];
};
allowed_user_key_config = lib.mkOption {
type = lib.types.listOf (
lib.khscodes.mkSubmodule {
options = {
type = lib.mkOption {
type = lib.types.enum [
"rsa"
"ecdsa"
"ec"
"dsa"
"ed25519"
"ssh-rsa"
"ssh-dss"
"ssh-ed25519"
"ecdsa-sha2-nistp256"
"ecdsa-sha2-nistp384"
"ecdsa-sha2-nistp521"
];
description = "The SSH public key type.";
};
lengths = lib.mkOption {
type = lib.types.listOf lib.types.int;
description = "A list of allowed key lengths as integers. For key types that do not support setting the length a value of [0] should be used.";
};
};
description = "allowed_user_key_config";
}
);
description = "Set of configuration blocks to define allowed user key configuration, like key type and their lengths.";
};
};
description = "vault_ssh_secret_backend_role";
}
);
description = "Defines an ssh secret backend";
default = { };
};
};
config = lib.mkIf cfg.enable {
resource.vault_ssh_secret_backend_role = lib.mapAttrs' (name: value: {
name = lib.khscodes.sanitize-terraform-name name;
value = {
inherit (value)
name
backend
key_type
allow_bare_domains
allow_host_certificates
allow_subdomains
allow_user_certificates
default_user
allowed_user_key_config
;
allowed_critical_options = lib.strings.concatStringsSep "," (
lib.lists.unique value.allowed_critical_options
);
allowed_domains = lib.strings.concatStringsSep "," (lib.lists.unique value.allowed_domains);
allowed_users = lib.strings.concatStringsSep "," (lib.lists.unique value.allowed_users);
};
}) cfg.ssh_secret_backend_role;
};
}
Reference in a new issue View git blame Copy permalink