add root cert for vnopn router

2024-08-12 14:38:53 -07:00
parent 2740141b2b
commit f248b0cb52
3 changed files with 24 additions and 5 deletions
--- a/common/module.nix
+++ b/common/module.nix
@@ -5,6 +5,7 @@ in {
  options = {
    vacu.nix.extraSubstituters = mkOption { type = types.listOf types.str; };
    vacu.nix.extraTrustedKeys = mkOption { type = types.listOf types.str; };
+    vacu.rootCAs = mkOption { type = types.listOf types.str; };
  };
  config = {
    vacu.packages = with pkgs; [
@@ -78,11 +79,22 @@ in {
      "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM="
      "nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU="
    ];
-    assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (name: data: {
-      assertion = (data.publicKey == null && data.publicKeyFile != null) ||
-                  (data.publicKey != null && data.publicKeyFile == null);
-      message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
-    });
+    vacu.rootCAs = [
+      ''
+        -----BEGIN CERTIFICATE-----
+        MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
+        A1UEAxMIdm5vcG4gQ0EwHhcNMjQwODEyMjExNTQwWhcNMzQwODEwMjExNTQwWjAg
+        MQswCQYDVQQGEwJVUzERMA8GA1UEAxMIdm5vcG4gQ0EwWTATBgcqhkjOPQIBBggq
+        hkjOPQMBBwNCAARqRbSeq00FfYUGeCHVkzwrjrydI56T12xy+iut0c4PemSuhyxC
+        AgfdKYtDqMNZmSqMaLihzkBenD0bN5i0ndjho3AwbjAPBgNVHRMBAf8EBTADAQH/
+        MCwGA1UdHgEB/wQiMCCgGDAKhwgKTkwA///8ADAKgggudDJkLmxhbqEEMAKBADAO
+        BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAjSkbJQCQc1WP6nIP5iLDIKGFrdMAoG
+        CCqGSM49BAMCA0cAMEQCIFtyawkZqFhvzgmqG/mYNNO6DdsQTPQ46x/08yrEiiF4
+        AiA+FwAPqX+CBkaSdIhuhv1kIecmvacnDL5kpyB+9nDodw==
+        -----END CERTIFICATE-----
+      ''
+    ];
+
    vacu.ssh.authorizedKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86" # Termux on pixel6pro
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp" # t460s windows
--- a/common/nixos.nix
+++ b/common/nixos.nix
@@ -87,6 +87,8 @@

    programs.ssh.extraConfig = config.vacu.ssh.config;

+    security.pki.certificates = config.vacu.rootCAs;
+
    # commands.nix
    environment.pathsToLink = [ "/share/vacufuncs" ];
    vacu.shell.functionsDir = "/run/current-system/sw/share/vacufuncs";
--- a/common/ssh.nix
+++ b/common/ssh.nix
@@ -107,5 +107,10 @@ in {
        }
      '';
    };
+    config.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (name: data: {
+      assertion = (data.publicKey == null && data.publicKeyFile != null) ||
+                  (data.publicKey != null && data.publicKeyFile == null);
+      message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
+    });
  };
 }