diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3cb9c338..6476555e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,20 +33,6 @@ jobs:
 run: go mod download
 - name: Build
 run: go build -v -o /dev/null
- nix-build:
- name: Nix Build
- runs-on: ubuntu-24.04
- steps:
- - name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- with:
- persist-credentials: false
- - name: Check Nix flake inputs
- uses: DeterminateSystems/flake-checker-action@3164002371bc90729c68af0e24d5aacf20d7c9f6 # v12
- - name: Install Nix
- uses: DeterminateSystems/nix-installer-action@90bb610b90bf290cad97484ba341453bd1cbefea # v19
- - name: Build
- run: nix build .
 # Run integration tests
 test:
 needs: build
diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
deleted file mode 100644
index 1ef4d67d..00000000
--- a/.github/workflows/weekly.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-name: Update flake.lock
-on:
- workflow_dispatch: # allows manual triggering
- schedule:
- - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
-permissions: {}
-jobs:
- lockfile:
- name: Update flake.lock
- runs-on: ubuntu-24.04
- permissions:
- contents: write
- pull-requests: write
- steps:
- - name: Checkout repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- with:
- persist-credentials: false
- - name: Install Nix
- uses: DeterminateSystems/nix-installer-action@90bb610b90bf290cad97484ba341453bd1cbefea # v19
- - name: Update flake.lock
- uses: DeterminateSystems/update-flake-lock@c5930b397a673a70ca70be06020e943aeac310a1 # v27
- with:
- pr-title: "Update flake.lock"
- pr-labels: |
- dependencies
- automated
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index aad3b012..b1e6c39b 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -8,14 +8,6 @@ OPKSSH is part of [the OpenPubkey project.](https://github.com/openpubkey/openpu Whether you're addressing an open issue (or filing a new one), fixing a typo in our documentation, adding to core capabilities of the project, or introducing a new use case, anyone from the community is welcome here at OpenPubkey. -### Development environment - -If you’re using Nix with flakes support, you can enter a _barebones_ -development shell by running `nix develop` in the repo. You can also -easily test that `opkssh` builds by running `nix build`. The binary -will be under `./result/bin`. If you just want to run `opkssh`, you -can do so with `nix run`. - ### Include Licensing at the Top of Each File At the top of each file in your commit, please ensure the following is captured in a comment: @@ -85,19 +77,6 @@ Our automated PR checks verify that: 1. All unit tests pass, which can be done locally by running `go test ./...`. 2. The code has been formatted correctly, according to `go fmt`. 3. There are no obvious errors, according to `go vet`. - 4. `opkssh` can be built with Nix. - 5. The `nixpkgs` Nix flake input isn’t stale. - -#### Nix specifics - -Technically speaking, the `flake.nix` doesn’t have to be updated _at -all_; however, it’s generally a good idea to keep the `nixpkgs` input -relatively up-to-date to pull in the latest security updates. The -pull request continuous integration checks are configured to try and -build `opkssh` à la `nix build` and also check that the `nixpkgs` -flake input isn’t stale. If `opkssh` fails to build, ensure that you -can build it manually in the Nix develop shell. If the Nix flake -input check fails, try running `nix flake update nixpkgs`. ## Building and Testing @@ -138,7 +117,7 @@ Then run the integration tests with: export OS_TYPE="ubuntu" go test -tags=integration ./test/integration -timeout=15m -count=1 -v ``` - + or ```bash diff --git a/README.md b/README.md index 5ec2ad14..2b9476ae 100644 --- a/README.md 
+++ b/README.md @@ -52,6 +52,14 @@ To install with [Chocolatey](https://chocolatey.org/install) run: choco install opkssh -y ``` +### Nix Install + +Use the [opkssh nixpkg](https://search.nixos.org/packages?channel=unstable&show=opkssh&query=opkssh) as normal, or test it via: + +```bash +nix-shell -p opkssh +``` + ### Manual Install (Windows, Linux, macOS) To install manually, download the opkssh binary and run it: @@ -231,7 +239,7 @@ sudo chown root:opksshuser /etc/opk/providers sudo chmod 640 /etc/opk/providers ``` -## `/etc/opk/auth_id` +### `/etc/opk/auth_id` `/etc/opk/auth_id` is the global authorized identities file. This is a server wide file where policies can be configured to determine which identities can assume what linux user accounts. @@ -315,6 +323,40 @@ AuthorizedKeysCommand /usr/local/bin/opkssh verify %u %k %t AuthorizedKeysCommandUser opksshuser ``` +## Server Configuration (NixOS) + +On NixOS, you can configure the SSH daemon by **including** the following lines to your config: + +```nix +{ ... }: + +{ + services.opkssh = { + enable = true; + + providers = { + google = { + issuer = "https://accounts.google.com"; + clientId = + "206584157355-7cbe4s640tvm7naoludob4ut1emii7sf.apps.googleusercontent.com"; + lifetime = "24h"; + }; + }; + + authorizations = [ + { + user = "YOUR_USERNAME"; + principal = "YOUR_GMAIL"; + issuer = "https://accounts.google.com"; + } + ]; + }; +} +``` + +See [search.nixos.org](https://search.nixos.org/options?channel=unstable&query=services.opkssh) for +all available configuration options. + ## Custom OpenID Providers (Authentik, Authelia, Keycloak, Zitadel...) To log in using a custom OpenID Provider, run: 
@@ -524,4 +566,4 @@ For integration tests run:
 - [CONTRIBUTING.md](https://github.com/openpubkey/opkssh/blob/main/CONTRIBUTING.md) Guide to contributing to opkssh (includes developer help).
 - [docs/gitlab-selfhosted.md](docs/gitlab-selfhosted.md) Guide on configuring and using a self hosted GitLab instance with opkssh.
 - [docs/paramiko.md](docs/paramiko.md) Guide to using the python SSH paramiko library with opkssh.
-- [docs/putty.md](docs/putty.md) Guide to using PuTTY with opkssh.
\ No newline at end of file
+- [docs/putty.md](docs/putty.md) Guide to using PuTTY with opkssh.
diff --git a/flake.lock b/flake.lock
deleted file mode 100644
index 9c5dcaa6..00000000
--- a/flake.lock
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "nodes": {
- "nixpkgs": {
- "locked": {
- "lastModified": 1746422338,
- "narHash": "sha256-NTtKOTLQv6dPfRe00OGSywg37A1FYqldS6xiNmqBUYc=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "5b35d248e9206c1f3baf8de6a7683fee126364aa",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-24.11",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "root": {
- "inputs": {
- "nixpkgs": "nixpkgs"
- }
- }
- },
- "root": "root",
- "version": 7
-}
diff --git a/flake.nix b/flake.nix
deleted file mode 100644
index 3c56a22e..00000000
--- a/flake.nix
+++ /dev/null
@@ -1,113 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-
-{
- description = "Open Pubkey for SSH";
-
- inputs = {
- nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-24.11";
- };
-
- outputs = { self, nixpkgs }:
- let
- supported-systems = [
- "x86_64-linux"
- "aarch64-linux"
- "x86_64-darwin"
- "aarch64-darwin"
- ];
-
- # Helper to provide system-specific attributes
- forSupportedSystems = f: nixpkgs.lib.genAttrs supported-systems (system: f {
- pkgs = import nixpkgs { inherit system; };
- });
- in
- {
- packages = forSupportedSystems ({ pkgs }: rec {
- opkssh = pkgs.buildGoModule {
- name = "opkssh";
- src = self;
- vendorHash = "sha256-AdQtYqhwhkvvr9bbSWylACg75nC/K7hxb13bP5itusM=";
- goSum = ./go.sum;
- meta.mainProgram = "opkssh";
- };
- default = opkssh;
- });
-
- overlays.default = final: prev: {
- opkssh = self.packages.${final.stdenv.system}.opkssh;
- };
-
- nixosModules = {
- server = { config, pkgs, lib, ... }: let cfg = config.programs.opkssh; in {
- options.programs.opkssh = {
- enable = lib.options.mkEnableOption "opkssh";
- package = lib.options.mkOption {
- default = pkgs.opkssh;
- type = lib.types.package;
- };
- command.enable = lib.options.mkEnableOption "opkssh command";
- config = {
- # TODO: Replace these options with submodules.
- authorization_rules' = lib.options.mkOption {
- default = "";
- type = lib.types.lines;
- };
- providers' = lib.options.mkOption {
- default = ''
- https://accounts.google.com 206584157355-7cbe4s640tvm7naoludob4ut1emii7sf.apps.googleusercontent.com 24h
- https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0 096ce0a3-5e72-4da8-9c86-12924b294a01 24h
- https://gitlab.com 8d8b7024572c7fd501f64374dec6bba37096783dfcd792b3988104be08cb6923 24h
- '';
- type = lib.types.lines;
- };
- };
- };
-
- config = lib.modules.mkIf cfg.enable {
- # This config follows the install-linux.sh procedure.
- users = {
- groups.opkssh = {};
- users.opkssh = {
- isSystemUser = true;
- group = config.users.groups.opkssh.name;
- };
- };
-
- environment = {
- systemPackages = lib.lists.optional cfg.command.enable cfg.package;
- etc = let inherit (config.users) users groups; in {
- "opk/auth_id" = {
- user = users.opkssh.name;
- group = groups.opkssh.name;
- mode = "0640";
- text = cfg.config.authorization_rules';
- };
- "opk/providers" = {
- user = users.opkssh.name;
- group = groups.opkssh.name;
- mode = "0640";
- text = cfg.config.providers';
- };
- };
- };
-
- security.wrappers.opkssh = let inherit (config.users) users groups; in {
- owner = users.root.name;
- group = groups.root.name;
- source = lib.meta.getExe cfg.package;
- };
-
- services.openssh = {
- # Command path has to be hardcoded unfortunately.
- authorizedKeysCommand = "/run/wrappers/bin/opkssh verify %u %k %t";
- authorizedKeysCommandUser = config.users.users.opkssh.name;
- };
-
- systemd.tmpfiles.rules = let inherit (config.users) users groups; in [
- "f /var/log/opkssh.log 660 ${users.root.name} ${groups.opkssh.name} -"
- ];
- };
- };
- };
- };
-}