From 0cf3f05df2031625dd10083c61ae330e7bbe3e56 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sun, 29 Mar 2026 15:29:30 -0500
Subject: [PATCH] ssh options into variables

---
 modules/services/ssh.nix | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
index 916c364..b58cf55 100644
--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
@@ -8,16 +8,29 @@ in
 let
 cfg = config.ssh;
 userCAPath = "ssh/ssh_user_ca.pub";
- hostKeyFile = "ssh/ssh_host_ed25519_key";
 in
 {
 options.ssh = {
+ configDir = lib.mkOption {
+ description = "String path to the host SSH config directory";
+ type = lib.types.str;
+ default = "/etc/ssh";
+ };
+ hostKey = lib.mkOption {
+ description = "String path to the host private key file";
+ type = lib.types.str;
+ default = "${cfg.configDir}/ssh_host_ed25519_key";
+ };
 certificates = {
 enable = lib.mkEnableOption "Enable SSH host certificates";
 userCA = lib.mkOption {
 type = lib.types.path;
 default = ../../keys/ssh_user_ca.pub;
 };
+ userCAPath = lib.mkOption {
+ type = lib.types.str;
+ default = "${cfg.configDir}/ssh_user_ca.pub";
+ };
 };
 };
 
@@ -29,11 +42,11 @@ in
 {
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
- HostKey = "/etc/${hostKeyFile}";
+ HostKey = cfg.hostKey;
 }
 (lib.mkIf cfg.certificates.enable {
- TrustedUserCAKeys = "/etc/${userCAPath}";
- HostCertificate = "/etc/${hostKeyFile}-cert.pub";
+ TrustedUserCAKeys = cfg.certificates.userCAPath;
+ HostCertificate = "${cfg.hostKey}-cert.pub";
 })
 ];
 };
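Review bot: The `let`-bound `userCAPath = "ssh/ssh_user_ca.pub"` stays in place while `certificates.userCAPath` is added as an option, so the CA key location now has two independent definitions. If the remaining binding is still what installs the CA file under /etc (that code is outside this hunk), overriding `configDir` or the new option would point `TrustedUserCAKeys` at a path where nothing is deployed; derive one from the other or drop the binding. The new option also has no `description`; I would add `description = "Absolute runtime path from which sshd reads the trusted user CA public key";`. Because the `hostKey` and `userCAPath` defaults interpolate `cfg.configDir`, each should also carry a `defaultText` built with `lib.literalExpression` so the generated option docs show the expression rather than an evaluated value.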
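Review bot: `HostKey`, `HostCertificate` and `TrustedUserCAKeys` now take free-form `lib.types.str` values, so a relative or empty string reaches sshd_config with no check. Keeping `hostKey` a string rather than a Nix path is the right call, since a path literal would copy the private key into the world-readable store. An entry in `assertions` such as `assertion = lib.hasPrefix "/" cfg.hostKey;` (and the same for `cfg.certificates.userCAPath`) would reject bad values at evaluation time. The enclosing `config` block starts outside this hunk, so it is not visible whether host key generation and the certificate file follow `cfg.hostKey`; they should, otherwise an override leaves sshd pointed at files that do not exist.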