generating ssh user CA file

keys/ssh_user_ca.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNpgz9xYE3K+JeQ7vtDA07iWlp0xTXB+G8MBzX6/RluXs8E6v+ahx90M093EYIOImaW6npWQ0JnFtmZaet5l9Ao=

modules/programs/step-client.nix

@@ -40,7 +40,7 @@ in
     imports = with inputs.self.modules.nixos; [ ssh ];
     # NixOS Config
     config = {
-      ssh.certificates = true;
+      ssh.certificates.enable = true;
       home-manager.sharedModules = with inputs.self.modules; [
         homeManager.step-client
       ];

modules/services/ssh.nix

@@ -3,20 +3,43 @@ let
   userName = "john";
 in
 {
-  flake.modules.nixos.ssh = { pkgs, config, lib, ... }: {
-    options = {
-      ssh.certificates = lib.mkEnableOption "Enable SSH certificates";
+  flake.modules.nixos.ssh = { pkgs, config, lib, ... }:
+  let
+    cfg = config.ssh;
+  in
+  {
+    options.ssh = {
+      certificates = {
+        enable = lib.mkEnableOption "Enable SSH certificates";
+        userCA = lib.mkOption {
+          type = lib.types.path;
+          default = ../../keys/ssh_user_ca.pub;
+        };
+      };
     };
 
     config = {
       services.openssh = {
         enable = true;
         # require public key authentication for better security
-        settings.PasswordAuthentication = false;
-        settings.KbdInteractiveAuthentication = false;
+        settings = lib.mkMerge [
+          {
+            PasswordAuthentication = false;
+            KbdInteractiveAuthentication = false;
+          }
+          (lib.mkIf cfg.certificates.enable {
+            TrustedUserCAKeys = "/etc/ssh/ssh_user_ca.pub";
+            HostKey = "/etc/ssh/ssh_host_ed25519_key";
+            HostCertificate = "/etc/ssh/ssh_host_ed25519_key-cert.pub";
+          })
+        ];
       };
 
-      programs.ssh.knownHosts = lib.mkIf config.ssh.certificates {
+      environment.etc."ssh/ssh_user_ca.pub" = lib.mkIf cfg.certificates.enable {
+        source = cfg.certificates.userCA;
+      };
+
+      programs.ssh.knownHosts = lib.mkIf cfg.certificates.enable {
         "192.168.1.*" = { 
           certAuthority = true;
           publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";