From 7b0f419454830dc6b22dfe06e8386830690ef1f2 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Wed, 25 Mar 2026 17:55:31 -0500
Subject: [PATCH] WIP CA bootstrap rework
---
 modules/hosts/{janus.nix => janus/default.nix} | 12 +++++++++---
 {keys => modules/hosts/janus}/root_ca.crt | 0
 .../john-pc/{john-pc-ubuntu.nix => default.nix} | 5 +----
 modules/hosts/soteria/soteria.nix | 2 +-
 modules/programs/step-client.nix | 9 ---------
 modules/services/step-ca/mtls.nix | 16 ----------------
 modules/services/step-ca/ssh-host.nix | 6 ------
 7 files changed, 11 insertions(+), 39 deletions(-)
 rename modules/hosts/{janus.nix => janus/default.nix} (77%)
 rename {keys => modules/hosts/janus}/root_ca.crt (100%)
 rename modules/hosts/john-pc/{john-pc-ubuntu.nix => default.nix} (94%)
diff --git a/modules/hosts/janus.nix b/modules/hosts/janus/default.nix
similarity index 77%
rename from modules/hosts/janus.nix
rename to modules/hosts/janus/default.nix
index 05a9016..f0d6d0a 100644
--- a/modules/hosts/janus.nix
+++ b/modules/hosts/janus/default.nix
@@ -2,9 +2,16 @@
 let
 username = "john";
 hostname = "janus";
- caURL = "https://janus.john-stream.com/";
 in
 {
+ flake.modules.homeManager.janus-ca = { config, ... }: {
+ home.file.".step/config/defaults.json".text = builtins.toJSON {
+ "ca-url" = "https://janus.john-stream.com/";
+ fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
+ root = (builtins.readFile ./root_ca.crt);
+ };
+ };
+
 flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
 modules = with inputs.self.modules; [
 nixos.lxc
@@ -20,12 +27,10 @@ in
 networking.hostName = hostname;
 step-ssh-host = {
 hostname = hostname;
- caURL = caURL;
 };
 mtls = {
 enable = true;
 subject = hostname;
- caURL = caURL;
 san = [
 "${hostname}.john-stream.com"
 "192.168.1.244"
@@ -36,6 +41,7 @@ in
 imports = with inputs.self.modules.homeManager; [
 sops
 step-ssh-user
+ janus-ca
 ];
 shell.program = "zsh";
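Review bot: In the new janus-ca module, `root = (builtins.readFile ./root_ca.crt)` writes the PEM text itself into defaults.json, but step reads `root` there as the path of the root certificate file (it is the persisted form of `--root`); both definitions this patch deletes, in step-client.nix and mtls.nix, wrote a path. Install the certificate as a file and point `root` at it, which also gives the currently unused `config` argument a purpose: `home.file.".step/certs/root_ca.crt".source = ./root_ca.crt;` and `root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";`. The module also hard-codes a fingerprint next to a certificate it reads from disk, and nothing checks that the two still match after a rotation, so a comment on the fingerprint line such as `# output of: step certificate fingerprint root_ca.crt` would help whoever rotates it. The let/in attribute set this hunk opens continues past the hunk.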
diff --git a/keys/root_ca.crt b/modules/hosts/janus/root_ca.crt
similarity index 100%
rename from keys/root_ca.crt
rename to modules/hosts/janus/root_ca.crt
diff --git a/modules/hosts/john-pc/john-pc-ubuntu.nix b/modules/hosts/john-pc/default.nix
similarity index 94%
rename from modules/hosts/john-pc/john-pc-ubuntu.nix
rename to modules/hosts/john-pc/default.nix
index 3aed449..81416fa 100644
--- a/modules/hosts/john-pc/john-pc-ubuntu.nix
+++ b/modules/hosts/john-pc/default.nix
@@ -19,6 +19,7 @@ in
 rebuild
 john
 mysops
+ janus-ca
 step-ssh-user
 mtls
 restic
@@ -91,10 +92,6 @@ in
 mtls = {
 enable = true;
 subject = hostname;
- ca = {
- url = "https://janus.john-stream.com/";
- fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
- };
 san = [
 "${hostname}"
 "192.168.1.85"
diff --git a/modules/hosts/soteria/soteria.nix b/modules/hosts/soteria/soteria.nix
index aa767b7..734b2e0 100644
--- a/modules/hosts/soteria/soteria.nix
+++ b/modules/hosts/soteria/soteria.nix
@@ -24,7 +24,6 @@ in
 ];
 step-ssh-host = {
 hostname = hostname;
- caURL = caURL;
 };
 home-manager.users."${username}" = {
@@ -40,6 +39,7 @@ in
 imports = with inputs.self.modules; [
 homeManager.rebuild
 homeManager.mysops
+ homeManager.janus-ca
 homeManager.mtls
 homeManager.docker
 ];
diff --git a/modules/programs/step-client.nix b/modules/programs/step-client.nix
index 4c05d2f..2cdabcb 100644
--- a/modules/programs/step-client.nix
+++ b/modules/programs/step-client.nix
@@ -17,10 +17,6 @@ in
 {
 options.step-ssh-user = {
 enable = lib.mkEnableOption "opionated step client config for SSH certs";
- caURL = lib.mkOption {
- type = lib.types.str;
- default = "${caURL}";
- };
 fingerprint = lib.mkOption {
 type = lib.types.str;
 default = "${stepFingerprint}";
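Review bot: `caURL = caURL;` is removed from step-ssh-host in the soteria.nix hunk, but the diffstat shows exactly one deletion for that file, so the binding that supplied `caURL` (outside this hunk) appears to survive as dead code; the same seems true of the `caURL` binding behind the `default = "${caURL}"` line that the step-client.nix hunk on this page removes. If neither is referenced any more, delete those bindings in this commit rather than leaving a CA URL in the file that suggests it is still in effect. The attribute set containing the soteria hunk starts and ends outside it.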
@@ -48,11 +44,6 @@ in
 };
 config = lib.mkIf cfg.enable {
 home.file."${cfg.rootCertFile.path}".source = cfg.rootCertFile.source;
- home.file.".step/config/defaults.json".text = builtins.toJSON {
- "ca-url" = cfg.caURL;
- fingerprint = cfg.fingerprint;
- root = "${config.home.homeDirectory}/${cfg.rootCertFile.path}";
- };
 sops.secrets."janus/admin_jwk".mode = "0400";
 home.packages = with pkgs; [
 (writeShellScriptBin "sign-ssh-cert" ''
diff --git a/modules/services/step-ca/mtls.nix b/modules/services/step-ca/mtls.nix
index 31a1030..e083f00 100644
--- a/modules/services/step-ca/mtls.nix
+++ b/modules/services/step-ca/mtls.nix
@@ -3,14 +3,6 @@ let
 # Options that will be in common between
 opts = {
 enable = lib.mkEnableOption "Enable mTLS";
- ca = {
- url = lib.mkOption {
- type = lib.types.str;
- };
- fingerprint = lib.mkOption {
- type = lib.types.str;
- };
- };
 subject = lib.mkOption {
 description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN.";
 type = lib.types.str;
@@ -221,7 +213,6 @@ in
 tlsKey = "${certDir}/${cfg.keyFilename}";
 tlsCert = "${certDir}/${cfg.certFilename}";
 mtlsBundle = "${certDir}/${cfg.bundleFilename}";
- rootCA = "${certDir}/root_ca.crt";
 sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
 in
 {
@@ -264,7 +255,6 @@ in
 tlsKey = "${certDir}/${cfg.keyFilename}";
 tlsCert = "${certDir}/${cfg.certFilename}";
 mtlsBundle = "${certDir}/${cfg.bundleFilename}";
- rootCA = "${certDir}/root_ca.crt";
 sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
 in
 {
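Review bot: With `.step/config/defaults.json` no longer written by step-ssh-user, the `sign-ssh-cert` script that follows in this hunk depends on the host also importing janus-ca, and nothing in the module states or checks that. A home-manager `assertions` entry such as `{ assertion = config.home.file ? ".step/config/defaults.json"; message = "step-ssh-user: no step defaults.json; import janus-ca"; }` would fail evaluation instead of leaving a user with a client that cannot locate or verify the CA. The `fingerprint` option that the first hunk of this file keeps also loses its only visible consumer here; if nothing else reads `cfg.fingerprint`, it is now a dead option. The `config = lib.mkIf cfg.enable {` block continues past the end of the hunk.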
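Review bot: Removing `ca.url`/`ca.fingerprint` from the shared `opts` in the first mtls.nix hunk takes the CA settings away from the NixOS-side mtls module as well, while the replacement (janus-ca) is a homeManager module that only writes one user's `~/.step/config/defaults.json`; the janus hunk on this page enables mtls inside the nixosConfigurations block, and a system service would not read that user file. Either the NixOS half needs a system-level bootstrap (a defaults.json and root certificate under a STEPPATH the service owns), or its scripts must keep passing `--ca-url` and `--root` explicitly. Hunks 2 and 3 also drop the `rootCA` binding; confirm the script bodies below them, which are outside the hunks, no longer interpolate `${rootCA}`, or evaluation will fail with an undefined variable.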
@@ -277,12 +267,6 @@ in
 };
 config = {
- home.file.".step/config/defaults.json".text = builtins.toJSON {
- "ca-url" = cfg.ca.url;
- fingerprint = cfg.ca.fingerprint;
- root = "${cfg.certDir}/root_ca.crt";
- };
-
 home.packages = with pkgs; lib.optionals cfg.enable [
 step-cli
 (writeShellScriptBin "mtls-generate" ''
diff --git a/modules/services/step-ca/ssh-host.nix b/modules/services/step-ca/ssh-host.nix
index a936895..33e9c22 100644
--- a/modules/services/step-ca/ssh-host.nix
+++ b/modules/services/step-ca/ssh-host.nix
@@ -14,10 +14,6 @@
 description = "Networking host name";
 type = lib.types.str;
 };
- caURL = lib.mkOption {
- description = "URL for the certificate authority";
- type = lib.types.str;
- };
 rootCertFile = {
 path = lib.mkOption {
 description = "String path to where the root_ca.crt file will be stored for the user";
@@ -55,8 +51,6 @@
 (writeShellScriptBin "ssh-host-cert-renew" ''
 ${lib.getExe pkgs.step-cli} ssh certificate \
 --host --sign \
- --root "${rootCertPath}" \
- --ca-url ${cfg.caURL} \
 --provisioner "${cfg.provisioner}" \
 --provisioner-password-file "${provisionerPasswordPath}" \
 --principal "${cfg.hostname}" \
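Review bot: Dropping `--root` and `--ca-url` from `ssh-host-cert-renew` in the last hunk makes step-cli resolve the CA from `$STEPPATH/config/defaults.json`, and this module is set from the NixOS configurations of janus and soteria on this page (`step-ssh-host = { hostname = hostname; }`), so the script presumably runs under a system account whose STEPPATH does not contain the home-manager janus-ca file; the renewal would then fail outright rather than fall back to another CA, but it would fail. Keeping `--ca-url` and `--root` in the host script, fed from the module's own `rootCertFile` options that the first ssh-host.nix hunk retains, is the smaller change; a comment above the `step ssh certificate` line stating where the CA URL and root are expected to come from would make the dependency explicit either way. The `rootCertPath` binding that the removed `--root` line used is likely unused now as well. The shell string and the package list it sits in continue outside the hunk.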