From 832149305b585e646b11e5417caad0a03035cf2a Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sun, 15 Mar 2026 20:14:23 -0500
Subject: [PATCH] commonized root CA pattern

---
 modules/programs/step-client.nix | 4 ++--
 modules/services/step-ca/ssh-host.nix | 17 ++++++++++++-----
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/modules/programs/step-client.nix b/modules/programs/step-client.nix
index c28f3b6..5fa0c91 100644
--- a/modules/programs/step-client.nix
+++ b/modules/programs/step-client.nix
@@ -29,7 +29,7 @@ in
 path = lib.mkOption {
 type = lib.types.str;
 description = "String path to where the root_ca.crt file will be stored for the user";
- default = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
+ default = ".step/certs/root_ca.crt";
 };
 source = lib.mkOption {
 type = lib.types.path;
@@ -47,7 +47,7 @@ in
 };
 };
 config = lib.mkIf cfg.enable {
- home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile.source;
+ home.file."${cfg.rootCertFile.path}".source = cfg.rootCertFile.source;
 home.file.".step/config/defaults.json".text = builtins.toJSON {
 "ca-url" = cfg.caURL;
 fingerprint = cfg.fingerprint;
diff --git a/modules/services/step-ca/ssh-host.nix b/modules/services/step-ca/ssh-host.nix
index a29ee37..3367aab 100644
--- a/modules/services/step-ca/ssh-host.nix
+++ b/modules/services/step-ca/ssh-host.nix
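Review bot: The new default `.step/certs/root_ca.crt` is relative where the old one was absolute, yet the `description` on the line above still calls it a generic "String path"; because the second hunk of this file uses the value as the `home.file` target, which Home Manager resolves relative to the home directory, the option should state that contract, e.g. `description = "Path, relative to the home directory, at which root_ca.crt will be placed";`. Any other reader of `cfg.rootCertFile.path` outside these two hunks that relied on the previous absolute default (a `root` entry in `defaults.json`, for instance) would now receive a relative path; I cannot see the rest of the module, so this is worth confirming. The same description wording is reused in ssh-host.nix, where the relative base is different. The `config = lib.mkIf cfg.enable {` block in the second hunk continues past it.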
@@ -22,10 +22,17 @@ in
 type = lib.types.str;
 default = "${caURL}";
 };
- rootCertFile = lib.mkOption {
- type = lib.types.path;
- description = "Public Step root CA certificate file from the repo.";
- default = ../../../keys/root_ca.crt;
+ rootCertFile = {
+ path = lib.mkOption {
+ type = lib.types.str;
+ description = "String path to where the root_ca.crt file will be stored for the user";
+ default = "step/certs/root_ca.crt";
+ };
+ source = lib.mkOption {
+ type = lib.types.path;
+ description = "Nix path to the root cert file within the repo";
+ default = ../../../keys/root_ca.crt;
+ };
 };
 sshHostProvisioner = lib.mkOption {
 type = lib.types.str;
@@ -45,7 +52,7 @@ in
 networking.nameservers = [ "192.168.1.150" ];
 networking.dhcpcd.extraConfig = "nohook resolv.conf";
- environment.etc."step/certs/root_ca.crt".source = cfg.rootCertFile;
+ environment.etc."${cfg.rootCertFile.path}".source = cfg.rootCertFile.source;
 environment.systemPackages = with pkgs; [
 step-cli
 (writeShellScriptBin "ssh-host-cert-renew" ''
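Review bot: The `path` option's description was copied from the Home Manager module and says the file is stored "for the user", but in this module the value becomes an `environment.etc` target in the second hunk, so it is relative to `/etc` and system-wide; suggest `description = "Path, relative to /etc, at which the root CA certificate will be placed";`. Turning `rootCertFile` from an option of type `path` into an attribute set of two options is also a breaking change for any host configuration that assigned a bare path to it, and neither the commit message nor the option text mentions the migration to `rootCertFile.source`; a sentence in the commit message would at least make the intent explicit. I cannot see whether such a consumer exists in the repository. The enclosing options set starts before this hunk.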
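Review bot: `environment.etc."${cfg.rootCertFile.path}"` now lets the trust-anchor location vary per host, but the `ssh-host-cert-renew` script that opens on the last line of this hunk and continues outside it is the consumer that has to find that root certificate; if its `step` invocation still names `/etc/step/certs/root_ca.crt` literally, a non-default `path` would break the trust check at renewal time while the file is still written elsewhere. Deriving the script's reference from the same option, e.g. `--root /etc/${cfg.rootCertFile.path}`, keeps the file written here and the file the script trusts from diverging. I cannot see the script body, so this is a point to confirm rather than a confirmed defect.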