From aace1776d5f6ad6e8083e4489fd665298c3a51a1 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sun, 19 Apr 2026 18:54:09 -0500
Subject: [PATCH] sign-ssh-user-cert

---
 modules/features/step-client.nix | 30 +++++++++++++++++++++++++
 modules/hosts/janus/default.nix | 1 -
 modules/hosts/john-pc/default.nix | 5 -----
 modules/programs/step-client.nix | 37 -------------------------------
 4 files changed, 30 insertions(+), 43 deletions(-)
 delete mode 100644 modules/programs/step-client.nix

diff --git a/modules/features/step-client.nix b/modules/features/step-client.nix
index 79d6063..cb03103 100644
--- a/modules/features/step-client.nix
+++ b/modules/features/step-client.nix
@@ -69,6 +69,30 @@ let
 '';
 };
 });
+
+ signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
+ options = {
+ provisioner = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = "admin";
+ };
+ validUsers = lib.mkOption {
+ description = "A list of the user names that this cert will be valid for";
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ };
+ overwrite = lib.mkEnableOption "Overwrite existing cert file?";
+ };
+
+ config = {
+ binName = "sign-ssh-user-cert";
+ package = config.pkgs.step-cli;
+ args = [ "ssh" "certificate" "--sign" ]
+ ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
+ ++ lib.optionals config.overwrite [ "-f" ]
+ ++ mkPrincipalArgs config.validUsers;
+ };
+ });
 in
 {
 perSystem = { system, self', pkgs, lib, ... }: {
@@ -85,6 +109,12 @@ in
 overwrite = true;
 # extraPrincipals = [ "home-pc" ];
 }).wrapper
+ (signUserWrapper.apply {
+ inherit pkgs;
+ provisioner = "admin";
+ overwrite = true;
+ validUsers = [ "john" "user" "appdaemon" ];
+ }).wrapper
 ];
 });
 };
diff --git a/modules/hosts/janus/default.nix b/modules/hosts/janus/default.nix
index 1b46cef..f48d313 100644
--- a/modules/hosts/janus/default.nix
+++ b/modules/hosts/janus/default.nix
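Review bot: The argument list built in `config.args` stops at the principal flags, whereas the `sign-ssh-cert` script this patch deletes also passed `--provisioner-password-file` pointing at the sops secret plus the positional key-id and `identityFile.pub` path, so those now have to be supplied by the caller of `sign-ssh-user-cert` at run time, and the `sops.secrets."janus/admin_jwk".mode = "0400"` hardening that module set is not carried over here (it may be set elsewhere; the rest of the file is not visible). `validUsers` defaults to `[ ]`, so an `apply` that forgets it still evaluates and yields a sign command with no `--principal` flags, while the deleted module's `principals` option had no default and failed loudly. Consider dropping `default = [ ];` and stating the run-time positional arguments in the option description, e.g. `description = "User names the cert will be valid for; the key-id and public key path are still given on the command line";`. The enclosing `let` binding set starts before the hunk, and `mkPrincipalArgs` and `inputs` come from outside it.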
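Review bot: The principal set `validUsers = [ "john" "user" "appdaemon" ]` is now fixed in the perSystem package list, so every host that installs this package gets a `sign-ssh-user-cert` requesting the same three principals, whereas the per-host `step-ssh-user.principals` removed in the john-pc hunk (which listed `root` and `${username}`) let each host choose its own. If one shared list is intentional, a short comment above the `apply` would help, e.g. `# one principal list for all hosts; per-host lists were dropped with modules/programs/step-client.nix`. `provisioner = "admin";` restates the option's default and can be omitted. The enclosing package list starts before the hunk.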
@@ -86,7 +86,6 @@ in
 home-manager.users."${username}" = {
 imports = with inputs.self.modules.homeManager; [
 mysops
- step-ssh-user
 ];
 shell.program = "zsh";
 docker.enable = true;
diff --git a/modules/hosts/john-pc/default.nix b/modules/hosts/john-pc/default.nix
index f3c2c27..7ab4209 100644
--- a/modules/hosts/john-pc/default.nix
+++ b/modules/hosts/john-pc/default.nix
@@ -58,11 +58,6 @@ in
 homeManagerFlakeDir = flakeDir;
 docker.enable = true;
- step-ssh-user = {
- enable = true;
- principals = ["root" "${username}" "appdaemon"];
- provisioner = "admin";
- };
 ssh = {
 certificates.enable = true;
 knownHosts = [
diff --git a/modules/programs/step-client.nix b/modules/programs/step-client.nix
deleted file mode 100644
index 2a50df0..0000000
--- a/modules/programs/step-client.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ self, inputs, ... }: {
- #
- # Home Manager Module
- #
- flake.modules.homeManager.step-ssh-user = { config, pkgs, lib, ... }:
- let
- cfg = config.step-ssh-user;
- firstPrincipal = lib.head cfg.principals;
- principalArgs = lib.concatMapStringsSep " "
- (principal: "--principal \"${principal}\"") cfg.principals;
- in
- {
- options.step-ssh-user = {
- enable = lib.mkEnableOption "opionated step client config for SSH certs";
- provisioner = lib.mkOption {
- type = lib.types.str;
- default = "admin";
- };
- principals = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- };
- };
- config = lib.mkIf cfg.enable {
- sops.secrets."janus/admin_jwk".mode = "0400";
- home.packages = with pkgs; [
- (writeShellScriptBin "sign-ssh-cert" ''
- ${lib.getExe pkgs.step-cli} ssh certificate \
- --sign \
- ${principalArgs} \
- --provisioner "${cfg.provisioner}" \
- --provisioner-password-file "${config.sops.secrets."janus/admin_jwk".path}" \
- "${firstPrincipal}" "${config.ssh.identityFile}.pub"
- '')
- ];
- };
- };
-}