sign-ssh-user-cert

2026-04-19 18:54:09 -05:00
parent 03965917ea
commit aace1776d5
4 changed files with 30 additions and 43 deletions
@@ -69,6 +69,30 @@ let
      '';
    };
  });
+
+  signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
+    options = {
+      provisioner = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = "admin";
+      };
+      validUsers = lib.mkOption {
+        description = "A list of the user names that this cert will be valid for";
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+      };
+      overwrite = lib.mkEnableOption "Overwrite existing cert file?";
+    };
+
+    config = {
+      binName = "sign-ssh-user-cert";
+      package = config.pkgs.step-cli;
+      args = [ "ssh" "certificate" "--sign" ]
+        ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
+        ++ lib.optionals config.overwrite [ "-f" ]
+        ++ mkPrincipalArgs config.validUsers;
+    };
+  });
 in
 {
  perSystem = { system, self', pkgs, lib, ... }: {
@@ -85,6 +109,12 @@ in
            overwrite = true;
            # extraPrincipals = [ "home-pc" ];
          }).wrapper
+          (signUserWrapper.apply {
+            inherit pkgs;
+            provisioner = "admin";
+            overwrite = true;
+            validUsers = [ "john" "user" "appdaemon" ];
+          }).wrapper
        ];
      });
    };