step-ssh-user

2026-03-15 16:15:27 -05:00
parent 2ace9cd2dd
commit b3bcfdcfcb
2 changed files with 27 additions and 28 deletions
--- a/modules/programs/step-client.nix
+++ b/modules/programs/step-client.nix
@@ -71,15 +71,15 @@ in
  #
  # Home Manager Module
  #
-  flake.modules.homeManager.step-client = { config, pkgs, lib, ... }:
+  flake.modules.homeManager.step-ssh-user = { config, pkgs, lib, ... }:
  let
-    cfg = config.step-client;
+    cfg = config.step-ssh-user;
    firstPrincipal = lib.head cfg.principals;
-    principalArgs = lib.concatMapStrings
-      (principal: "--principal ${principal}") cfg.principals;
+    principalArgs = lib.concatMapStringsSep " "
+      (principal: "--principal \"${principal}\"") cfg.principals;
  in
  {
-    options.step-client = {
+    options.step-ssh-user = {
      enable = lib.mkEnableOption "opionated step client config for SSH certs";
      caURL = lib.mkOption {
        type = lib.types.str;
@@ -92,7 +92,7 @@ in
      rootCertFile = {
        path = lib.mkOption {
          type = lib.types.str;
-          description = "Path to where the root_ca.crt file will be stored for the user";
+          description = "String path to where the root_ca.crt file will be stored for the user";
          default = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
        };
        source = lib.mkOption {
@@ -101,7 +101,7 @@ in
          default = ../../keys/root_ca.crt;
        };
      };
-      sshHostProvisioner = lib.mkOption {
+      provisioner = lib.mkOption {
        type = lib.types.str;
        default = "admin";
      };
@@ -109,27 +109,23 @@ in
        type = lib.types.listOf lib.types.str;
        default = [ ];
      };
-      publicKeyFile = lib.mkOption {
-        type = lib.types.str;
-        default = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
-      };
    };
    config = lib.mkIf cfg.enable {
-      home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile;
+      home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile.source;
      home.file.".step/config/defaults.json".text = builtins.toJSON {
        "ca-url" = cfg.caURL;
        fingerprint = cfg.fingerprint;
        root = "${cfg.rootCertFile.path}";
      };
      sops.secrets."janus/admin_jwk".mode = "0400";
-      home.packages = lib.optionals cfg.certificates.enable [
-        (pkgs.writeShellScriptBin "sign-ssh-cert" ''
+      home.packages = with pkgs; [
+        (writeShellScriptBin "sign-ssh-cert" ''
          ${lib.getExe pkgs.step-cli} ssh certificate \
-          --sign \ 
+          --sign \
          ${principalArgs} \
-          --provisioner "${cfg.sshHostProvisioner}" \
+          --provisioner "${cfg.provisioner}" \
          --provisioner-password-file "${config.sops.secrets."janus/admin_jwk".path}" \
-          "${firstPrincipal}" "${cfg.publicKeyFile}"
+          "${firstPrincipal}" "${config.ssh.IdentityFile}.pub"
        '')
      ];
    };