temp

modules/features/ssh-certs.nix

@@ -0,0 +1,171 @@
+{ self, inputs, ... }:
+let
+  mkPrincipalArgs = principals:
+    builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
+
+  signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
+    options = {
+      provisioner = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = "admin";
+      };
+      extraPrincipals = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+      };
+      overwrite = lib.mkEnableOption "Overwrite existing cert file?";
+    };
+
+    config = {
+      binName = "sign-ssh-host-cert";
+      package = config.pkgs.step-cli;
+      extraPackages = with config.pkgs; [ hostname iproute2 systemd ];
+      preHook = ''
+        HOSTNAME=$(hostname -s)
+        IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
+          case "$addr" in
+            192.168.1.*/*)
+              printf '%s\n' "''${addr%%/*}"
+              break
+              ;;
+          esac
+        done)
+        echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
+      '';
+      args =
+        [
+          "ssh" "certificate"
+          "--host" "--sign"
+          "--principal" "$HOSTNAME"
+          "--principal" "$IP_ADDRESS"
+        ]
+        ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
+        ++ lib.optionals config.overwrite [ "-f" ]
+        ++ mkPrincipalArgs config.extraPrincipals;
+      postHook = ''
+        systemctl reload-or-restart sshd
+      '';
+    };
+  });
+
+  signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
+    options = {
+      provisioner = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = "admin";
+      };
+      validUsers = lib.mkOption {
+        description = "A list of the user names that this cert will be valid for";
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+      };
+      overwrite = lib.mkEnableOption "Overwrite existing cert file?";
+    };
+
+    config = {
+      binName = "sign-ssh-user-cert";
+      package = config.pkgs.step-cli;
+      args = [ "ssh" "certificate" "--sign" ]
+        ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
+        ++ lib.optionals config.overwrite [ "-f" ]
+        ++ mkPrincipalArgs config.validUsers;
+    };
+  });
+
+  combinedWrapper = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
+    options = {
+      user.enable = lib.myEnableOption "Enable SSH user certs";
+    };
+
+    config = {
+      package = (pkgs.symlinkJoin {
+        name = "ssh-certs";
+        meta.mainProgram = "sign-ssh-host-cert";
+        paths = [
+          (signHostWrapper.apply {
+            inherit pkgs;
+            provisioner = "admin";
+            overwrite = true;
+            # extraPrincipals = [ "home-pc" ];
+          }).wrapper
+        ]
+        ++ lib.optional config.user.enable (signUserWrapper.apply {
+          inherit pkgs;
+          provisioner = "admin";
+          overwrite = true;
+          validUsers = [ "john" "root" "appdaemon" ];
+        }).wrapper;
+      });
+    };
+  });
+in
+{
+  perSystem = { system, self', pkgs, lib, ... }: {
+    packages.ssh-certs = inputs.wrappers.lib.wrapPackage {
+      inherit pkgs;
+      package = (pkgs.symlinkJoin {
+        name = "ssh-certs";
+        meta.mainProgram = "sign-ssh-user-cert";
+        paths = [
+          (signUserWrapper.apply {
+            inherit pkgs;
+            provisioner = "admin";
+            overwrite = true;
+            validUsers = [ "john" "root" "appdaemon" ];
+          }).wrapper
+
+          (signHostWrapper.apply {
+            inherit pkgs;
+            provisioner = "admin";
+            overwrite = true;
+            # extraPrincipals = [ "home-pc" ];
+          }).wrapper
+        ];
+      });
+    };
+  };
+
+  flake.modules.homeManager.sshCerts = { config, pkgs, lib, ... }: { 
+    home.packages = [
+      inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.myPackage 
+    ];
+  };
+
+  # flake.modules.homeManager.sshCerts = { config, pkgs, lib, ... }: {
+  #   home.packages = [
+  #     (inputs.self.wrappers.sshCerts.apply {
+  #       inherit pkgs;
+  #       provisioner = "test prov";
+  #     }).wrapper
+  #   ];
+  # };
+
+  # flake.wrappers.sshCerts = { wlib, lib }:
+  #   wlib.wrapModule ({ config, wlib, ... }: {
+  #     options = {
+  #       provisioner = lib.mkOption {
+  #         type = lib.types.str;
+  #         default = "admin";
+  #       };
+  #     };
+  #     config = {
+  #       binName = "admin-cow";
+  #       package = config.pkgs.cowsay;
+  #       args = [ config.provisioner ];
+  #     };
+  # });
+
+    # inputs.wrappers.lib.wrapModule ({ config, lib, ... }: {
+    #   options = {
+    #     provisioner = lib.mkOption {
+    #       type = lib.types.str;
+    #       default = "admin";
+    #     };
+    #   };
+
+    #   config = {
+    #     package = config.pkgs.cowsay;
+    #     args = [ config.provisioner ];
+    #   };
+    # });
+}

modules/features/step-client.nix

@@ -21,78 +21,6 @@ let
       ];
     };
   });
-
-  mkPrincipalArgs = principals:
-    builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
-
-  signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
-    options = {
-      provisioner = lib.mkOption {
-        type = lib.types.nullOr lib.types.str;
-        default = "admin";
-      };
-      extraPrincipals = lib.mkOption {
-        type = lib.types.listOf lib.types.str;
-        default = [ ];
-      };
-      overwrite = lib.mkEnableOption "Overwrite existing cert file?";
-    };
-
-    config = {
-      binName = "sign-ssh-host-cert";
-      package = config.pkgs.step-cli;
-      extraPackages = with config.pkgs; [ hostname iproute2 systemd ];
-      preHook = ''
-        HOSTNAME=$(hostname -s)
-        IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
-          case "$addr" in
-            192.168.1.*/*)
-              printf '%s\n' "''${addr%%/*}"
-              break
-              ;;
-          esac
-        done)
-        echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
-      '';
-      args =
-        [
-          "ssh" "certificate"
-          "--host" "--sign"
-          "--principal" "$HOSTNAME"
-          "--principal" "$IP_ADDRESS"
-        ]
-        ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
-        ++ lib.optionals config.overwrite [ "-f" ]
-        ++ mkPrincipalArgs config.extraPrincipals;
-      postHook = ''
-        systemctl reload-or-restart sshd
-      '';
-    };
-  });
-
-  signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
-    options = {
-      provisioner = lib.mkOption {
-        type = lib.types.nullOr lib.types.str;
-        default = "admin";
-      };
-      validUsers = lib.mkOption {
-        description = "A list of the user names that this cert will be valid for";
-        type = lib.types.listOf lib.types.str;
-        default = [ ];
-      };
-      overwrite = lib.mkEnableOption "Overwrite existing cert file?";
-    };
-
-    config = {
-      binName = "sign-ssh-user-cert";
-      package = config.pkgs.step-cli;
-      args = [ "ssh" "certificate" "--sign" ]
-        ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
-        ++ lib.optionals config.overwrite [ "-f" ]
-        ++ mkPrincipalArgs config.validUsers;
-    };
-  });
 in
 {
   perSystem = { system, self', pkgs, lib, ... }: {

modules/nix-tools/wrappers.nix

@@ -9,4 +9,12 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
+
+  options = {
+    flake = inputs.flake-parts.lib.mkSubmoduleOptions {
+      myWrappers = inputs.nixpkgs.lib.mkOption {
+        default = {};
+      };
+    };
+  };
 }