pruning

modules/hosts/john-pc/default.nix

@@ -10,7 +10,6 @@ in
   let
     flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
     certDir = "${config.mtls.certDir}";
-    CACert = "${certDir}/root_ca.crt";
     mtlsBundle = "${certDir}/${config.mtls.bundleFilename}";
     resticPasswordFile = "${config.xdg.configHome}/restic/password.txt";
   in

modules/programs/step-client.nix

@@ -21,18 +21,6 @@ in
         type = lib.types.str;
         default = "${stepFingerprint}";
       };
-      rootCertFile = {
-        path = lib.mkOption {
-          type = lib.types.str;
-          description = "String path to where the root_ca.crt file will be stored for the user";
-          default = ".step/certs/root_ca.crt";
-        };
-        source = lib.mkOption {
-          type = lib.types.path;
-          description = "Nix path to the root cert file within the repo";
-          default = ../../keys/root_ca.crt;
-        };
-      };
       provisioner = lib.mkOption {
         type = lib.types.str;
         default = "admin";
@@ -43,7 +31,6 @@ in
       };
     };
     config = lib.mkIf cfg.enable {
-      home.file."${cfg.rootCertFile.path}".source = cfg.rootCertFile.source;
       sops.secrets."janus/admin_jwk".mode = "0400";
       home.packages = with pkgs; [
         (writeShellScriptBin "sign-ssh-cert" ''

modules/services/step-ca/ssh-host.nix

@@ -2,7 +2,6 @@
   flake.modules.nixos.step-ssh-host = { config, pkgs, lib, ... }:
   let
     cfg = config.step-ssh-host;
-    rootCertPath = "/etc/step/certs/root_ca.crt";
     provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
     sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
     sshCertPath = "${sshKeyPath}-cert.pub";
@@ -11,21 +10,9 @@
     # NixOS Options
     options.step-ssh-host = {
       hostname = lib.mkOption {
-        description = "Networking host name";
+        description = "Networking host name to register with the CA";
         type = lib.types.str;
       };
-      rootCertFile = {
-        path = lib.mkOption {
-          description = "String path to where the root_ca.crt file will be stored for the user";
-          type = lib.types.str;
-          default = "step/certs/root_ca.crt";
-        };
-        source = lib.mkOption {
-          description = "Nix path to the root cert file within the repo";
-          type = lib.types.path;
-          default = ../../../keys/root_ca.crt;
-        };
-      };
       provisioner = lib.mkOption {
         description = "Provisioner inside Step CA to use for the SSH certificates";
         type = lib.types.str;
@@ -34,6 +21,7 @@
     };
 
     imports = with inputs.self.modules.nixos; [ ssh ];
+
     # NixOS Config
     config = {
       ssh.certificates.enable = true;
@@ -44,8 +32,6 @@
       };
       networking.nameservers = [ "192.168.1.150" ];
       networking.dhcpcd.extraConfig = "nohook resolv.conf";
-
-      environment.etc."${cfg.rootCertFile.path}".source = cfg.rootCertFile.source;
       environment.systemPackages = with pkgs; [
         step-cli
         (writeShellScriptBin "ssh-host-cert-renew" ''