From dac6b704456a42f643dc5b80c00b17d124d0e28d Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sun, 19 Apr 2026 17:31:38 -0500
Subject: [PATCH] sign-ssh-host-cert
---
 modules/features/step-client.nix | 59 ++++++++++++++++++++++++++++----
 1 file changed, 52 insertions(+), 7 deletions(-)
diff --git a/modules/features/step-client.nix b/modules/features/step-client.nix
index df6107e..ef46a7a 100644
--- a/modules/features/step-client.nix
+++ b/modules/features/step-client.nix
@@ -12,8 +12,8 @@ let
 };
 config = {
- package = config.pkgs.step-cli; # (1)!
 binName = "bootstrap";
+ package = config.pkgs.step-cli; # (1)!
 args = [
 "ca" "bootstrap" "--ca-url" config.caURL
@@ -21,6 +21,51 @@ let
 ];
 };
 });
+
+ mkPrincipalArgs = principals:
+ builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
+
+ signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
+ options = {
+ provisioner = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = "admin";
+ };
+ extraPrincipals = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ };
+ overwrite = lib.mkEnableOption "Overwrite existing cert file?";
+ };
+
+ config = {
+ binName = "sign-ssh-host-cert";
+ package = config.pkgs.step-cli;
+ extraPackages = with config.pkgs; [ hostname iproute2 ];
+ preHook = ''
+ HOSTNAME=$(hostname -s)
+ IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
+ case "$addr" in
+ 192.168.1.*/*)
+ printf '%s\n' "''${addr%%/*}"
+ break
+ ;;
+ esac
+ done)
+ echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
+ '';
+ args =
+ [
+ "ssh" "certificate"
+ "--host" "--sign"
+ "--principal" "$HOSTNAME"
+ "--principal" "$IP_ADDRESS"
+ ]
+ ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
+ ++ lib.optionals config.overwrite [ "-f" ]
+ ++ mkPrincipalArgs config.extraPrincipals;
+ };
+ });
 in {
 perSystem = { system, self', pkgs, lib, ... }: {
@@ -31,6 +76,12 @@ in
 meta.mainProgram = "step";
 paths = with pkgs; [
 self'.packages.step-bootstrap
+ (signHostWrapper.apply {
+ inherit pkgs;
+ provisioner = "admin";
+ overwrite = true;
+ # extraPrincipals = [ "home-pc" ];
+ }).wrapper
 ];
 });
 };
@@ -42,10 +93,4 @@ in
 install = true;
 }).wrapper;
 };
-
- flake.modules.homeManager.myStepClient = { config, pkgs, lib, ... }: {
- home.packages = [
- inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.step-bootstrap
- ];
- };
 }
\ No newline at end of file
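Review bot: In the `preHook` of `signHostWrapper`, `IP_ADDRESS` stays empty when no global-scope IPv4 address matches `192.168.1.*/*`, and the `args` list then passes `--principal ""` — a host on another subnet, or one that has not yet obtained an address, either requests a certificate carrying an empty principal or fails with an unrelated-looking step error. A guard after the loop such as `[ -n "$IP_ADDRESS" ] || { echo "sign-ssh-host-cert: no global IPv4 address in 192.168.1.0/24 found" >&2; exit 1; }` (and the same for an empty `HOSTNAME`) keeps the wrapper from asking the CA for a cert it cannot justify; the subnet glob is also hard-coded and would sit more naturally as an option beside `extraPrincipals`. Whether `"$HOSTNAME"` and `"$IP_ADDRESS"` in `args` are expanded at run time depends on how `wrapModule` emits the argument list, which is outside this hunk. The three options have no `description`, and `mkEnableOption "Overwrite existing cert file?"` renders as "Whether to enable Overwrite existing cert file?." — `mkEnableOption "passing -f to replace an existing host certificate"` reads cleanly. `"${config.provisioner}"` is a redundant interpolation of a string and can be just `config.provisioner`.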
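Review bot: The packaged wrapper in `perSystem` hard-wires `overwrite = true`, so every invocation of `sign-ssh-host-cert` passes `-f` and replaces whatever host certificate already exists, with no confirmation and no record that a valid cert was rotated. Leaving `overwrite` at its default and making replacement a deliberate step — a separate wrapper instance, or `-f` forwarded from the command line if `wrapModule` passes extra arguments through — keeps an accidental re-run from clobbering a live host cert. `provisioner = "admin"` repeats the option's default and can be dropped, unless the intent is that each call site states its provisioner explicitly, in which case the default belongs here rather than on the option.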