From e1b093929c8bd7ca77cc9f057b5faf6a232e3f30 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sun, 15 Mar 2026 14:45:33 -0500
Subject: [PATCH] ssh certificates on desktop

---
 modules/hosts/john-pc-ubuntu.nix | 1 +
 modules/programs/step-client.nix | 6 +++---
 modules/services/ssh.nix | 28 +++++++++++++++++++++-------
 modules/users/john.nix | 2 +-
 4 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/modules/hosts/john-pc-ubuntu.nix b/modules/hosts/john-pc-ubuntu.nix
index 3a91f2e..92247dd 100644
--- a/modules/hosts/john-pc-ubuntu.nix
+++ b/modules/hosts/john-pc-ubuntu.nix
@@ -42,6 +42,7 @@ in
 homeManagerFlakeDir = flakeDir;
 docker.enable = true;
+ ssh.certificates.enable = true;
 ssh.matchSets = {
 certs = true;
 appdaemon = true;
diff --git a/modules/programs/step-client.nix b/modules/programs/step-client.nix
index d0787e0..a1c5038 100644
--- a/modules/programs/step-client.nix
+++ b/modules/programs/step-client.nix
@@ -19,6 +19,9 @@ in
 {
 # NixOS Options
 options.step-client = {
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ };
 caURL = lib.mkOption {
 type = lib.types.str;
 default = "${caURL}";
@@ -32,9 +35,6 @@ in
 type = lib.types.str;
 default = "admin";
 };
- hostname = lib.mkOption {
- type = lib.types.str;
- };
 };
 
 imports = with inputs.self.modules.nixos; [ ssh ];
diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
index bdf33b7..a973138 100644
--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
@@ -1,6 +1,7 @@
 {inputs, ... }:
 let
 userName = "john";
+ sshHostPubKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";
 in {
 flake.modules.nixos.ssh = { pkgs, config, lib, ... }:
 
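Review bot: The relocated `hostname` option in step-client.nix still carries no `description` and, unlike `caURL` and the `"admin"`-defaulted option below it, no `default`, so a host that imports this module without setting it fails evaluation with nothing telling the reader what value is expected. Add a description right after `hostname = lib.mkOption {`, e.g. `description = "Hostname this machine identifies itself as to the step CA";` (the option's consumer is not in this patch, so adjust the wording to its actual use).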
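Review bot: `sshHostPubKey` is the public key of the host CA, not of a host — the hunk at -42 installs it in `programs.ssh.knownHosts` with `certAuthority = true`, and the hunk at -86 writes it behind `@cert-authority`. A name like `sshHostCAPubKey`, or a comment on the binding such as `# public key of the SSH host CA; trusted for host certificates presented by 192.168.1.*`, would keep a later reader from treating it as a single machine's key. Hoisting the literal out of its two use sites is otherwise welcome.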
@@ -10,7 +11,7 @@ in {
 options.ssh = {
 certificates = {
- enable = lib.mkEnableOption "Enable SSH certificates";
+ enable = lib.mkEnableOption "Enable SSH host certificates";
 userCA = lib.mkOption {
 type = lib.types.path;
 default = ../../keys/ssh_user_ca.pub;
@@ -42,7 +43,7 @@ in
 programs.ssh.knownHosts = lib.mkIf cfg.certificates.enable {
 "192.168.1.*" = {
 certAuthority = true;
- publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";
+ publicKey = sshHostPubKey;
 };
 };
 };
@@ -64,11 +65,16 @@ in
 homelab = lib.mkEnableOption "Enable various Homelab targets";
 dev = lib.mkEnableOption "Enable development targets";
 };
+
+ certificates = {
+ enable = lib.mkEnableOption "Enable SSH user certificates";
+ };
 };
 
 # All this stuff has to be wrapped in a config attribute because of the presence of the options here?
 config = let
- identityFile = config.ssh.IdentityFile;
+ cfg = config.ssh;
+ identityFile = cfg.IdentityFile;
 publicKeyFile = "${identityFile}.pub";
 certificateFile = "${identityFile}-cert.pub";
 userKnownHostsFile = "${config.home.homeDirectory}/.ssh/known_hosts";
@@ -86,6 +92,14 @@ in
 '')
 ];
 
+ home.file.".ssh/known_hosts" = {
+ text = lib.concatStringsSep "\n" (
+ [
+ "fded:fb16:653e:25da:be24:11ff:fea0:753f ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9ZqiWPrCwHjxFCiu0lT4rlQs7KyMapxKJQQ5PJP1eh"
+ ] ++ (lib.optional cfg.certificates.enable "@cert-authority 192.168.1.* ${sshHostPubKey}")
+ );
+ };
+
 programs.ssh = {
 enable = true;
 enableDefaultConfig = false;
@@ -113,7 +127,7 @@ in
 forwardAgent = false;
 };
 }
- (lib.mkIf config.ssh.matchSets.appdaemon {
+ (lib.mkIf cfg.matchSets.appdaemon {
 "appdaemon" = {
 hostname = "192.168.1.242";
 user = "appdaemon";
@@ -123,7 +137,7 @@ in
 user = "appdaemon";
 };
 })
- (lib.mkIf config.ssh.matchSets.certs {
+ (lib.mkIf cfg.matchSets.certs {
 "janus" = {
 hostname = "janus.john-stream.com";
 user = "root";
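Review bot: `home.file.".ssh/known_hosts"` in the hunk at -86 is declared unconditionally, so even with `cfg.certificates.enable = false` the user's known_hosts is replaced by a managed file holding only the fded:… entry, and because home-manager links `home.file` targets to the read-only store, ssh can no longer append host keys it learns on first connect. Every host outside `192.168.1.*` — `janus.john-stream.com` in the certs match set, for one — will then be prompted for on every connection with ssh's "Failed to add the host to the list of known hosts" warning, which trains the user to accept unknown keys. Keep the managed entries in a separate file, e.g. `home.file.".ssh/known_hosts.managed"`, and list both paths in `UserKnownHostsFile` (whitespace-separated; the `userKnownHostsFile` binding in the hunk at -64 suggests this module already sets that option, though its use is outside the hunk), leaving the default file writable. Note also that `@cert-authority 192.168.1.*` matches only hosts reached by such an address; a host reached by DNS name gets no certificate trust from this line.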
@@ -133,7 +147,7 @@ in
 user = "john";
 };
 })
- (lib.mkIf config.ssh.matchSets.homelab {
+ (lib.mkIf cfg.matchSets.homelab {
 "docs" = {
 hostname = "192.168.1.110";
 user = "root";
@@ -151,7 +165,7 @@ in
 user = "panoptes";
 };
 })
- (lib.mkIf config.ssh.matchSets.dev {
+ (lib.mkIf cfg.matchSets.dev {
 "test-nix" = {
 hostname = "fded:fb16:653e:25da:be24:11ff:fea0:753f";
 user = "john";
diff --git a/modules/users/john.nix b/modules/users/john.nix
index 53f8a52..eb74b47 100644
--- a/modules/users/john.nix
+++ b/modules/users/john.nix
@@ -12,7 +12,7 @@ in
 keygrip = [
 ];
 authorizedKeys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu"
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus"
 ];
 };
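Review bot: The desktop's key in john.nix is commented out rather than removed, so `authorizedKeys` now carries a dead key next to the live `root@janus` one; git history already preserves it, and a key that is meant to be revoked is better deleted than left one `#` away from being re-enabled. Remove the line outright. With it gone, login to this account from john-pc-ubuntu depends entirely on user certificates (`ssh.certificates.enable = true` in john-pc-ubuntu.nix); whether the host that consumes this module trusts the `userCA` from ssh.nix is not visible in this patch, so confirm that before the change is deployed to avoid locking the desktop out.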