better ssh certs wrappers

2026-04-20 21:13:19 -05:00
parent bd236ed977
commit e75951318d
4 changed files with 69 additions and 146 deletions
@@ -1,6 +1,32 @@
-{ self, inputs, ... }:
-let
-  bootstrapWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
+{ self, inputs, ... }: {
+  flake.modules.homeManager.step-client = { config, pkgs, lib, ... }: {
+    home.file.".step/config/defaults.json".text = builtins.toJSON {
+      ca-url = "https://janus.john-stream.com/";
+      fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
+      root = ../hosts/janus/root_ca.crt;
+    };
+    home.packages = [
+      inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.step-bootstrap
+    ];
+    # sops.secrets."step-ca-defaults" = {
+    #   sopsFile = ../hosts/janus/defaults.json;
+    #   format = "json";
+    #   key = ""; # This causes it to decode the whole file
+    #   path = "${config.home.homeDirectory}/defaults.json";
+    #   mode = "0400";
+    # };
+  };
+
+  perSystem = { system, pkgs, lib, ... }: {
+    packages.step-bootstrap = (inputs.self.wrappers.stepBootstrap.apply {
+      inherit pkgs;
+      caURL = "https://janus.john-stream.com";
+      fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
+      install = true;
+    }).wrapper;
+  };
+
+  flake.wrappers.stepBootstrap = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
    options = {
      caURL = lib.mkOption {
        type = lib.types.str;
@@ -12,46 +38,14 @@ let
    };

    config = {
-      binName = "bootstrap";
-      package = config.pkgs.step-cli; # (1)!
+      binName = "step-bootstrap";
+      package = config.pkgs.step-cli;
      args = [
        "ca" "bootstrap"
        "--ca-url" config.caURL
        "--fingerprint" config.fingerprint
-      ];
+      ]
+      ++ lib.optional config.install "--install";
    };
  });
-in
-{
-  perSystem = { system, self', pkgs, lib, ... }: {
-    packages.step-client = inputs.wrappers.lib.wrapPackage {
-      inherit pkgs;
-      package = (pkgs.symlinkJoin {
-        name = "step";
-        meta.mainProgram = "step";
-        paths = with pkgs; [
-          self'.packages.step-bootstrap
-          (signHostWrapper.apply {
-            inherit pkgs;
-            provisioner = "admin";
-            overwrite = true;
-            # extraPrincipals = [ "home-pc" ];
-          }).wrapper
-          (signUserWrapper.apply {
-            inherit pkgs;
-            provisioner = "admin";
-            overwrite = true;
-            validUsers = [ "john" "root" "appdaemon" ];
-          }).wrapper
-        ];
-      });
-    };
-
-    packages.step-bootstrap = (bootstrapWrapper.apply {
-      inherit pkgs;
-      caURL = "https://janus.john-stream.com";
-      fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
-      install = true;
-    }).wrapper;
-  };
 }