sign ssh cert working

modules/services/ssh.nix

@@ -51,6 +51,10 @@ in
 
   flake.modules.homeManager.ssh = { pkgs, config, lib, ... }:
   {
+    imports = with inputs.self.modules.homeManager; [
+      step-client
+    ];
+
     options.ssh = {
       IdentityFile = lib.mkOption {
         # Intentionally not using a path type here because that will end up with the private key getting copied into the store
@@ -78,16 +82,22 @@ in
       publicKeyFile = "${identityFile}.pub";
       certificateFile = "${identityFile}-cert.pub";
       userKnownHostsFile = "${config.home.homeDirectory}/.ssh/known_hosts";
+      provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
+      sshHostProvisioner = config.step-client.sshHostProvisioner;
     in {
-      home.packages = [
+      sops.secrets."janus/admin_jwk" = {
+        mode = "0400";
+      };
+
+      home.packages = lib.optionals cfg.certificates.enable [
         (pkgs.writeShellScriptBin "sign-ssh-cert" ''
-          echo "Signing ${publicKeyFile}"
-          echo "Copy the Step-CA JWK Provisioner password from 1password"
-          step ssh certificate --sign \
-          --principal root \
+          ${lib.getExe pkgs.step-cli} ssh certificate \
+          --sign \
           --principal ${userName} \
+          --principal root \
           --principal appdaemon \
-          --provisioner admin \
+          --provisioner "${sshHostProvisioner}" \
+          --provisioner-password-file "${provisionerPasswordPath}" \
           ${userName} ${publicKeyFile}
         '')
       ];
@@ -121,7 +131,7 @@ in
               inherit identityFile certificateFile;
 
               hashKnownHosts = false;
-              userKnownHostsFile = "${userKnownHostsFile}";
+              userKnownHostsFile = userKnownHostsFile;
 
               addKeysToAgent = "yes";
               forwardAgent = false;