added check

.sops.yaml

@@ -1,14 +1,17 @@
 keys:
   - &john-p14s age1f6drjusg866yscj8029tk4yfpgecklrvezldm02ankm6h8nnwu5s2u6ahy
   - &john-pc age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
+  - &test-nix age1gvplss0ddmyf6vpjy363wu3n057vhm0j6n7tc94cxd8kadapypws5mtaj0
 creation_rules:
   - path_regex: \.yaml$
     key_groups:
     - age:
       - *john-p14s
       - *john-pc
+      - *test-nix
   - path_regex: \.json$
     key_groups:
     - age:
       - *john-p14s
       - *john-pc
+      - *test-nix

keys/root_ca.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlDCCATqgAwIBAgIRAKDvqOX8WVhJ/ev02Y1gXKQwCgYIKoZIzj0EAwIwKDEO
+MAwGA1UEChMFSmFudXMxFjAUBgNVBAMTDUphbnVzIFJvb3QgQ0EwHhcNMjUxMjE4
+MDYwMjI4WhcNMzUxMjE2MDYwMjI4WjAoMQ4wDAYDVQQKEwVKYW51czEWMBQGA1UE
+AxMNSmFudXMgUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMt6kNpx
+Q9vySc1N6F9jJObeQXZI+9f33E1cN4zbEuNpmtpRl0WaPa1AGNbSi5sIbiH7wDv2
+llXfCqYWkeoCE5mjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/
+AgEBMB0GA1UdDgQWBBRo55byyyo2sePP+8zz+uM4mXNV+zAKBggqhkjOPQQDAgNI
+ADBFAiB6zxTbvWMZWgDQhKGh+MnGQQ7f8UGhzinOfRG7a/HdOAIhAIVWt6MLl6QU
+FOvl/qIFGd7YJeWU5aahPABVttxjSMn/
+-----END CERTIFICATE-----

keys/secrets.yaml

@@ -1,3 +1,8 @@
+janus:
+    fingerprint: ENC[AES256_GCM,data:A0eNE3nX8hVq8m4bNFvkTGR15Xh9QV44JpOJFyhZojPOTirRGEq/MCSNIqpKfoFUB4TXdRZIN95pAoNlO7Z2dQ==,iv:3TQ9ZcjRmnQzkNA5Cv/cpEIT8gTJ1w3cTjTVtxtuzq4=,tag:hIwcjdZ6R8UzUgh/VoDz3A==,type:str]
+    admin_jwk: ENC[AES256_GCM,data:HhsnsCsR87ItjEKP3MsHpxb/WZHvxRrMIhbBgW7qq/0=,iv:b5MKd5TFkxFjd1zY0Lfi2QDv4sLmyKn7riW8s/EfDeA=,tag:GkGfyAM2RtKzuo567bAjiA==,type:str]
+test-nix:
+    ssh_host_key: ENC[AES256_GCM,data:04CRKNCycc8Dre44ERtytmX6NHdZOIds95ckYzmi/i74qEYyN/L5XsuKKmjH2WCn3brvK4pZLLIZWzxC5VJ85q+O8Tfd3qdFROTG5qYRvmK5huxphPaIWSUI2ZEdLqecpRtmq7Zeq+Xa2+JKC0ehg2sqavotkPM5vIeVsaStD5rMVSgnuGaTS3WuPPfEjJPfsCyGPup4ysgxKxfc3JXOR+T8t6w4ccG0Si6tGz6io0Sl9tgPzrYqwqTaMtWLUA50luJg+D8ZxpMjpqFNbIry2tKwettzwXtGz7xGYnjvuk+1sCdYl8PXOMRT2KwAy5usCJsWFRTXJzZ5kxzwAYLwmhlsfPuxwTrR5fRETJPglRP/1muq8piIZn6yHtq9dCSrNcDCZnjnjG+cby28yPLYKhDgVNF5DObob8e6Fp/nP00sdi4Bt1aHRR5pjK/9mpsWE6ikO83SUi4xSoL1LKZM2kC5DL8XBJP7nWQTwijp84m3htMKvrKfFo68G9xP4v/DhVcHLsoNGLytH5omAuGL,iv:0cAtrXlPBis8nYw1XT4kSPRuwVkq0XSh6jjY9mpewIA=,tag:WFsiOe/l8cVicOqX2C94xA==,type:str]
 restic_password:
     john_ubuntu: ENC[AES256_GCM,data:Q4lUaFFDgoK9k4kQj7hSVKaFDGW0T+6V+OpFU5R528R3EKM7YJMgcFX+sK3mWl9XA4/6E1GeINpIqOpx+FP5Cf/8qt9sXBXCmXXSYdA4IH3RS6a1NkcIVjsTMvpn4q/fslCeYN4LB+r4pBGmdca105miqVun8J69cZGwjZ+wuxrMAP+mdnHdSUPycjNWJJzmEa3waQsygAi4A5cAN5sigOPBxe2pCTh/FEKoTgWmzHGJvcjrzuL6wNOpQrkMWwTsHCtbe9dyMP/fQpoBgYDT4W9Rd4XHhbrooje+g3x48EL1rkRIVVNRavpRUih/mjcdJGzzJ6jZmLLcc1f7SZIKZht7f+ZcdZl3rKQB+WanZgK/KAgKBRCrbIk2eeBZwkcRSw5kmGFU7x0azdIipJYj+3KHHQS5S2VW4j2tQG74xK3qaNJcSMjpKmdI1dHcPf0x2ILaDDV9Ts0H4GTOB2zO9iGy7x2tdPd4tugxxk5rr5rphTZL3lgUf0Ri/qMkJh9I8CsjUdvRycHeIEUZPmEVaIqJC2jrd2pBslis5VWD/6PHQBCob07d1fcpIYox4YXM3GcLg3OxiD8nZ7DTzGRMhciZtTKKWbBT8qzPud4ZQvDkT5l+XOpeM13wXFIMa13CwOzYeyWjycED0VQ/i3XRw9+9lg3cosfxaPdaFtv4MjV7Od62G/UJw3OxaQOHM2y24N+Q0pSBoTdDAFwDCH/kcqZji6ZrVTu4Rad8opcILJJcqC+pjegDvBtUdDz+G3/dFiS6m8RYIRb7qB5yEX/lCgzlECmRS2XP8uraNJ5NN8rtk0gdBtaI9/78YyAjLLGkjIcIR4uJA5buCZBR9jIdqf4f52fowbx18VPrwFXN2mYX6mPsKbDmaz0ILHq/I9n8bS/KM7gIQmTw/RAUwnmL4IRu8zHn6nmIqj6d8AkjYx7s6pG8OF8LgfhqZT7tdPKCd+n/HnYn1fZGSw26zHzPd4nKnVV1e3NYvX6CVwVycerGs9elOKtOI8GsrWYyXzJbfC+nWxbHKI/t6sxyzTBrHPR4r6l/CchQF+SfBs5aELKExe7h325qBB2y6EFdkbxTj1tPGqxttp9xJB1LUyNtwsEAkpD44JNqPxZCYHQbeVE3Oo3TYtRUSVWREc1WNIsfSG/anScYUhDEah9YyIdiG+O71QqegunusLoxmpF2rQtx7shtAvJV3skDBB0tFDoQyIV+yPo7kPV0D7Ig+Ba+mk5ASJrT9DXZ53Q2CCTLAuslU4MP7g22RX8rU3s2hFJq8m7wvMwpqa9Tr6O38i1wX4PhG1VRMM8EIlMQnLWWKmni6NbOYiRxFYJMioxH5SyE4ODQYXy5YIuLoRsX8VR6UqJ1GZb7sJf3M1aPOFOHzTN9hnziTRRe1KCMoBrAghrqhvL1VRr9X5PYMxnjBh6o0d5YTN0WOGD2iEVbCzqxFXcxQZBBp4KyNAAhFhGNw8WUp/rVoyCYn7+OEYFspY4FmGMTYhvxbq5LEptXeQgOP2ggBkqsw8sYP9oj1cb4kzBNv8M7nR9kM1EqvZpFV47phoTbBeMY4DZOJodkASFVM5/7ijWy/M9rtWMFMCXKURKkAQJRFADs0KqMJ5osnFFnubX7vKgK736XXF4+wIQuuHqEsYDZ90ftInxq8sYRnb2FZ0EV4yc8qqnz++fjwrAA5EV+zhL6l6hum1zL8JkUJ1ICKZ905If6nIeoul8MY3B1Cz4W+osN2Wtl8OeJ2t3iZx3wk/unVa8uDZH1owu47He68e2V8vpYxOaW4/hLyy/XuL5DukETrhRjC+7GbEaKaCwoA2UwAdqU,iv:N8ek+tp16WiZgjTDxXb0CRXH+MbLsl/oZ/OwcOoVRO0=,tag:uIzCSX0R/EObF/RdWxj64w==,type:str]
 api:
@@ -7,22 +12,31 @@ sops:
         - recipient: age1f6drjusg866yscj8029tk4yfpgecklrvezldm02ankm6h8nnwu5s2u6ahy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWkxDSnlNT2Vua1ZXWC8r
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UEpja2kxdThZVWZhOGVP
-            SU9UMnhaVXVEVlZGL3dtYTBJSzNGbHVaSTJNCm9ZTFM3RndpRktUcWhwZk1Fc2dk
+            S0NtSi84MjhnN0RORkh2NjZ4YlYvWS9kZDBNClFzYnVxWnhmQkpCRkRFVUx1RDdX
-            ZGtoWXdoOWVyK1F0YStSS3dsMkg2R28KLS0tIFkrdVFZNlVxRjhPaWdMZXl2elV3
+            ZHFqYXRqYXM0cWJzcU5EeEtSR1BUVzAKLS0tIDdEY2pnVTJqWlNZVkZldXVYVmFH
-            TVpyTzFsNFNmd3FNU0tlMnlTOHNTQWsKfKdN4epZokF74bCNr9+jxulZJFBQM83P
+            dVNBRUVodU5sRnpVcG1GZ1RiZzhjTXMKefqBvvD/qZwcSHmFjUnleukVRLueG36Y
-            quMhl+H85My8jAsEeC9CW7y2jdNPJkfk9gHun4ozoW8U7o6y5RLfJg==
+            Q81KlwQweF2F8kHl7Bqsi+3hH1dZZbVm3vjuGpWFOoti7fowUV55Kw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSakZRUnkraWtId2h3eUhB
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZFZxbDhVUWFEUGhPMlZI
-            REpkUHhYMm1MSmtFU2pvd1BpQ0xRTTlCWkZJCkxrTm1sdDBqclJ3RHR6VkllOFpo
+            SFdBYkpxSnAxTUZXbjVwQnlZQ3l1SWtuZGg0CmVBdnVHbTNUcmwvK01iMnZKZTJh
-            ZXRtS2lsazRDS2lyRnZmT3FTTjJ6WUUKLS0tIExxNlFoeDhHQ3l5a1VvUHNRWUdw
+            ajFla3kzYUl4ZWY3czA0WUdNM2lpVFUKLS0tIHo5Uk1pV296MXdnUTZGQ25haWZG
-            Mms2UEhFSU82UWR5Z1VvU25qenJUQm8KtQeZDIfJIczm1l8ql/WmVEf8KI9dg0vw
+            QWZDWGRaRDBhY1ZkZk5oTHY0ZVV2RXMKanv+WWRhf5nl+aw/T6QZFVQQmhV1DZfB
-            9rNSjtBkEttVd21zUSOziG4513abllE8NFTkAc1z3HacuXpHTBnd5A==
+            jkSzOAKOgPx7toYFmpq9E8fAH+zrMzDbxI2z2uyrOFI6v+QE0Ul/iQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-03T17:03:22Z"
+        - recipient: age1gvplss0ddmyf6vpjy363wu3n057vhm0j6n7tc94cxd8kadapypws5mtaj0
-    mac: ENC[AES256_GCM,data:c3rcMHTRxbnpQoW5eLn0X1aCL1v2ft05UTcHaCuGiCaF3b/loVjEQr30pepBgR07PSleTIi375Y0Rj8ik8Ot3j+Zl5BR32bEtqf6gcWwz6oSmeORDrJS15698d7/avJl82/EC0ZN77j+fcdkWZrCJHb47HGfRxKl9L5HbyWasA4=,iv:g3d3C571uYpTTFixYZg+ztg8jTdof1g6Hb5gtRvpRkk=,tag:8kAxrUwUVeWvpYjWMDE+AA==,type:str]
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcGtMNi9RSG5aTVV5cWdT
+            NittUXN0Qnpld1YvOU50OUh3Z3ZiSzhHOHdNCnc4TmdYbS9QQnBLbldHSytIdkJl
+            R0psQWxkZTgyZTRzckkrTGpyNCsvR2sKLS0tIEdLb05aT2I2S3BKcFRrVmtvTGw5
+            Z1orRCtkTDVXSktuck5pTmV4K05qZHMKZlHHu07q+GnyDDgdwW2Ic3P23PmoSPwn
+            WuNLZdlZQleROaRb+zpD+9P1HGGJ3mWAlNlnmjGrRk453k1PbBQ5Og==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-15T15:06:29Z"
+    mac: ENC[AES256_GCM,data:cF/TJ8VkzrHRUrO5iGdRdlFtqV/5EQ15JwQKIywJvsh0NERK67T21czSP7923MiL0u5QTVPn/rO8R5E/8gBu3r8+fLq+CFl9PDQHEX2JhnYOD5WZR412WMZq3MVR94IMTOrQANMVpS4uhMyvnrqOe4AenxLDyzrYhkwf1KQh4w0=,iv:Qwy8z4uXGMlf+kTMNiE42M9l8LtSJ+O7diknRrsSeYI=,tag:qlCY9r8HnEDmq/jw59C/sg==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.12.1

keys/ssh_user_ca.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNpgz9xYE3K+JeQ7vtDA07iWlp0xTXB+G8MBzX6/RluXs8E6v+ahx90M093EYIOImaW6npWQ0JnFtmZaet5l9Ao=

modules/hosts/janus.nix

@@ -1,19 +1,25 @@
 { inputs, ... }:
 let
+  username = "john";
   hostname = "janus";
-  username ="john";
 in
 {
   flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
-    modules = [
+    modules = with inputs.self.modules; [
-      inputs.self.modules.nixos.lxc
+      nixos.lxc
-      inputs.self.modules.nixos.zsh
+      nixos.sops
+      nixos.step-client
       inputs.home-manager.nixosModules.home-manager
-      inputs.self.modules.nixos."${username}"
+      nixos."${username}"
-      # inputs.self.modules.nixos.step-ca
+      nixos.zsh
-      inputs.self.modules.nixos.docker
+      nixos.docker
       {
+        step-client.hostname = hostname;
+
         home-manager.users."${username}" = {
+          imports = with inputs.self.modules.homeManager; [
+            sops
+          ];
           shell.program = "zsh";
           docker.enable = true;
           ssh.matchSets = {

modules/hosts/john-pc-ubuntu.nix

@@ -1,6 +1,8 @@
 { inputs, ... }:
 let
+	username = "john";
 	hostname = "john-pc-ubuntu";
+	testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f";
 in
 {
 	flake.modules.homeManager."${hostname}" = { pkgs, config, ... }:
@@ -20,10 +22,13 @@ in
 
 		shell.program = "zsh";
 
+		home.username = "${username}";
+		home.homeDirectory = "/home/${username}";
+
 		home.packages = with pkgs; [
 			nixos-rebuild
 			(writeShellScriptBin "test-push" ''
-				nixos-rebuild switch --flake ${flakeDir}#janus --target-host root@fded:fb16:653e:25da:be24:11ff:fea0:753f
+				nixos-rebuild switch --flake ${flakeDir}#janus --target-host root@${testTarget}
 			'')
 		];
 		# TODO: Add host-specific settings here:

modules/hosts/test-nix.nix

@@ -1,36 +1,31 @@
 { inputs, ... }:
 let
-  name = "test-nix";
   username = "john";
+  hostname = "test-nix";
 in
 {
-  flake.modules.nixos."${name}" = { pkgs, lib, ...}: {
+  flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
-    networking.hostName = "${name}";
+    modules = with inputs.self.modules; [
-    services.openssh = {
+      nixos.lxc
-      enable = true;
+      nixos.sops
-      # require public key authentication for better security
+      nixos.step-client
-      settings.PasswordAuthentication = false;
-      settings.KbdInteractiveAuthentication = false;
-    };
-
-    virtualisation.docker = {
-      enable = true;
-    };
-    home-manager.users."${username}" = {
-      docker.enable = true;
-    };
-    users.users.john = {
-      extraGroups = [ "docker" ];
-    };
-  };
-
-  # Generic bootstrapping lxc, use a specific host file for more
-  flake.nixosConfigurations."${name}" = inputs.nixpkgs.lib.nixosSystem {
-    modules = [
-      inputs.self.modules.nixos.lxc
       inputs.home-manager.nixosModules.home-manager
-      inputs.self.modules.nixos."${name}"
+      nixos."${username}"
-      inputs.self.modules.nixos.john
+      nixos.zsh
+      nixos.docker
+      {
+        home-manager.users."${username}" = {
+          imports = with inputs.self.modules.homeManager; [
+            sops
+          ];
+          shell.program = "zsh";
+          docker.enable = true;
+          ssh.matchSets = {
+            certs = true;
+            homelab = true;
+          };
+        };
+      }
     ];
   };
 }

modules/nix-tools/user.nix

@@ -15,22 +15,27 @@
           "wheel"
         ];
       };
+
+      # Removes password for sudo
+      security.sudo-rs = lib.mkIf isAdmin {
+        enable = true;
+        extraRules = [{
+          users = [ "${username}" ];
+          commands = [{
+            command = "ALL";
+            options = [ "NOPASSWD" ];
+          }];
+        }];
+      };
+
       # https://github.com/Doc-Steve/dendritic-design-with-flake-parts/wiki/Dendritic_Aspects#multi-context-aspect
       home-manager.users."${username}" = {
+        home.username = "${username}";
+        home.homeDirectory = "/home/${username}";
         imports = [
           self.modules.homeManager."${username}"
-          # self.modules.homeManager.shell-tools
         ];
       };
     };
-
-    homeManager."${username}" = {
-      home.username = "${username}";
-      home.homeDirectory = "/home/${username}";
-      # TODO: This doesn't get merged properly when the factory gets used
-      # imports = with self.modules.homeManager; [
-      #   shell-tools
-      # ];
-    };
   };
 }

modules/nixos/lxc.nix

@@ -3,14 +3,13 @@
   flake.modules.nixos.lxc = { pkgs, lib, ...}: {
     imports = with inputs.self.modules.nixos; [
       ({ modulesPath, ... }: { imports = [ "${modulesPath}/virtualisation/proxmox-lxc.nix" ]; })
-      ssh
     ];
     nixpkgs.hostPlatform = lib.mkForce "x86_64-linux";
     system.stateVersion = "25.11";
     nix.settings.experimental-features = [ "nix-command" "flakes" ];
     environment.systemPackages = with pkgs; [ git zsh ];
 
-    security.sudo-rs.enable = true;
+    # security.sudo-rs.enable = true;
     programs.nix-ld.enable = true;
     nix.optimise.automatic = true;
     nix.gc = {
@@ -18,6 +17,7 @@
       dates = "weekly";
       options = "--delete-older-than 30d";
     };
+    programs.bash.enable = true;
   };
 
   # Generic bootstrapping lxc, use a specific host file for more

modules/programs/bash.nix

@@ -1,7 +1,7 @@
 {
-  flake.modules.homeManager.bash = { pkgs, ... }:
+  flake.modules.homeManager.bash = { pkgs, lib, config, ... }:
   {
-    programs.bash = {
+    programs.bash = lib.mkIf (config.shell.program == "bash") {
       enable = true;
       enableCompletion = true;
       package = pkgs.bash;

modules/programs/shell-tools.nix

@@ -18,10 +18,8 @@
     ];
 
     config = {
-      programs.bash.enable = lib.mkForce (config.shell.program == "bash");
-      programs.zsh.enable  = lib.mkForce (config.shell.program == "zsh");
       home.shell.enableShellIntegration = true;
-
+      programs.zsh.enable  = lib.mkForce (config.shell.program == "zsh");
       home.packages = with pkgs; [
         wget
         curl
@@ -32,6 +30,7 @@
         btop
         uv
         xclip
+        jq
       ];
     };
   };

modules/programs/sops.nix

@@ -10,6 +10,18 @@ in
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
   };
 
+  flake.modules.nixos.sops = {
+    imports = with inputs.sops-nix.nixosModules; [
+      sops
+    ];
+
+    sops.defaultSopsFile = ../../keys/secrets.yaml;
+    sops.secrets."test-nix/ssh_host_key" = {
+      owner = "john";
+      path = "/home/john/.ssh/host_key";
+    };
+  };
+
   # Define the homeModules that are used by flake-parts
   # https://flake.parts/options/home-manager.html#opt-flake.modules.homeManager
   flake.modules.homeManager.sops = { inputs, config, pkgs, lib, ... }:
@@ -18,6 +30,7 @@ in
     sopsConfigPath = ../../.sops.yaml;
     sopsSecretsPath = ../../keys/secrets.yaml;
     ageKeyFile = "${config.xdg.configHome}/sops/age/keys.txt";
+    flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
   in
   {
     home.packages = with pkgs; [
@@ -31,7 +44,7 @@ in
         echo $(show-age-key)
       '')
       (writeShellScriptBin "show-age-key" "${lib.getExe' pkgs.age "age-keygen"} -y ${ageKeyFile}")
-      (writeShellScriptBin "edit-secrets" "${sopsBin} --config ${sopsConfigPath} ${sopsSecretsPath}")
+      (writeShellScriptBin "edit-secrets" "${sopsBin} --config ${sopsConfigPath} ${flakeDir}/keys/secrets.yaml")
       (writeShellScriptBin "ls-secrets" "${lib.getExe pkgs.eza} -alT --follow-symlinks ~/.config/sops-nix/secrets")
     ];
 
@@ -52,13 +65,8 @@ in
       defaultSopsFile = sopsSecretsPath;
       defaultSopsFormat = "yaml";
       age.sshKeyPaths = [ "${config.ssh.IdentityFile}" ];
-      # age.keyFile = "${ageKeyFile}";
-      # age.generateKey = true;
-
-      secrets."api/gmail_client_secret" = {
-        path = "${config.xdg.configHome}/resticprofile/dendrite.txt";
-      };
 
+      secrets."api/gmail_client_secret" = { };
       templates."gmail_creds" = {
         path = "${config.xdg.configHome}/sops-nix/gmail_api_credentials.json";
         content = ''

modules/programs/step-client.nix

@@ -0,0 +1,119 @@
+{ inputs, ... }:
+let
+  caURL = "https://janus.john-stream.com/";
+  stepFingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
+in
+{
+  #
+  # NixOS Module
+  #
+  flake.modules.nixos.step-client = { config, pkgs, lib, ... }:
+  let
+    cfg = config.step-client;
+    stepBin = lib.getExe pkgs.step-cli;
+    rootCertPath = "/etc/step/certs/root_ca.crt";
+    provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
+    sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
+    sshCertPath = "${sshKeyPath}-cert.pub";
+  in
+  {
+    # NixOS Options
+    options.step-client = {
+      caURL = lib.mkOption {
+        type = lib.types.str;
+        default = "${caURL}";
+      };
+      rootCertFile = lib.mkOption {
+        type = lib.types.path;
+        description = "Public Step root CA certificate file from the repo.";
+        default = ../../keys/root_ca.crt;
+      };
+      sshHostProvisioner = lib.mkOption {
+        type = lib.types.str;
+        default = "admin";
+      };
+      hostname = lib.mkOption {
+        type = lib.types.str;
+      };
+    };
+
+    imports = with inputs.self.modules.nixos; [ ssh ];
+    # NixOS Config
+    config = {
+      ssh.certificates.enable = true;
+      home-manager.sharedModules = with inputs.self.modules; [
+        homeManager.step-client
+      ];
+
+      sops.secrets."janus/admin_jwk" = {
+        owner = "root";
+        group = "root";
+        mode = "0400";
+      };
+
+      environment.etc."step/certs/root_ca.crt".source = cfg.rootCertFile;
+
+      environment.systemPackages = with pkgs; [
+        step-cli
+        (writeShellScriptBin "ssh-host-cert-renew" ''
+          ${lib.getExe pkgs.step-cli} ssh certificate \
+          --host --sign \
+          --root "${rootCertPath}" \
+          --ca-url ${cfg.caURL} \
+          --provisioner "${cfg.sshHostProvisioner}" \
+          --provisioner-password-file "${provisionerPasswordPath}" \
+          --principal "${cfg.hostname}" \
+          --principal "${cfg.hostname}.john-stream.com" \
+          "${cfg.hostname}" "${sshKeyPath}.pub"
+        '')
+        (writeShellScriptBin "ssh-host-cert-check" ''
+          ssh-keygen -Lf ${sshCertPath}
+        '')
+      ];
+      networking.nameservers = [ "192.168.1.150" ];
+      networking.dhcpcd.extraConfig = "nohook resolv.conf";
+
+    };
+  };
+
+  #
+  # Home Manager Module
+  #
+  flake.modules.homeManager.step-client = { config, pkgs, lib, ... }:
+  let
+    cfg = config.step-client;
+  in
+  {
+    options.step-client = {
+      enable = lib.mkEnableOption "opionated step client config for SSH certs";
+      caURL = lib.mkOption {
+        type = lib.types.str;
+        default = "${caURL}";
+      };
+      fingerprint = lib.mkOption {
+        type = lib.types.str;
+        default = "${stepFingerprint}";
+      };
+      rootCertFile = {
+        path = lib.mkOption {
+          type = lib.types.str;
+          description = "Path to where the root_ca.crt file will be stored for the user";
+          default = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
+        };
+        source = lib.mkOption {
+          type = lib.types.path;
+          description = "Nix path to the root cert file within the repo";
+          default = ../../keys/root_ca.crt;
+        };
+      };
+    };
+    config = lib.mkIf cfg.enable {
+      home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile;
+      home.file.".step/config/defaults.json".text = builtins.toJSON {
+        "ca-url" = cfg.caURL;
+        fingerprint = cfg.fingerprint;
+        root = "${cfg.rootCertFile.path}";
+      };
+    };
+  };
+}

modules/programs/zsh.nix

@@ -7,9 +7,10 @@ in
     nixos.zsh = { pkgs, ... }: {
       users.users."${username}".shell = pkgs.zsh;
       programs.zsh.enable = true;
-      home-manager.sharedModules = [
+      # Already being imported by the john.nix module
-        inputs.self.modules.homeManager.zsh
+      # home-manager.sharedModules = [
-      ];
+      #   inputs.self.modules.homeManager.zsh
+      # ];
     };
 
     homeManager.zsh = { pkgs, config, ... }: {

modules/services/ssh.nix

@@ -3,17 +3,49 @@ let
   userName = "john";
 in
 {
-  flake.modules.nixos.ssh = {
+  flake.modules.nixos.ssh = { pkgs, config, lib, ... }:
+  let
+    cfg = config.ssh;
+  in
+  {
+    options.ssh = {
+      certificates = {
+        enable = lib.mkEnableOption "Enable SSH certificates";
+        userCA = lib.mkOption {
+          type = lib.types.path;
+          default = ../../keys/ssh_user_ca.pub;
+        };
+      };
+    };
+
+    config = {
       services.openssh = {
         enable = true;
         # require public key authentication for better security
-      settings.PasswordAuthentication = false;
+        settings = lib.mkMerge [
-      settings.KbdInteractiveAuthentication = false;
+          {
+            PasswordAuthentication = false;
+            KbdInteractiveAuthentication = false;
+          }
+          (lib.mkIf cfg.certificates.enable {
+            TrustedUserCAKeys = "/etc/ssh/ssh_user_ca.pub";
+            HostKey = "/etc/ssh/ssh_host_ed25519_key";
+            HostCertificate = "/etc/ssh/ssh_host_ed25519_key-cert.pub";
+          })
+        ];
       };
 
-    home-manager.sharedModules = with inputs.self.modules.homeManager; [
+      environment.etc."ssh/ssh_user_ca.pub" = lib.mkIf cfg.certificates.enable {
-      ssh
+        source = cfg.certificates.userCA;
-    ];
+      };
+
+      programs.ssh.knownHosts = lib.mkIf cfg.certificates.enable {
+        "192.168.1.*" = { 
+          certAuthority = true;
+          publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";
+        };
+      };
+    };
   };
 
   flake.modules.homeManager.ssh = { pkgs, config, lib, ... }:

modules/users/john.nix

@@ -1,4 +1,4 @@
-{ inputs, lib, ... }:
+{ inputs, ... }:
 let
   username = "john";
 in
@@ -17,22 +17,17 @@ in
       ];
     };
 
-    modules = lib.recursiveUpdate
+    modules = {
-      (inputs.self.factory.user username true)
-      {
-        #
-        # NixOS
-        #
       nixos."${username}" = {
+        imports = [
+          (inputs.self.factory.user username true).nixos."${username}"
+        ];
         users.users."${username}" = {
           openssh.authorizedKeys.keys = inputs.self.meta.users."${username}".authorizedKeys;
           extraGroups = [ "docker" ];
         };
       };
 
-        #
-        # Home Manager
-        #
       homeManager."${username}" = with inputs.self.meta.users."${username}"; {
         home.stateVersion = "25.11";
         xdg.enable = true;