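{ inputs, ... }:
let
  # Single source of truth for the account name: it is the default SSH login
  # user, the certificate principal and the key id passed to `step`.
  userName = "john";
in
{
  # Home-manager module providing SSH client configuration plus a small
  # helper script for requesting a user certificate from the Step-CA.
  flake.homeModules.ssh = { pkgs, config, lib, ... }: {
    options = {
      sshIdentityFile = lib.mkOption {
        # Intentionally not using a path type here: a `path`-typed value is
        # copied into the (world-readable) Nix store at evaluation time, which
        # would leak the private key. A plain string is only ever interpolated
        # into the generated ssh_config.
        type = lib.types.str;
        default = "${config.home.homeDirectory}/.ssh/id_ed25519";
        description = "Path to the SSH identity file.";
      };
    };

    # Because this module declares `options`, every other setting must live
    # under `config`; the module system does not allow mixing bare config
    # attributes with an `options` attribute at the top level.
    config =
      let
        # Derived paths: public key and certificate sit next to the private key.
        identityFile = config.sshIdentityFile;
        publicKeyFile = "${identityFile}.pub";
        certificateFile = "${identityFile}-cert.pub";
        userKnownHostsFile = "${config.home.homeDirectory}/.ssh/known_hosts";
      in
      {
        home.packages = [
          # Requests a signed SSH user certificate for the *public* key; only
          # the public key path is handed to `step`, the private key stays put.
          # Paths are quoted so a home directory containing spaces still works.
          (pkgs.writeShellScriptBin "sign-ssh-cert" ''
            set -euo pipefail
            echo "Signing ${publicKeyFile}"
            echo "Copy the Step-CA JWK Provisioner password from 1password"
            step ssh certificate --sign \
              --principal root --principal "${userName}" \
              --provisioner admin \
              "${userName}" "${publicKeyFile}"
          '')
        ];

        programs.ssh = {
          enable = true;
          # Do not pull in home-manager's default ssh_config; everything is
          # spelled out explicitly below.
          enableDefaultConfig = false;
          extraConfig = ''
            SetEnv TERM="xterm-256color"
            IdentityAgent ~/.1password/agent.sock
          '';
          matchBlocks = {
            "*" = {
              user = userName;
              compression = false;
              # 0 disables client keep-alive probes (ssh_config default).
              serverAliveInterval = 0;
              serverAliveCountMax = 3;
              # Offer only the configured identity/certificate to servers,
              # not every key the agent happens to hold.
              identitiesOnly = true;
              inherit identityFile certificateFile userKnownHostsFile;
              # Keep known_hosts human-readable rather than hashing host names.
              hashKnownHosts = false;
              # Keys used for a connection are added to the agent selected via
              # IdentityAgent above.
              addKeysToAgent = "yes";
              # Never expose the agent to remote hosts.
              forwardAgent = false;
            };
            "janus" = {
              hostname = "janus.john-stream.com";
              user = "root";
            };
            "soteria" = {
              hostname = "soteria.john-stream.com";
              user = userName;
            };
          };
        };
      };
  };
}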