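{ self, inputs, ... }:
let
  # Expand a list of principal names into repeated `--principal NAME`
  # arguments for `step ssh certificate`.
  mkPrincipalArgs = principals:
    builtins.concatMap (principal: [ "--principal" principal ]) principals;

  # Login names the user certificate is issued for. Shared by every place a
  # user cert is built so the two packages below cannot drift apart.
  # NOTE: "root" means the resulting cert is acceptable for root login on any
  # host that trusts the CA and allows that principal.
  signedUsers = [ "john" "root" "appdaemon" ];

  # `step ssh certificate --host --sign` wrapper. The certificate's principals
  # are the short hostname, the first global IPv4 address matching
  # `addressPattern`, and anything listed in `extraPrincipals`.
  signHostWrapper = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
    options = {
      provisioner = lib.mkOption {
        description = "step-ca provisioner to sign with; null omits --provisioner";
        type = lib.types.nullOr lib.types.str;
        default = "admin";
      };
      extraPrincipals = lib.mkOption {
        description = "Additional principals added to the host certificate";
        type = lib.types.listOf lib.types.str;
        default = [ ];
      };
      addressPattern = lib.mkOption {
        description = ''
          Shell `case` pattern (without the prefix length) selecting which
          global IPv4 address becomes the IP principal of the certificate.
        '';
        type = lib.types.str;
        default = "192.168.1.*";
      };
      overwrite = lib.mkEnableOption "Overwrite existing cert file?";
    };
    config = {
      binName = "sign-ssh-host-cert";
      package = config.pkgs.step-cli;
      # hostname/iproute2 for the preHook, systemd for the postHook's systemctl.
      extraPackages = with config.pkgs; [ hostname iproute2 systemd ];
      # Resolve the principals before step runs. An empty hostname or no
      # matching address would otherwise become an empty `--principal ""`,
      # so fail early rather than sign a certificate with a bogus principal.
      preHook = ''
        HOSTNAME=$(hostname -s)
        IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
          case "$addr" in
            ${config.addressPattern}/*)
              printf '%s\n' "''${addr%%/*}"
              break
              ;;
          esac
        done)
        if [ -z "$HOSTNAME" ]; then
          echo "sign-ssh-host-cert: could not determine short hostname" >&2
          exit 1
        fi
        if [ -z "$IP_ADDRESS" ]; then
          echo "sign-ssh-host-cert: no global IPv4 address matching ${config.addressPattern} found" >&2
          exit 1
        fi
        echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
      '';
      # NOTE(review): "$HOSTNAME" / "$IP_ADDRESS" here rely on the wrapper
      # expanding shell variables in `args` at run time — confirm against
      # inputs.wrappers. The IP principal is fixed at signing time, so the
      # cert must be re-signed if the host's address changes.
      args = [ "ssh" "certificate" "--host" "--sign" "--principal" "$HOSTNAME" "--principal" "$IP_ADDRESS" ]
        ++ lib.optionals (config.provisioner != null) [ "--provisioner" config.provisioner ]
        ++ lib.optionals config.overwrite [ "-f" ]
        ++ mkPrincipalArgs config.extraPrincipals;
      # Make sshd pick up the new certificate; needs privileges to manage sshd.
      postHook = ''
        systemctl reload-or-restart sshd
      '';
    };
  });

  # `step ssh certificate --sign` wrapper for user certificates; the cert is
  # valid for every login name in `validUsers`.
  signUserWrapper = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
    options = {
      provisioner = lib.mkOption {
        description = "step-ca provisioner to sign with; null omits --provisioner";
        type = lib.types.nullOr lib.types.str;
        default = "admin";
      };
      validUsers = lib.mkOption {
        description = "A list of the user names that this cert will be valid for";
        type = lib.types.listOf lib.types.str;
        default = [ ];
      };
      overwrite = lib.mkEnableOption "Overwrite existing cert file?";
    };
    config = {
      binName = "sign-ssh-user-cert";
      package = config.pkgs.step-cli;
      args = [ "ssh" "certificate" "--sign" ]
        ++ lib.optionals (config.provisioner != null) [ "--provisioner" config.provisioner ]
        ++ lib.optionals config.overwrite [ "-f" ]
        ++ mkPrincipalArgs config.validUsers;
    };
  });

  # Single package bundling the host signer and, when `user.enable` is set,
  # the user signer. Inside a wrapModule the nixpkgs set is `config.pkgs`;
  # no bare `pkgs` is bound in this file's scope, so it is aliased here.
  combinedWrapper = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }:
    let
      pkgs = config.pkgs;
    in {
      options = {
        user.enable = lib.myEnableOption "Enable SSH user certs";
      };
      config = {
        package = pkgs.symlinkJoin {
          name = "ssh-certs";
          meta.mainProgram = "sign-ssh-host-cert";
          paths = [
            (signHostWrapper.apply {
              inherit pkgs;
              provisioner = "admin";
              overwrite = true;
              # extraPrincipals = [ "home-pc" ];
            }).wrapper
          ] ++ lib.optional config.user.enable (signUserWrapper.apply {
            inherit pkgs;
            provisioner = "admin";
            overwrite = true;
            validUsers = signedUsers;
          }).wrapper;
        };
      };
    });
in
{
  # Per-system package holding both signing commands; `sign-ssh-user-cert`
  # is the main program.
  perSystem = { system, self', pkgs, lib, ... }: {
    packages.ssh-certs = inputs.wrappers.lib.wrapPackage {
      inherit pkgs;
      package = pkgs.symlinkJoin {
        name = "ssh-certs";
        meta.mainProgram = "sign-ssh-user-cert";
        paths = [
          (signUserWrapper.apply {
            inherit pkgs;
            provisioner = "admin";
            overwrite = true;
            validUsers = signedUsers;
          }).wrapper
          (signHostWrapper.apply {
            inherit pkgs;
            provisioner = "admin";
            overwrite = true;
            # extraPrincipals = [ "home-pc" ];
          }).wrapper
        ];
      };
    };
  };

  # Home Manager module installing the package defined above. The only
  # package this flake defines is `ssh-certs`, so that is what is referenced.
  flake.modules.homeManager.sshCerts = { config, pkgs, lib, ... }: {
    home.packages = [
      inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.ssh-certs
    ];
  };

  # Earlier experiments, kept for reference.
  # flake.modules.homeManager.sshCerts = { config, pkgs, lib, ... }: {
  #   home.packages = [
  #     (inputs.self.wrappers.sshCerts.apply {
  #       inherit pkgs;
  #       provisioner = "test prov";
  #     }).wrapper
  #   ];
  # };
  # flake.wrappers.sshCerts = { wlib, lib }:
  #   wlib.wrapModule ({ config, wlib, ... }: {
  #     options = {
  #       provisioner = lib.mkOption {
  #         type = lib.types.str;
  #         default = "admin";
  #       };
  #     };
  #     config = {
  #       binName = "admin-cow";
  #       package = config.pkgs.cowsay;
  #       args = [ config.provisioner ];
  #     };
  #   });
  # inputs.wrappers.lib.wrapModule ({ config, lib, ... }: {
  #   options = {
  #     provisioner = lib.mkOption {
  #       type = lib.types.str;
  #       default = "admin";
  #     };
  #   };
  #   config = {
  #     package = config.pkgs.cowsay;
  #     args = [ config.provisioner ];
  #   };
  # });
}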