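# Flake-parts style module exposing a Home Manager module that configures the
# `step` CLI for a user and ships a helper script that requests an SSH user
# certificate from the step-ca at `caURL`.
#
# Trust anchor: the CA URL, its root fingerprint and the root_ca.crt are pinned
# here so the step client never trusts a different CA for this hostname.
{ inputs, ... }:
let
  caURL = "https://janus.john-stream.com/";
  # SHA-256 fingerprint of the CA root certificate; step verifies the served
  # root_ca.crt against this before trusting the CA.
  stepFingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
in
{
  #
  # Home Manager Module
  #
  flake.modules.homeManager.step-ssh-user = { config, pkgs, lib, ... }:
    let
      cfg = config.step-ssh-user;

      # The first principal doubles as the key ID passed positionally to
      # `step ssh certificate`. `nonEmptyListOf` below guarantees it exists.
      firstPrincipal = lib.head cfg.principals;

      # Build one `--principal <name>` flag per principal. Each name is passed
      # through escapeShellArg: principals are arbitrary option strings that
      # end up inside a shell script, so wrapping them in plain double quotes
      # would let `"`, `$` or backticks break out of the argument.
      principalArgs = lib.concatMapStringsSep " "
        (principal: "--principal ${lib.escapeShellArg principal}")
        cfg.principals;
    in
    {
      options.step-ssh-user = {
        enable = lib.mkEnableOption "opinionated step client config for SSH certs";

        caURL = lib.mkOption {
          type = lib.types.str;
          description = "URL of the step-ca instance that issues SSH certificates";
          default = caURL;
        };

        fingerprint = lib.mkOption {
          # Constrain to a SHA-256 hex digest so a truncated or mistyped
          # fingerprint (the trust anchor) fails at eval time instead of at
          # the first `step` call.
          type = lib.types.strMatching "[0-9a-fA-F]{64}";
          description = "SHA-256 fingerprint of the CA root certificate";
          default = stepFingerprint;
        };

        rootCertFile = {
          path = lib.mkOption {
            type = lib.types.str;
            description = "String path to where the root_ca.crt file will be stored for the user";
            default = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
          };
          source = lib.mkOption {
            type = lib.types.path;
            description = "Nix path to the root cert file within the repo";
            default = ../../keys/root_ca.crt;
          };
        };

        provisioner = lib.mkOption {
          type = lib.types.str;
          description = "Name of the step-ca provisioner used to sign the certificate";
          default = "admin";
        };

        principals = lib.mkOption {
          # Required and non-empty: `lib.head` above would otherwise fail with
          # an unhelpful "list index out of bounds" at evaluation time.
          type = lib.types.nonEmptyListOf lib.types.str;
          description = "SSH principals to request; the first one is also used as the certificate key ID";
          # default = [ ];
        };
      };

      config = lib.mkIf cfg.enable {
        # Pin the CA root locally; defaults.json points `root` at it so the
        # client does not need to fetch and trust-on-first-use the root.
        home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile.source;

        home.file.".step/config/defaults.json".text = builtins.toJSON {
          "ca-url" = cfg.caURL;
          fingerprint = cfg.fingerprint;
          root = cfg.rootCertFile.path;
        };

        # Password for the provisioner's encrypted JWK. Requires the sops-nix
        # Home Manager module to be imported elsewhere; owner-read-only so
        # other local users cannot mint certificates.
        sops.secrets."janus/admin_jwk".mode = "0400";

        home.packages = with pkgs; [
          # Requests a user certificate for the configured public key. All
          # user-controlled values are shell-escaped; the secret path and key
          # path are fixed at build time and do not need escaping.
          # NOTE(review): `config.ssh.IdentityFile` is not a standard Home
          # Manager option — presumably declared by another module in this
          # flake; confirm it resolves to the private key path.
          (writeShellScriptBin "sign-ssh-cert" ''
            ${lib.getExe pkgs.step-cli} ssh certificate \
              --sign \
              ${principalArgs} \
              --provisioner ${lib.escapeShellArg cfg.provisioner} \
              --provisioner-password-file "${config.sops.secrets."janus/admin_jwk".path}" \
              ${lib.escapeShellArg firstPrincipal} "${config.ssh.IdentityFile}.pub"
          '')
        ];
      };
    };
}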