machines/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/ssh-host.nix

{
  khscodes.services.openssh.hostCertificate.path = "\${ vault_mount.ssh-host.path }";
  khscodes.infrastructure.provisioning.configuration.modules = [
    (
      { config, ... }:
      {
        khscodes.vault.mount.ssh-host = {
          type = "ssh";
          path = "ssh-host";
          default_lease_ttl_seconds = 24 * 60 * 60;
          max_lease_ttl_seconds = 24 * 60 * 60;
        };

        resource.vault_ssh_secret_backend_ca.ssh-host = {
          backend = config.khscodes.vault.output.mount.ssh-host.path;
          generate_signing_key = true;
          key_type = "ed25519";
        };
      }
    )
  ];
}