SSH Host Certificates on NixOS

I want to use SSH Host Certificates with Nix. I see they aren’t supported by default through sshd.nix. They seem hard to specify declaratively because generating the certificates needs an external resource (the SSH CA).

The way I’ve done it in the past on other OSes is with an Ansible playbook which runs on the host with access to the CA. It downloads the host public keys (of the host that needs the certificates), signs them and then uploads the signed certificates. Does anyone have a similar working setup in Nix? I’m not opposed to doing it in other ways, I just want some examples of how to express something like this in NixOS config.

I have a systemd timer on my servers that generates ssh certificates for my servers with Vault.

I populate credentials to log in to Vault as part of my deployment script. The creds are used to log in to Vault and generate a new SSH Host Certificate on a regular basis.

https://git.sr.ht/~mchrist/dotfiles/tree/master/item/nixos/modules/ssh.nix
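As an added illustration of the timer-based setup described in the reply above (not the linked dotfiles and not part of either post), here is one way to express it in a NixOS module: a oneshot service asks Vault's SSH secrets engine to sign the existing host key as a host certificate, and sshd is pointed at the result with `HostCertificate`. The Vault address, the mount name `ssh-host-signer`, the role `host-role`, the token path under `/var/lib/ssh-host-cert`, and the daily schedule are all assumptions for the example.

```nix
{ config, pkgs, ... }:

let
  hostKey  = "/etc/ssh/ssh_host_ed25519_key.pub";
  hostCert = "/etc/ssh/ssh_host_ed25519_key-cert.pub";
  # Assumed Vault layout: SSH secrets engine mounted at "ssh-host-signer"
  # with a role "host-role" that permits cert_type=host for this principal.
  vaultAddr = "https://vault.example.internal:8200";
  signPath  = "ssh-host-signer/sign/host-role";
in
{
  # sshd presents the certificate alongside the matching host key.
  services.openssh.extraConfig = ''
    HostCertificate ${hostCert}
  '';

  systemd.services.ssh-host-cert-renew = {
    description = "Renew the SSH host certificate from Vault";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    path = [ pkgs.vault pkgs.openssh pkgs.coreutils ];
    environment.VAULT_ADDR = vaultAddr;
    serviceConfig = {
      Type = "oneshot";
      # The deployment step drops a Vault token here, outside the Nix store;
      # systemd exposes it to the unit under $CREDENTIALS_DIRECTORY.
      LoadCredential = [ "vault-token:/var/lib/ssh-host-cert/vault-token" ];
    };
    script = ''
      set -euo pipefail
      export VAULT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/vault-token")"
      # Sign the host's public key; the principal must be the name clients use.
      vault write -field=signed_key ${signPath} \
        cert_type=host \
        public_key=@${hostKey} \
        valid_principals="${config.networking.hostName}" \
        > ${hostCert}.tmp
      # Refuse to install anything that does not parse as a certificate,
      # then swap it in atomically and let sshd pick it up.
      ssh-keygen -L -f ${hostCert}.tmp > /dev/null
      mv ${hostCert}.tmp ${hostCert}
      systemctl try-reload-or-restart sshd.service
    '';
  };

  systemd.timers.ssh-host-cert-renew = {
    wantedBy = [ "timers.target" ];
    timerConfig = { OnCalendar = "daily"; Persistent = true; RandomizedDelaySec = "1h"; };
  };
}
```

Clients still need the CA public key in their `known_hosts` as a `@cert-authority` line for the certificate to be trusted, and the timer interval should be shorter than the certificate TTL configured on the Vault role.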