sshca: Configure user CA

SSHCA now supports issuing user certificates.  It uses OpenID Connect to
authenticate requests, and issues certificates based on the user's ID
token.

sshca/config.toml

@@ -1,9 +1,17 @@
 machine_ids = "/var/lib/sshca/machine-ids.json"
 
+[oidc]
+discovery_url = "https://auth.pyrocufflink.blue"
+client_id = "sshca"
+
 [ca.host]
 private_key_file = "/run/sshca/secrets/host/key/host-ca-key"
 private_key_passphrase_file = "/run/sshca/secrets/host/passphrase/host-ca-key.passphrase"
 
+[ca.user]
+private_key_file = "/run/sshca/secrets/user/key/user-ca-key"
+private_key_passphrase_file = "/run/sshca/secrets/user/passphrase/user-ca-key.passphrase"
+
 [[libvirt]]
 uri = "qemu+ssh://sshca@vmhost0.pyrocufflink.blue/system?keyfile=/run/sshca/libvirt/sshkey"