started mtls wrappers

2026-04-27 09:01:19 -05:00
parent 3fc08793fe
commit 133bad5aef
1 changed files with 78 additions and 1 deletions
@@ -334,7 +334,11 @@ in
            inherit pkgs certFile keyFile bundleFile;
          })
          (mkMtlsCheckScript { inherit pkgs bundleFile; })
-          (mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })
+          # (mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })
+          (inputs.self.wrappers.mtlsRenew.apply {
+            inherit pkgs;
+            inherit (cfg) certDir certFile keyFile;
+          }).wrapper
        ];

        systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
@@ -349,4 +353,77 @@ in
        });
      };
    };
+
+  flake.wrappers = {
+    mtlsNeedsRenewal = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
+      options = {
+        certFile = lib.mkOption {
+          description = "String path for the public cert";
+          type = lib.types.str;
+        };
+      };
+
+      config = {
+        binName = "mtls-needs-renewal";
+        package = config.pkgs.step-cli;
+        preHook = ''
+          echo "Checking renewal status..."
+        '';
+        args = [ "certificate" "needs-renewal" "${config.certFile}" ];
+      };
+    });
+
+    mtlsRenew = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
+      options = {
+        certDir = lib.mkOption {
+          description = "String path to the directory where the certs will be stored";
+          type = lib.types.str;
+        };
+        keyFile = lib.mkOption {
+          description = "String path for the private key";
+          type = lib.types.str;
+          default = "${config.certDir}/key.pem";
+        };
+        certFile = lib.mkOption {
+          description = "String path for the public cert";
+          type = lib.types.str;
+          default = "${config.certDir}/cert.pem";
+        };
+      };
+
+      config = {
+        binName = "mtls-renew";
+        package = config.pkgs.step-cli;
+        extraPackages = [
+          (inputs.self.wrappers.mtlsNeedsRenewal.apply {
+            inherit (config) pkgs certFile;
+          }).wrapper
+        ];
+        preHook = ''
+          YELLOW_BANG="\e[33m!\e[0m"
+
+          force=0
+          while [[ $# -gt 0 ]]; do
+            case $1 in
+              --force)
+              force=1
+              shift
+              ;;
+              *)
+              echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
+              exit 1
+              ;;
+            esac
+          done
+
+          if [[ $force -eq 0 ]] && ! mtls-needs-renewal; then
+            echo "Skipping renew"
+            exit 0
+          else
+            echo "Renewing mTLS certificate"
+          fi
+        '';
+      };
+    });
+  };
 }