started mtls wrappers

John Lancaster
2026-04-27 09:01:19 -05:00
parent 3fc08793fe
commit 133bad5aef
+78 -1
@@ -334,7 +334,11 @@ in
inherit pkgs certFile keyFile bundleFile; inherit pkgs certFile keyFile bundleFile;
}) })
(mkMtlsCheckScript { inherit pkgs bundleFile; }) (mkMtlsCheckScript { inherit pkgs bundleFile; })
(mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; }) # (mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })
(inputs.self.wrappers.mtlsRenew.apply {
inherit pkgs;
inherit (cfg) certDir certFile keyFile;
}).wrapper
]; ];
systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [ systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
@@ -349,4 +353,77 @@ in
}); });
}; };
}; };
flake.wrappers = {
mtlsNeedsRenewal = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
options = {
certFile = lib.mkOption {
description = "String path for the public cert";
type = lib.types.str;
};
};
config = {
binName = "mtls-needs-renewal";
package = config.pkgs.step-cli;
preHook = ''
echo "Checking renewal status..."
'';
args = [ "certificate" "needs-renewal" "${config.certFile}" ];
};
});
mtlsRenew = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
options = {
certDir = lib.mkOption {
description = "String path to the directory where the certs will be stored";
type = lib.types.str;
};
keyFile = lib.mkOption {
description = "String path for the private key";
type = lib.types.str;
default = "${config.certDir}/key.pem";
};
certFile = lib.mkOption {
description = "String path for the public cert";
type = lib.types.str;
default = "${config.certDir}/cert.pem";
};
};
config = {
binName = "mtls-renew";
package = config.pkgs.step-cli;
extraPackages = [
(inputs.self.wrappers.mtlsNeedsRenewal.apply {
inherit (config) pkgs certFile;
}).wrapper
];
preHook = ''
YELLOW_BANG="\e[33m!\e[0m"
force=0
while [[ $# -gt 0 ]]; do
case $1 in
--force)
force=1
shift
;;
*)
echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
exit 1
;;
esac
done
if [[ $force -eq 0 ]] && ! mtls-needs-renewal; then
echo "Skipping renew"
exit 0
else
echo "Renewing mTLS certificate"
fi
'';
};
});
};
} }
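Review bot: In the mtlsRenew preHook the `*)` branch prints "Warning: ignoring unrecognized argument" and then runs `exit 1`, so the message contradicts the behaviour; failing closed on an unknown flag is the right choice for a script that touches a private key, so keep the `exit 1` and make the message an error on stderr, e.g. `echo -e "$YELLOW_BANG Error: unrecognized argument '$1'" >&2`. The mtlsRenew wrapper also declares no `args`, so after the preHook decides "Renewing mTLS certificate" it appears to exec bare `step` with whatever is left of `$@` — unless the wrappers library supplies the command some other way, the renewal itself (and the `systemctlArgs = [ "--user" ]` restart that the now-commented mkMtlsRenewScript call in the first hunk carried) is not yet performed; worth a `# TODO: add renewal args / service restart` in the config block if this is intentionally partial. The `keyFile` option is declared with a default but never referenced in the visible config, and `mtls-needs-renewal` is called by name in the preHook on the assumption that `extraPackages` puts it on PATH; a one-line comment stating that dependency would help the next reader. The flake.wrappers attribute set is fully inside the hunk, but the enclosing module closes outside it.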