john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mtls options

Browse Source
This commit is contained in:
John Lancaster
2026-04-01 15:59:56 -05:00
parent 86bb800886
commit 1fe4d59ce6
1 changed files with 25 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/features/mtls.nix
+25 -20
View File
@@ -1,7 +1,7 @@
{ self, inputs, lib, ... }:
let
# Options that will be in common between
opts = {
# Options that will be in common between the nixos module and the home-manager module.
mkOpts = config: let cfg = config.mtls; in {
enable = lib.mkEnableOption "Enable mTLS";
subject = lib.mkOption {
description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN.";
@@ -11,20 +11,25 @@ let
description = "String path to the directory where the certs will be stored";
type = lib.types.str;
};
keyFilename = lib.mkOption {
description = "String filename for the private key";
caFile = lib.mkOption {
description = "String path for the root CA file";
type = lib.types.str;
default = "key.pem";
default = "${cfg.certDir}/root_ca.crt";
};
certFilename = lib.mkOption {
description = "String filename for the public certificate";
keyFile = lib.mkOption {
description = "String path for the private key";
type = lib.types.str;
default = "cert.pem";
default = "${cfg.certDir}/key.pem";
};
bundleFilename = lib.mkOption {
description = "String filename for the mTLS key bundle";
certFile = lib.mkOption {
description = "String path for the public cert";
type = lib.types.str;
default = "mtls.pem";
default = "${cfg.certDir}/cert.pem";
};
bundleFile = lib.mkOption {
description = "String path for the mTLS key bundle";
type = lib.types.str;
default = "${cfg.certDir}/mtls.pem";
};
san = lib.mkOption {
description = "List of SAN to give the mTLS cert";
@@ -37,7 +42,7 @@ let
};
lifetime = lib.mkOption {
type = lib.types.str;
default = "6h";
default = "24h";
};
renew = {
enable = lib.mkOption {
@@ -249,13 +254,13 @@ in
flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
let
cfg = config.mtls;
tlsKey = "${cfg.certDir}/${cfg.keyFilename}";
tlsCert = "${cfg.certDir}/${cfg.certFilename}";
mtlsBundle = "${cfg.certDir}/${cfg.bundleFilename}";
tlsKey = cfg.keyFile;
tlsCert = cfg.certFile;
mtlsBundle = cfg.bundleFile;
sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
in
{
options.mtls = opts // {
options.mtls = (mkOpts config) // {
certDir = lib.mkOption {
description = "String path to where the mtls certs will be stored.";
type = lib.types.str;
@@ -292,13 +297,13 @@ in
flake.modules.homeManager.mtls = { config, lib, pkgs, ... }:
let
cfg = config.mtls;
tlsKey = "${cfg.certDir}/${cfg.keyFilename}";
tlsCert = "${cfg.certDir}/${cfg.certFilename}";
mtlsBundle = "${cfg.certDir}/${cfg.bundleFilename}";
tlsKey = cfg.keyFile;
tlsCert = cfg.certFile;
mtlsBundle = cfg.bundleFile;
sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
in
{
options.mtls = opts // {
options.mtls = (mkOpts config) // {
certDir = lib.mkOption {
description = "String path to where the mtls certs will be stored.";
type = lib.types.str;