mtls options

modules/features/mtls.nix

@@ -1,7 +1,7 @@
 { self, inputs, lib, ... }:
 let
-  # Options that will be in common between
+  # Options that will be in common between the nixos module and the home-manager module.
-  opts = {
+  mkOpts = config: let cfg = config.mtls; in {
     enable = lib.mkEnableOption "Enable mTLS";
     subject = lib.mkOption {
       description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN.";
@@ -11,20 +11,25 @@ let
       description = "String path to the directory where the certs will be stored";
       type = lib.types.str;
     };
-    keyFilename = lib.mkOption {
+    caFile = lib.mkOption {
-      description = "String filename for the private key";
+      description = "String path for the root CA file";
       type = lib.types.str;
-      default = "key.pem";
+      default = "${cfg.certDir}/root_ca.crt";
     };
-    certFilename = lib.mkOption {
+    keyFile = lib.mkOption {
-      description = "String filename for the public certificate";
+      description = "String path for the private key";
       type = lib.types.str;
-      default = "cert.pem";
+      default = "${cfg.certDir}/key.pem";
     };
-    bundleFilename = lib.mkOption {
+    certFile = lib.mkOption {
-      description = "String filename for the mTLS key bundle";
+      description = "String path for the public cert";
       type = lib.types.str;
-      default = "mtls.pem";
+      default = "${cfg.certDir}/cert.pem";
+    };
+    bundleFile = lib.mkOption {
+      description = "String path for the mTLS key bundle";
+      type = lib.types.str;
+      default = "${cfg.certDir}/mtls.pem";
     };
     san = lib.mkOption {
       description = "List of SAN to give the mTLS cert";
@@ -37,7 +42,7 @@ let
     };
     lifetime = lib.mkOption {
       type = lib.types.str;
-      default = "6h";
+      default = "24h";
     };
     renew = {
       enable = lib.mkOption {
@@ -249,13 +254,13 @@ in
   flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
     let
       cfg = config.mtls;
-      tlsKey = "${cfg.certDir}/${cfg.keyFilename}";
+      tlsKey = cfg.keyFile;
-      tlsCert = "${cfg.certDir}/${cfg.certFilename}";
+      tlsCert = cfg.certFile;
-      mtlsBundle = "${cfg.certDir}/${cfg.bundleFilename}";
+      mtlsBundle = cfg.bundleFile;
       sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
     in
     {
-      options.mtls = opts // {
+      options.mtls = (mkOpts config) // {
         certDir = lib.mkOption {
           description = "String path to where the mtls certs will be stored.";
           type = lib.types.str;
@@ -292,13 +297,13 @@ in
   flake.modules.homeManager.mtls = { config, lib, pkgs, ... }:
     let
       cfg = config.mtls;
-      tlsKey = "${cfg.certDir}/${cfg.keyFilename}";
+      tlsKey = cfg.keyFile;
-      tlsCert = "${cfg.certDir}/${cfg.certFilename}";
+      tlsCert = cfg.certFile;
-      mtlsBundle = "${cfg.certDir}/${cfg.bundleFilename}";
+      mtlsBundle = cfg.bundleFile;
       sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
     in
     {
-      options.mtls = opts // {
+      options.mtls = (mkOpts config) // {
         certDir = lib.mkOption {
           description = "String path to where the mtls certs will be stored.";
           type = lib.types.str;