broke out systemd service definitions

modules/services/step-ca/mtls.nix

@@ -50,6 +50,16 @@ let
         type = lib.types.str;
         default = "5m";
       };
+      user = lib.mkOption {
+        description = "User account to run the mTLS renewal service as.";
+        type = lib.types.str;
+        default = "root";
+      };
+      group = lib.mkOption {
+        description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user when null.";
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+      };
       reloadUnits = lib.mkOption {
         description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
         type = lib.types.listOf lib.types.str;
@@ -62,47 +72,27 @@ let
       };
     };
   };
-in
+
-{
+  mkMtlsRenewService = {
-  flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
+    pkgs,
+    tlsCert,
+    tlsKey,
+    mtlsBundle,
+    reloadUnits ? [ ],
+    postCommands ? [ ],
+    user ? "root",
+    group ? null,
+  }:
   let
-    cfg = config.mtls;
+    serviceGroup = if group == null then user else group;
-    certDir = "/etc/step/certs";
-    tlsKey = "${certDir}/${cfg.keyFilename}";
-    tlsCert = "${certDir}/${cfg.certFilename}";
-    mtlsBundle = "${certDir}/${cfg.bundleFilename}";
-    rootCA = "${certDir}/root_ca.crt";
-    sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
     renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
       if ${lib.getExe' pkgs.systemd "systemctl"} --quiet is-active "${unit}"; then
         ${lib.getExe' pkgs.systemd "systemctl"} try-reload-or-restart "${unit}"
       fi
-    '') cfg.renew.reloadUnits;
+    '') reloadUnits;
-    renewPostCommands = lib.concatStringsSep "\n" cfg.renew.postCommands;
+    renewPostCommands = lib.concatStringsSep "\n" postCommands;
   in
   {
-    options.mtls = opts;
-    config = lib.mkIf cfg.enable {
-      environment.systemPackages = with pkgs; lib.optionals cfg.enable [
-        (writeShellScriptBin "mtls-generate" ''
-          set -euo pipefail
-          ${lib.getExe pkgs.step-cli} ca certificate \
-            ${cfg.subject} ${tlsCert} ${tlsKey} \
-            --ca-url ${cfg.caURL} \
-            --root ${rootCA} \
-            --provisioner ${cfg.provisioner} \
-            ${sanArgs}
-          cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
-        '')
-        (writeShellScriptBin "mtls-check" ''
-          ${lib.getExe pkgs.openssl} x509 \
-          -noout -subject -issuer \
-          -ext subjectAltName,extendedKeyUsage \
-          -enddate -in ${mtlsBundle}
-        '')
-      ];
-
-      systemd.services.mtls-renew = lib.mkIf cfg.renew.enable {
     description = "Renew the mTLS certificate when Smallstep marks it ready";
     wantedBy = [ ];
     after = [ "network-online.target" ];
@@ -110,8 +100,8 @@ in
     path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ];
     serviceConfig = {
       Type = "oneshot";
-          User = "root";
+      User = user;
-          Group = "root";
+      Group = serviceGroup;
     };
     script = ''
       set -euo pipefail
@@ -144,17 +134,65 @@ in
     '';
   };
 
-      systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable {
+  mkMtlsRenewTimer = {
+    onCalendar,
+    randomizedDelaySec,
+    unit ? "mtls-renew.service",
+  }: {
     description = "Periodic Smallstep renewal for the mTLS certificate";
     wantedBy = [ "timers.target" ];
     timerConfig = {
       Persistent = true;
-          OnCalendar = cfg.renew.onCalendar;
+      OnCalendar = onCalendar;
       AccuracySec = "1us";
-          RandomizedDelaySec = cfg.renew.randomizedDelaySec;
+      RandomizedDelaySec = randomizedDelaySec;
-          Unit = "mtls-renew.service";
+      Unit = unit;
     };
   };
+
+  
+in
+{
+  flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
+  let
+    cfg = config.mtls;
+    certDir = "/etc/step/certs";
+    tlsKey = "${certDir}/${cfg.keyFilename}";
+    tlsCert = "${certDir}/${cfg.certFilename}";
+    mtlsBundle = "${certDir}/${cfg.bundleFilename}";
+    rootCA = "${certDir}/root_ca.crt";
+    sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
+  in
+  {
+    options.mtls = opts;
+    config = lib.mkIf cfg.enable {
+      environment.systemPackages = with pkgs; lib.optionals cfg.enable [
+        (writeShellScriptBin "mtls-generate" ''
+          set -euo pipefail
+          ${lib.getExe pkgs.step-cli} ca certificate \
+            ${cfg.subject} ${tlsCert} ${tlsKey} \
+            --ca-url ${cfg.caURL} \
+            --root ${rootCA} \
+            --provisioner ${cfg.provisioner} \
+            ${sanArgs}
+          cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
+        '')
+        (writeShellScriptBin "mtls-check" ''
+          ${lib.getExe pkgs.openssl} x509 \
+          -noout -subject -issuer \
+          -ext subjectAltName,extendedKeyUsage \
+          -enddate -in ${mtlsBundle}
+        '')
+      ];
+
+      systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewService {
+        inherit pkgs tlsCert tlsKey mtlsBundle;
+        inherit (cfg.renew) reloadUnits postCommands user group;
+      });
+
+      systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewTimer {
+        inherit (cfg.renew) onCalendar randomizedDelaySec;
+      });
     };
   };
 
@@ -178,7 +216,7 @@ in
     };
 
     config = {
-      home.packages = with pkgs; [
+      home.packages = with pkgs; lib.optionals cfg.enable [
         step-cli
         (writeShellScriptBin "mtls-generate" ''
           set -euo pipefail
@@ -195,6 +233,15 @@ in
           -enddate -in ${mtlsBundle}
         '')
       ];
+
+      # systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewService {
+      #   inherit pkgs tlsCert tlsKey mtlsBundle;
+      #   inherit (cfg.renew) reloadUnits postCommands group;
+      # });
+
+      # systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewTimer {
+      #   inherit (cfg.renew) onCalendar randomizedDelaySec;
+      # });
     };
   };
 }