john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

broke out systemd service definitions

Browse Source
This commit is contained in:
John Lancaster
2026-03-16 08:27:33 -05:00
parent 853fe3c556
commit 2231c5910c
1 changed files with 106 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

165
modules/services/step-ca/mtls.nix
View File

@@ -50,6 +50,16 @@ let
type = lib.types.str; type = lib.types.str;
default = "5m"; default = "5m";
}; };
user = lib.mkOption {
description = "User account to run the mTLS renewal service as.";
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user when null.";
type = lib.types.nullOr lib.types.str;
default = null;
};
reloadUnits = lib.mkOption { reloadUnits = lib.mkOption {
description = "systemd units to try-reload-or-restart after a successful certificate renewal."; description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
@@ -62,6 +72,85 @@ let
}; };
}; };
}; };
mkMtlsRenewService = {
pkgs,
tlsCert,
tlsKey,
mtlsBundle,
reloadUnits ? [ ],
postCommands ? [ ],
user ? "root",
group ? null,
}:
let
serviceGroup = if group == null then user else group;
renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
if ${lib.getExe' pkgs.systemd "systemctl"} --quiet is-active "${unit}"; then
${lib.getExe' pkgs.systemd "systemctl"} try-reload-or-restart "${unit}"
fi
'') reloadUnits;
renewPostCommands = lib.concatStringsSep "\n" postCommands;
in
{
description = "Renew the mTLS certificate when Smallstep marks it ready";
wantedBy = [ ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ];
serviceConfig = {
Type = "oneshot";
User = user;
Group = serviceGroup;
};
script = ''
set -euo pipefail
if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then
echo "Renewing mTLS certificate"
else
rc=$?
if [ "$rc" -eq 1 ]; then
echo "mTLS certificate does not need renewal"
exit 0
fi
if [ "$rc" -eq 2 ]; then
echo "mTLS certificate missing: ${tlsCert}" >&2
exit 1
fi
echo "step certificate needs-renewal failed with rc=$rc" >&2
exit "$rc"
fi
${lib.getExe pkgs.step-cli} ca renew --force "${tlsCert}" "${tlsKey}"
umask 077
cat "${tlsCert}" "${tlsKey}" > "${mtlsBundle}"
${renewReloadScript}
${renewPostCommands}
'';
};
mkMtlsRenewTimer = {
onCalendar,
randomizedDelaySec,
unit ? "mtls-renew.service",
}: {
description = "Periodic Smallstep renewal for the mTLS certificate";
wantedBy = [ "timers.target" ];
timerConfig = {
Persistent = true;
OnCalendar = onCalendar;
AccuracySec = "1us";
RandomizedDelaySec = randomizedDelaySec;
Unit = unit;
};
};
in in
{ {
flake.modules.nixos.mtls = { config, lib, pkgs, ... }: flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
@@ -73,12 +162,6 @@ in
mtlsBundle = "${certDir}/${cfg.bundleFilename}"; mtlsBundle = "${certDir}/${cfg.bundleFilename}";
rootCA = "${certDir}/root_ca.crt"; rootCA = "${certDir}/root_ca.crt";
sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
if ${lib.getExe' pkgs.systemd "systemctl"} --quiet is-active "${unit}"; then
${lib.getExe' pkgs.systemd "systemctl"} try-reload-or-restart "${unit}"
fi
'') cfg.renew.reloadUnits;
renewPostCommands = lib.concatStringsSep "\n" cfg.renew.postCommands;
in in
{ {
options.mtls = opts; options.mtls = opts;
@@ -102,59 +185,14 @@ in
'') '')
]; ];
systemd.services.mtls-renew = lib.mkIf cfg.renew.enable { systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewService {
description = "Renew the mTLS certificate when Smallstep marks it ready"; inherit pkgs tlsCert tlsKey mtlsBundle;
wantedBy = [ ]; inherit (cfg.renew) reloadUnits postCommands user group;
after = [ "network-online.target" ]; });
wants = [ "network-online.target" ];
path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};
script = ''
set -euo pipefail
if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewTimer {
echo "Renewing mTLS certificate" inherit (cfg.renew) onCalendar randomizedDelaySec;
else });
rc=$?
if [ "$rc" -eq 1 ]; then
echo "mTLS certificate does not need renewal"
exit 0
fi
if [ "$rc" -eq 2 ]; then
echo "mTLS certificate missing: ${tlsCert}" >&2
exit 1
fi
echo "step certificate needs-renewal failed with rc=$rc" >&2
exit "$rc"
fi
${lib.getExe pkgs.step-cli} ca renew --force "${tlsCert}" "${tlsKey}"
umask 077
cat "${tlsCert}" "${tlsKey}" > "${mtlsBundle}"
${renewReloadScript}
${renewPostCommands}
'';
};
systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable {
description = "Periodic Smallstep renewal for the mTLS certificate";
wantedBy = [ "timers.target" ];
timerConfig = {
Persistent = true;
OnCalendar = cfg.renew.onCalendar;
AccuracySec = "1us";
RandomizedDelaySec = cfg.renew.randomizedDelaySec;
Unit = "mtls-renew.service";
};
};
}; };
}; };
@@ -178,7 +216,7 @@ in
}; };
config = { config = {
home.packages = with pkgs; [ home.packages = with pkgs; lib.optionals cfg.enable [
step-cli step-cli
(writeShellScriptBin "mtls-generate" '' (writeShellScriptBin "mtls-generate" ''
set -euo pipefail set -euo pipefail
@@ -195,6 +233,15 @@ in
-enddate -in ${mtlsBundle} -enddate -in ${mtlsBundle}
'') '')
]; ];
# systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewService {
# inherit pkgs tlsCert tlsKey mtlsBundle;
# inherit (cfg.renew) reloadUnits postCommands group;
# });
# systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewTimer {
# inherit (cfg.renew) onCalendar randomizedDelaySec;
# });
}; };
}; };
} }