added lifetime option

2026-03-16 12:39:51 -05:00
parent ab5bda0c37
commit 27c8f6d86d
1 changed files with 9 additions and 2 deletions
--- a/modules/services/step-ca/mtls.nix
+++ b/modules/services/step-ca/mtls.nix
@@ -35,6 +35,10 @@ let
      type = lib.types.str;
      default = "admin";
    };
+    lifetime = lib.mkOption {
+      type = lib.types.str;
+      default = "6h";
+    };
    renew = {
      enable = lib.mkOption {
        description = "Enable automatic mTLS certificate renewal using a systemd timer.";
@@ -224,6 +228,7 @@ in
              --ca-url ${cfg.caURL} \
              --root ${rootCA} \
              --provisioner ${cfg.provisioner} \
+              --not-before=-5m --not-after=${cfg.lifetime} \
              ${sanArgs} \
              "$@"
            cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
@@ -272,9 +277,11 @@ in
          (writeShellScriptBin "mtls-generate" ''
            set -euo pipefail
            ${lib.getExe pkgs.step-cli} ca certificate \
-              john-pc-ubuntu ${tlsCert} ${tlsKey} \
+              ${cfg.subject} ${tlsCert} ${tlsKey} \
+              --not-before=-5m --not-after=${cfg.lifetime} \
              --provisioner ${cfg.provisioner} \
-              ${sanArgs}
+              ${sanArgs} \
+              "$@"
            cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
          '')
          (writeShellScriptBin "mtls-check" ''