From 27c8f6d86d26a959c36396c26ca2e0b2fb251058 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Mon, 16 Mar 2026 12:39:51 -0500
Subject: [PATCH] added lifetime option
---
 modules/services/step-ca/mtls.nix | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/modules/services/step-ca/mtls.nix b/modules/services/step-ca/mtls.nix
index 7b18b5b..20b2f54 100644
--- a/modules/services/step-ca/mtls.nix
+++ b/modules/services/step-ca/mtls.nix
@@ -35,6 +35,10 @@ let
 type = lib.types.str;
 default = "admin";
 };
+ lifetime = lib.mkOption {
+ type = lib.types.str;
+ default = "6h";
+ };
 renew = {
 enable = lib.mkOption {
 description = "Enable automatic mTLS certificate renewal using a systemd timer.";
@@ -224,6 +228,7 @@ in
 --ca-url ${cfg.caURL} \
 --root ${rootCA} \
 --provisioner ${cfg.provisioner} \
+ --not-before=-5m --not-after=${cfg.lifetime} \
 ${sanArgs} \
 "$@"
 cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
@@ -272,9 +277,11 @@ in
 (writeShellScriptBin "mtls-generate" ''
 set -euo pipefail
 ${lib.getExe pkgs.step-cli} ca certificate \
- john-pc-ubuntu ${tlsCert} ${tlsKey} \
+ ${cfg.subject} ${tlsCert} ${tlsKey} \
+ --not-before=-5m --not-after=${cfg.lifetime} \
 --provisioner ${cfg.provisioner} \
- ${sanArgs}
+ ${sanArgs} \
+ "$@"
 cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
 '')
 (writeShellScriptBin "mtls-check" ''
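Review bot: The new `lifetime` option has no `description`, while the sibling `renew.enable` option in the same hunk documents itself, and a bare `lib.types.str` does not tell a reader that the value is a step duration handed to `--not-after`. Add `description = "Validity period passed to step's --not-after (a duration such as \"6h\"); the CA rejects values above the provisioner's maxTLSCertDuration claim.";`. The enclosing `let` binding starts before this hunk, so the option's parent attribute set is not visible here.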
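Review bot: `--not-before=-5m` is a hard-coded clock-skew allowance placed right next to the newly configurable `--not-after`, and the same literal is repeated in the `mtls-generate` hunk starting at new line 277; either lift it into a `notBefore` option beside `lifetime` or at least comment it, e.g. `# backdate 5 minutes so the cert is accepted despite clock skew between client and CA`. Since step interprets both flags relative to the request time, the validity window presumably runs from five minutes ago to `lifetime` from now, which is worth stating in the option description. The shell script this hunk edits begins before the hunk, and the renewal timer interval is not visible here; if it is longer than `lifetime` (default `6h`) the certificate will expire between renewals, which a module assertion could catch.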
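Review bot: `${cfg.subject}` replaces the hard-coded `john-pc-ubuntu`, but no `subject` option appears in this patch, so it must already exist elsewhere in the file; worth confirming it has no host-specific default that would reproduce the old behaviour. Both `mtls-generate` and the renewal script at new line 228 now assemble the same `step ca certificate` argument list by hand, so a shared `let` binding for the common flags (`--not-before`, `--not-after`, `--provisioner`, `${sanArgs}`) would keep the two paths from drifting. Appending `"$@"` after `${sanArgs}` lets a caller pass a later `--not-after` that overrides the configured one, so `lifetime` is a default rather than a ceiling; if an upper bound is intended it should be enforced on the CA side through the provisioner claims rather than in this wrapper.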