added lifetime option

This commit is contained in:
John Lancaster
2026-03-16 12:39:51 -05:00
parent ab5bda0c37
commit 27c8f6d86d


@@ -35,6 +35,10 @@ let
type = lib.types.str; type = lib.types.str;
default = "admin"; default = "admin";
}; };
lifetime = lib.mkOption {
type = lib.types.str;
default = "6h";
};
renew = { renew = {
enable = lib.mkOption { enable = lib.mkOption {
description = "Enable automatic mTLS certificate renewal using a systemd timer."; description = "Enable automatic mTLS certificate renewal using a systemd timer.";
@@ -224,6 +228,7 @@ in
--ca-url ${cfg.caURL} \ --ca-url ${cfg.caURL} \
--root ${rootCA} \ --root ${rootCA} \
--provisioner ${cfg.provisioner} \ --provisioner ${cfg.provisioner} \
--not-before=-5m --not-after=${cfg.lifetime} \
${sanArgs} \ ${sanArgs} \
"$@" "$@"
cat ${tlsCert} ${tlsKey} > ${mtlsBundle} cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
@@ -272,9 +277,11 @@ in
(writeShellScriptBin "mtls-generate" '' (writeShellScriptBin "mtls-generate" ''
set -euo pipefail set -euo pipefail
${lib.getExe pkgs.step-cli} ca certificate \ ${lib.getExe pkgs.step-cli} ca certificate \
john-pc-ubuntu ${tlsCert} ${tlsKey} \ ${cfg.subject} ${tlsCert} ${tlsKey} \
--not-before=-5m --not-after=${cfg.lifetime} \
--provisioner ${cfg.provisioner} \ --provisioner ${cfg.provisioner} \
${sanArgs} ${sanArgs} \
"$@"
cat ${tlsCert} ${tlsKey} > ${mtlsBundle} cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
'') '')
(writeShellScriptBin "mtls-check" '' (writeShellScriptBin "mtls-check" ''
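Review bot: The new `lifetime` option in the first hunk has no `description`, while the neighbouring `renew.enable` option documents itself; add `description = "Validity period of the issued mTLS certificate, passed to step as --not-after (a duration such as \"6h\").";` so the accepted format is visible in the generated option docs. The value is also interpolated unquoted into both shell scripts (`--not-after=${cfg.lifetime}` in the second and third hunks), so a string containing whitespace would be split into extra arguments; writing it as `--not-after="${cfg.lifetime}"` keeps it a single argument and makes a malformed value fail in step rather than silently change the command line. Since renewal is driven by a systemd timer whose interval is not visible here, it is worth confirming that the interval stays well below the configured lifetime, otherwise a short `lifetime` could let the certificate lapse between renewals. The enclosing `let` and module bodies start outside these hunks.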