John Lancaster
2026-05-01 00:11:55 -05:00
parent cf1174d36b
commit 2fea8238d1
+13 -9
@@ -48,7 +48,7 @@ let
enable = lib.mkOption { enable = lib.mkOption {
description = "Enable automatic mTLS certificate renewal using a systemd timer."; description = "Enable automatic mTLS certificate renewal using a systemd timer.";
type = lib.types.bool; type = lib.types.bool;
default = true; default = cfg.enable;
}; };
onCalendar = lib.mkOption { onCalendar = lib.mkOption {
description = "systemd OnCalendar schedule for mTLS certificate renewal checks."; description = "systemd OnCalendar schedule for mTLS certificate renewal checks.";
@@ -199,11 +199,7 @@ in
inherit (cfg) certDir keyFile certFile bundleFile; inherit (cfg) certDir keyFile certFile bundleFile;
inherit (cfg.renew) reloadUnits postCommands; inherit (cfg.renew) reloadUnits postCommands;
systemctlArgs = [ "--user" ]; systemctlArgs = [ "--user" ];
systemd = { systemd = lib.optionalAttrs cfg.renew.enable {
description = "Renew the mTLS certificate when Smallstep marks it ready";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
} // lib.optionalAttrs cfg.renew.enable {
startAt = cfg.renew.onCalendar; startAt = cfg.renew.onCalendar;
}; };
}; };
@@ -230,14 +226,14 @@ in
inherit pkgs; inherit pkgs;
inherit (cfg) bundleFile; inherit (cfg) bundleFile;
}).wrapper }).wrapper
mtlsRenewWrapper.wrapper
]; ];
systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [ systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
"d ${cfg.certDir} 0700 - - -" "d ${cfg.certDir} 0700 - - -" # Ensure the cert directory exists and is writable by the user
]; ];
xdg.dataFile = lib.mkIf (cfg.enable && cfg.renew.enable) { # Create the systemd service files for the user.
xdg.dataFile = lib.mkIf cfg.renew.enable {
"systemd/user/mtls-renew.service".source = "systemd/user/mtls-renew.service".source =
"${mtlsRenewWrapper.outputs.systemd-user}/systemd/user/mtls-renew.service"; "${mtlsRenewWrapper.outputs.systemd-user}/systemd/user/mtls-renew.service";
"systemd/user/mtls-renew.timer".source = "systemd/user/mtls-renew.timer".source =
@@ -250,6 +246,7 @@ in
''; '';
}; };
# Ensure the timer gets started
home.activation.mtlsRenewTimer = lib.hm.dag.entryAfter [ "writeBoundary" ] '' home.activation.mtlsRenewTimer = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
if [ -n "$XDG_RUNTIME_DIR" ] && [ -S "$XDG_RUNTIME_DIR/systemd/private" ]; then if [ -n "$XDG_RUNTIME_DIR" ] && [ -S "$XDG_RUNTIME_DIR/systemd/private" ]; then
if [ "${lib.boolToString (cfg.enable && cfg.renew.enable)}" = "true" ]; then if [ "${lib.boolToString (cfg.enable && cfg.renew.enable)}" = "true" ]; then
@@ -426,6 +423,13 @@ in
''; '';
}; };
systemd = { systemd = {
description = "Automatic mTLS renewal service";
documentation = [
"https://smallstep.com/docs/step-ca/certificate-authority-server-production"
];
startLimitIntervalSec = 0;
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig.Type = lib.mkDefault "oneshot"; serviceConfig.Type = lib.mkDefault "oneshot";
}; };
}; };
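Review bot: The `xdg.dataFile` guard in the @@ -230 hunk now keys only on `cfg.renew.enable`, while the tmpfiles rule just above it and the activation snippet in the next hunk still require `cfg.enable && cfg.renew.enable`; since `renew.enable` is an explicit option (defaulting to `cfg.enable` but settable on its own), `enable = false; renew.enable = true` installs mtls-renew.service/timer under the user manager without the cert directory being created or the timer being started, and a later `systemctl --user start mtls-renew.timer` would run renewal for a module that is otherwise disabled. I would restore `xdg.dataFile = lib.mkIf (cfg.enable && cfg.renew.enable) {` so all three guards agree, or add an assertion that `renew.enable` implies `enable`. In the last hunk, `startLimitIntervalSec = 0;` disables start rate-limiting for the renewal service; with `Type=oneshot` and no `Restart=` this appears harmless, but a one-line comment stating that intent (e.g. `# timer-driven oneshot: no start-rate limiting needed`) would stop someone adding `Restart=on-failure` later and looping against the CA. `network-online.target` is also referenced from a user-scope unit (`systemctlArgs = [ "--user" ]`), where I believe that target is not ordinarily present, so the `after`/`wants` ordering may be a no-op — worth confirming. Both the `config` attribute set in the @@ -230 hunk and the wrapper definition in the last hunk continue outside the visible hunks.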