systemd

2026-05-01 00:11:55 -05:00
parent cf1174d36b
commit 2fea8238d1
1 changed files with 13 additions and 9 deletions
@@ -48,7 +48,7 @@ let
      enable = lib.mkOption {
        description = "Enable automatic mTLS certificate renewal using a systemd timer.";
        type = lib.types.bool;
-        default = true;
+        default = cfg.enable;
      };
      onCalendar = lib.mkOption {
        description = "systemd OnCalendar schedule for mTLS certificate renewal checks.";
@@ -199,11 +199,7 @@ in
        inherit (cfg) certDir keyFile certFile bundleFile;
        inherit (cfg.renew) reloadUnits postCommands;
        systemctlArgs = [ "--user" ];
-        systemd = {
-          description = "Renew the mTLS certificate when Smallstep marks it ready";
-          after = [ "network-online.target" ];
-          wants = [ "network-online.target" ];
-        } // lib.optionalAttrs cfg.renew.enable {
+        systemd = lib.optionalAttrs cfg.renew.enable {
          startAt = cfg.renew.onCalendar;
        };
      };
@@ -230,14 +226,14 @@ in
            inherit pkgs;
            inherit (cfg) bundleFile;
          }).wrapper
-          mtlsRenewWrapper.wrapper
        ];

        systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
-          "d ${cfg.certDir} 0700 - - -"
+          "d ${cfg.certDir} 0700 - - -" # Ensure the cert directory exists and is writable by the user
        ];

-        xdg.dataFile = lib.mkIf (cfg.enable && cfg.renew.enable) {
+        # Create the systemd service files for the user.
+        xdg.dataFile = lib.mkIf cfg.renew.enable {
          "systemd/user/mtls-renew.service".source =
            "${mtlsRenewWrapper.outputs.systemd-user}/systemd/user/mtls-renew.service";
          "systemd/user/mtls-renew.timer".source =
@@ -250,6 +246,7 @@ in
          '';
        };

+        # Ensure the timer gets started
        home.activation.mtlsRenewTimer = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
          if [ -n "$XDG_RUNTIME_DIR" ] && [ -S "$XDG_RUNTIME_DIR/systemd/private" ]; then
            if [ "${lib.boolToString (cfg.enable && cfg.renew.enable)}" = "true" ]; then
@@ -426,6 +423,13 @@ in
            '';
          };
        systemd = {
+          description = "Automatic mTLS renewal service";
+          documentation = [
+            "https://smallstep.com/docs/step-ca/certificate-authority-server-production"
+          ];
+          startLimitIntervalSec = 0;
+          after = [ "network-online.target" ];
+          wants = [ "network-online.target" ];
          serviceConfig.Type = lib.mkDefault "oneshot";
        };
      };