From 33ccad5bf6f53d4879d3c315365e98d47af8eb0c Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Tue, 24 Mar 2026 22:24:14 -0500
Subject: [PATCH] moved step-ca defaults file for mtls

---
 modules/hosts/john-pc-ubuntu.nix | 6 ++++--
 modules/hosts/soteria/soteria.nix | 12 +++++-------
 modules/services/step-ca/mtls.nix | 18 +++++++++++++-----
 3 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/modules/hosts/john-pc-ubuntu.nix b/modules/hosts/john-pc-ubuntu.nix
index 3110222..f8bbcab 100644
--- a/modules/hosts/john-pc-ubuntu.nix
+++ b/modules/hosts/john-pc-ubuntu.nix
@@ -86,9 +86,11 @@ in
 };
 mtls = {
 enable = true;
- caURL = "https://janus.john-stream.com/";
- provisioner = "admin";
 subject = hostname;
+ ca = {
+ url = "https://janus.john-stream.com/";
+ fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
+ };
 san = [
 "${hostname}"
 "192.168.1.85"
diff --git a/modules/hosts/soteria/soteria.nix b/modules/hosts/soteria/soteria.nix
index 3e9be47..0db38c1 100644
--- a/modules/hosts/soteria/soteria.nix
+++ b/modules/hosts/soteria/soteria.nix
@@ -50,12 +50,6 @@ in
 shell.program = "zsh";
 docker.enable = true;
 
- home.file.".step/config/defaults.json".text = builtins.toJSON {
- "ca-url" = "https://janus.john-stream.com/";
- fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
- root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
- };
-
 # sops.secrets."janus/admin_password" = {
 # path = "${config.home.homeDirectory}/.janus";
 # mode = "0400";
@@ -66,12 +60,16 @@ in
 mtls = {
 enable = true;
 subject = hostname;
- caURL = "https://janus.john-stream.com/";
+ ca = {
+ url = "https://janus.john-stream.com/";
+ fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
+ };
 san = [
 "${hostname}.john-stream.com"
 "192.168.1.142"
 ];
 lifetime = "1h";
+ renew.onCalendar = "*:3/15";
 renew.postCommands = [
 "${lib.getExe pkgs.docker} restart envoy"
 ];
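Review bot: `provisioner = "admin";` is removed from this host, but the certificate command in modules/services/step-ca/mtls.nix still expands `${cfg.provisioner}`; unless that option carries a default outside this patch, evaluating this host now fails with an undefined-option error, and if it does have a default, the provisioner this host enrolls with has changed without the subject line saying so. Please confirm which is intended and restore the line if the `admin` provisioner is still wanted. The CA URL and root fingerprint are also now written verbatim into two hosts (this hunk and the soteria.nix hunk at `@@ -66,12 +60,16 @@`); a `default` on `ca.url`/`ca.fingerprint` in mtls.nix, or one shared constant, would keep the pin identical across hosts instead of relying on two copies staying in sync. The enclosing `mtls` attribute set continues outside the hunk.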
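Review bot: `renew.onCalendar = "*:3/15";` in the soteria.nix hunk at `@@ -66,12 +60,16 @@` is unrelated to the defaults-file move the subject describes and would be easier to review and revert as its own commit. As written the timer expression reads as minutes 3, 18, 33 and 48 of every hour against a `lifetime = "1h"` certificate, which leaves a sensible margin, but the cadence deserves a one-line rationale such as `# renew 4x per hour so a single missed run still leaves most of the 1h lifetime`. The `mtls` set continues outside the hunk.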
diff --git a/modules/services/step-ca/mtls.nix b/modules/services/step-ca/mtls.nix
index 33622b1..31a1030 100644
--- a/modules/services/step-ca/mtls.nix
+++ b/modules/services/step-ca/mtls.nix
@@ -3,9 +3,13 @@ let
 # Options that will be in common between
 opts = {
 enable = lib.mkEnableOption "Enable mTLS";
- caURL = lib.mkOption {
- description = "URL to the certificate authority";
- type = lib.types.str;
+ ca = {
+ url = lib.mkOption {
+ type = lib.types.str;
+ };
+ fingerprint = lib.mkOption {
+ type = lib.types.str;
+ };
 };
 subject = lib.mkOption {
 description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN.";
@@ -228,8 +232,6 @@ in
 set -euo pipefail
 ${lib.getExe pkgs.step-cli} ca certificate \
 ${cfg.subject} ${tlsCert} ${tlsKey} \
- --ca-url ${cfg.caURL} \
- --root ${rootCA} \
 --provisioner ${cfg.provisioner} \
 --not-before=-5m --not-after=${cfg.lifetime} \
 ${sanArgs} \
@@ -275,6 +277,12 @@ in
 };
 
 config = {
+ home.file.".step/config/defaults.json".text = builtins.toJSON {
+ "ca-url" = cfg.ca.url;
+ fingerprint = cfg.ca.fingerprint;
+ root = "${cfg.certDir}/root_ca.crt";
+ };
+
 home.packages = with pkgs; lib.optionals cfg.enable [
 step-cli
 (writeShellScriptBin "mtls-generate" ''
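Review bot: The new `ca.url` and `ca.fingerprint` options carry no `description`, whereas the `caURL` option they replace did; for the fingerprint in particular a reader cannot tell which certificate it pins or where the value comes from. Suggest `description = "URL of the step-ca certificate authority";` on `url` and, on `fingerprint`, a description stating that it is the SHA-256 fingerprint of the CA root certificate (as printed by `step certificate fingerprint root_ca.crt`) that step-cli checks against the root it fetches from the CA URL — the 64-hex-digit values the hosts set are consistent with SHA-256. Neither option has a `default`, so every host importing this module must now set both. The `opts` set continues outside the hunk.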
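Review bot: Dropping `--root ${rootCA}` and `--ca-url ${cfg.caURL}` makes this `ca certificate` call depend on the `root` and `ca-url` entries written to `~/.step/config/defaults.json` later in this patch, where `root` is `${cfg.certDir}/root_ca.crt`; if the `rootCA` binding in the enclosing `let` (outside the hunk) resolved to a different file, or the unit runs with `STEPPATH`/`HOME` pointing away from the home-manager home, the trust anchor used to validate the CA connection changes without any error at evaluation time. Please confirm `rootCA` and `${cfg.certDir}/root_ca.crt` are the same path and remove `rootCA` if nothing else references it now. Keeping the flags explicit, e.g. `--ca-url ${cfg.ca.url} --root ${cfg.certDir}/root_ca.crt \`, would keep the script self-contained regardless of what defaults.json says. The script continues on both sides of the hunk.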
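Review bot: `home.file.".step/config/defaults.json"` is set unconditionally inside `config`, while `home.packages` two lines below is gated with `lib.optionals cfg.enable`; because `cfg.ca.url` and `cfg.ca.fingerprint` are declared without defaults, a host that imports this module with `mtls.enable = false` will fail evaluation on the undefined options unless it sets them anyway, and one that does set them gets a CA config written even with mTLS off. Gate it the same way: `home.file.".step/config/defaults.json" = lib.mkIf cfg.enable { text = builtins.toJSON { ... }; };`. The file this replaces in soteria.nix used `${config.home.homeDirectory}/.step/certs/root_ca.crt`, so the new `root` only matches if `cfg.certDir` resolves to `~/.step/certs`; a comment on that line noting that step-cli reads this file from `$STEPPATH/config` (default `~/.step`) would make the coupling visible. The `config` set continues outside the hunk.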