moved step-ca defaults file for mtls

John Lancaster
2026-03-24 22:24:14 -05:00
parent 6bf45ce941
commit 33ccad5bf6
3 changed files with 22 additions and 14 deletions
+4 -2
@@ -86,9 +86,11 @@ in
}; };
mtls = { mtls = {
enable = true; enable = true;
caURL = "https://janus.john-stream.com/";
provisioner = "admin";
subject = hostname; subject = hostname;
ca = {
url = "https://janus.john-stream.com/";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
};
san = [ san = [
"${hostname}" "${hostname}"
"192.168.1.85" "192.168.1.85"
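Review bot: `provisioner = "admin";` is dropped from this host's mtls block (the single-printed line after `enable = true;`) while the module in the third file still passes `--provisioner ${cfg.provisioner}` in its mtls-generate script, so unless the `provisioner` option now carries a default this host no longer evaluates; the commit message does not mention the removal, so either restore the line or add the default. The `url` and `fingerprint` literals added here are repeated verbatim in the second file's host config, which means a root CA rotation must be edited into every host file; a module-level default for `ca.url`/`ca.fingerprint` (or one shared constant the hosts import) would keep the pin in a single place. Pinning the root fingerprint per host is the right direction, since the defaults.json consumer can then verify the root certificate instead of trusting whatever the CA URL serves. The enclosing attribute set continues outside the hunk.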
+5 -7
@@ -50,12 +50,6 @@ in
shell.program = "zsh"; shell.program = "zsh";
docker.enable = true; docker.enable = true;
home.file.".step/config/defaults.json".text = builtins.toJSON {
"ca-url" = "https://janus.john-stream.com/";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
};
# sops.secrets."janus/admin_password" = { # sops.secrets."janus/admin_password" = {
# path = "${config.home.homeDirectory}/.janus"; # path = "${config.home.homeDirectory}/.janus";
# mode = "0400"; # mode = "0400";
@@ -66,12 +60,16 @@ in
mtls = { mtls = {
enable = true; enable = true;
subject = hostname; subject = hostname;
caURL = "https://janus.john-stream.com/"; ca = {
url = "https://janus.john-stream.com/";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
};
san = [ san = [
"${hostname}.john-stream.com" "${hostname}.john-stream.com"
"192.168.1.142" "192.168.1.142"
]; ];
lifetime = "1h"; lifetime = "1h";
renew.onCalendar = "*:3/15";
renew.postCommands = [ renew.postCommands = [
"${lib.getExe pkgs.docker} restart envoy" "${lib.getExe pkgs.docker} restart envoy"
]; ];
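Review bot: `renew.onCalendar = "*:3/15";` fires the renew unit every 15 minutes, and the context lines show `renew.postCommands` restarting envoy after each run; if the renew script (not visible in this hunk) calls `step ca renew` without an `--expires-in` threshold, envoy is restarted every 15 minutes whether or not the 1h certificate needed renewing. Either gate the renewal so the post-command only runs when a new certificate was written, e.g. `--expires-in 30m` on the renew call, or state in the option description that postCommands run on every timer tick. The mtls attribute set here is complete within the hunk, but the renew implementation it relies on lives outside it.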
+12 -4
@@ -3,10 +3,14 @@ let
# Options that will be in common between # Options that will be in common between
opts = { opts = {
enable = lib.mkEnableOption "Enable mTLS"; enable = lib.mkEnableOption "Enable mTLS";
caURL = lib.mkOption { ca = {
description = "URL to the certificate authority"; url = lib.mkOption {
type = lib.types.str; type = lib.types.str;
}; };
fingerprint = lib.mkOption {
type = lib.types.str;
};
};
subject = lib.mkOption { subject = lib.mkOption {
description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN."; description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN.";
type = lib.types.str; type = lib.types.str;
@@ -228,8 +232,6 @@ in
set -euo pipefail set -euo pipefail
${lib.getExe pkgs.step-cli} ca certificate \ ${lib.getExe pkgs.step-cli} ca certificate \
${cfg.subject} ${tlsCert} ${tlsKey} \ ${cfg.subject} ${tlsCert} ${tlsKey} \
--ca-url ${cfg.caURL} \
--root ${rootCA} \
--provisioner ${cfg.provisioner} \ --provisioner ${cfg.provisioner} \
--not-before=-5m --not-after=${cfg.lifetime} \ --not-before=-5m --not-after=${cfg.lifetime} \
${sanArgs} \ ${sanArgs} \
@@ -275,6 +277,12 @@ in
}; };
config = { config = {
home.file.".step/config/defaults.json".text = builtins.toJSON {
"ca-url" = cfg.ca.url;
fingerprint = cfg.ca.fingerprint;
root = "${cfg.certDir}/root_ca.crt";
};
home.packages = with pkgs; lib.optionals cfg.enable [ home.packages = with pkgs; lib.optionals cfg.enable [
step-cli step-cli
(writeShellScriptBin "mtls-generate" '' (writeShellScriptBin "mtls-generate" ''