From 3800ae7502c6c23f3ec1f2181618427397b5f425 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sun, 15 Mar 2026 20:32:49 -0500
Subject: [PATCH] mtls options

---
 modules/hosts/janus.nix | 1 +
 modules/services/step-ca/mtls.nix | 54 +++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 modules/services/step-ca/mtls.nix

diff --git a/modules/hosts/janus.nix b/modules/hosts/janus.nix
index 985e7ff..f914aee 100644
--- a/modules/hosts/janus.nix
+++ b/modules/hosts/janus.nix
@@ -14,6 +14,7 @@ in
 nixos.zsh
 nixos.docker
 nixos.login-text
+ nixos.mtls
 {
 networking.hostName = hostname;
 step-ssh-host = {
diff --git a/modules/services/step-ca/mtls.nix b/modules/services/step-ca/mtls.nix
new file mode 100644
index 0000000..fa6c54e
--- /dev/null
+++ b/modules/services/step-ca/mtls.nix
@@ -0,0 +1,54 @@
+{ inputs, ... }:
+{
+ flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
+ let
+ certDir = config.mtls.certDir;
+ tlsKey = "${certDir}/${config.mtls.keyFilename}";
+ tlsCert = "${certDir}/${config.mtls.certFilename}";
+ mtlsBundle = "${certDir}/${config.mtls.bundleFilename}";
+ in
+ {
+ options.mtls = {
+ enable = lib.mkEnableOption "Enable mTLS";
+ certDir = lib.mkOption {
+ description = "String path to where the mtls certs will be stored.";
+ type = lib.types.str;
+ default = "/var/lib/tls";
+ };
+ keyFilename = lib.mkOption {
+ description = "String filename for the private key";
+ type = lib.types.str;
+ default = "key.pem";
+ };
+ certFilename = lib.mkOption {
+ description = "String filename for the public certificate";
+ type = lib.types.str;
+ default = "cert.pem";
+ };
+ bundleFilename = lib.mkOption {
+ description = "String filename for the mTLS key bundle";
+ type = lib.types.str;
+ default = "mtls.pem";
+ };
+ };
+
+ config = {
+ environment.systemPackages = with pkgs; [
+ (writeShellScriptBin "mtls-generate" ''
+ ${lib.getExe pkgs.step-cli} ca certificate \
+ john-pc-ubuntu ${tlsCert} ${tlsKey} \
+ --provisioner admin \
+ --san 192.168.1.85 \
+ --san spiffe://john-stream.com/ubuntu
+ cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
+ '')
+ (writeShellScriptBin "mtls-check" ''
+ ${lib.getExe pkgs.openssl} x509 \
+ -noout -subject -issuer \
+ -ext subjectAltName,extendedKeyUsage \
+ -enddate -in ${mtlsBundle}
+ '')
+ ];
+ };
+ };
+}
\ No newline at end of file
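Review bot: `cat ${tlsCert} ${tlsKey} > ${mtlsBundle}` in mtls-generate writes a file that contains the private key using the invoking shell's default umask, so with the usual 022 the bundle in `/var/lib/tls` ends up world-readable, and because writeShellScriptBin adds no `set -e` a failed `step ca certificate` still runs the `cat` and nothing creates certDir first. Tighten the umask before the bundle is written and fail fast, as sketched below. `mtls.enable` is declared but `config` is never gated on it, so importing the module (as the janus.nix hunk now does) installs both scripts unconditionally; `config = lib.mkIf config.mtls.enable {` would make the option meaningful, though the host would then have to set it and I cannot see from this diff whether janus does. Minor: `lib.mkEnableOption "Enable mTLS"` renders as "Whether to enable Enable mTLS.", so `lib.mkEnableOption "mTLS"` reads correctly, and the subject `john-pc-ubuntu` plus the two `--san` values are hard-coded in the script while the filenames are options — consider exposing them the same way.
```nix
 config = lib.mkIf config.mtls.enable {
 environment.systemPackages = with pkgs; [
 (writeShellScriptBin "mtls-generate" ''
 set -euo pipefail
 mkdir -p ${certDir}
 # … unchanged: step ca certificate invocation …
 umask 077
 cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
 '')
 # … unchanged: mtls-check …
 ];
 };
```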