From 4af0cf7ca756ff7edb21ba2378c99072643279bf Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Mon, 16 Mar 2026 12:04:23 -0500
Subject: [PATCH] added mk functions for home manager side
---
 modules/services/step-ca/mtls.nix | 119 ++++++++++++++++++++++--------
 1 file changed, 90 insertions(+), 29 deletions(-)
diff --git a/modules/services/step-ca/mtls.nix b/modules/services/step-ca/mtls.nix
index 8e4ebeb..f55c1d5 100644
--- a/modules/services/step-ca/mtls.nix
+++ b/modules/services/step-ca/mtls.nix
@@ -74,37 +74,24 @@ let
 };
 };
- mkMtlsRenewService = {
+ mkMtlsRenewScript = {
 pkgs,
 tlsCert,
 tlsKey,
 mtlsBundle,
 reloadUnits ? [ ],
 postCommands ? [ ],
- user ? "root",
- group ? null,
+ systemctlArgs ? [ ],
 }:
 let
- serviceGroup = if group == null then user else group;
 renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
- if ${lib.getExe' pkgs.systemd "systemctl"} --quiet is-active "${unit}"; then
- ${lib.getExe' pkgs.systemd "systemctl"} try-reload-or-restart "${unit}"
+ if ${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs} --quiet is-active "${unit}"; then
+ ${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs} try-reload-or-restart "${unit}"
 fi
 '') reloadUnits;
 renewPostCommands = lib.concatStringsSep "\n" postCommands;
 in
- {
- description = "Renew the mTLS certificate when Smallstep marks it ready";
- wantedBy = [ ];
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ];
- serviceConfig = {
- Type = "oneshot";
- User = user;
- Group = serviceGroup;
- };
- script = ''
+ pkgs.writeShellScript "mtls-renew" ''
 set -euo pipefail
 if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then
@@ -135,9 +122,38 @@ let
 ${renewReloadScript}
 ${renewPostCommands}
 '';
+
+ mkNixosMtlsRenewService = {
+ pkgs,
+ tlsCert,
+ tlsKey,
+ mtlsBundle,
+ reloadUnits ? [ ],
+ postCommands ? [ ],
+ user ? "root",
+ group ? null,
+ }:
+ let
+ serviceGroup = if group == null then user else group;
+ renewScript = mkMtlsRenewScript {
+ inherit pkgs tlsCert tlsKey mtlsBundle reloadUnits postCommands;
+ };
+ in
+ {
+ description = "Renew the mTLS certificate when Smallstep marks it ready";
+ wantedBy = [ ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ];
+ serviceConfig = {
+ Type = "oneshot";
+ User = user;
+ Group = serviceGroup;
+ };
+ script = builtins.readFile renewScript;
 };
- mkMtlsRenewTimer = {
+ mkNixosMtlsRenewTimer = {
 onCalendar,
 randomizedDelaySec,
 unit ? "mtls-renew.service",
@@ -153,7 +169,52 @@ let
 };
 };
-
+ mkHomeManagerMtlsRenewService = {
+ pkgs,
+ tlsCert,
+ tlsKey,
+ mtlsBundle,
+ reloadUnits ? [ ],
+ postCommands ? [ ],
+ }:
+ let
+ renewScript = mkMtlsRenewScript {
+ inherit pkgs tlsCert tlsKey mtlsBundle reloadUnits postCommands;
+ systemctlArgs = [ "--user" ];
+ };
+ in
+ {
+ Unit = {
+ Description = "Renew the mTLS certificate when Smallstep marks it ready";
+ After = [ "network-online.target" ];
+ Wants = [ "network-online.target" ];
+ };
+ Service = {
+ Type = "oneshot";
+ ExecStart = "${renewScript}";
+ };
+ };
+
+ mkHomeManagerMtlsRenewTimer = {
+ onCalendar,
+ randomizedDelaySec,
+ unit ? "mtls-renew.service",
+ }: {
+ Unit = {
+ Description = "Periodic Smallstep renewal for the mTLS certificate";
+ };
+ Timer = {
+ Persistent = true;
+ OnCalendar = onCalendar;
+ AccuracySec = "1us";
+ RandomizedDelaySec = randomizedDelaySec;
+ Unit = unit;
+ };
+ Install = {
+ WantedBy = [ "timers.target" ];
+ };
+ };
+
 in
 {
 flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
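Review bot: `script = builtins.readFile renewScript;` in mkNixosMtlsRenewService reads the output of `pkgs.writeShellScript` back into the module at evaluation time, which forces that derivation to be realised during evaluation (import-from-derivation) and also pastes its `#!` line into the NixOS-generated script as a stray comment. Referencing the store path instead keeps evaluation pure and matches what the Home Manager variant already does: replace the `script` line with `serviceConfig.ExecStart = "${renewScript}";` (the `path` list still sets PATH for the unit), or use `script = "exec ${renewScript}";` if you prefer to keep the `script` option. A one-line comment on `renewScript` saying it is the shared `mkMtlsRenewScript` output, so that `user`/`group` apply only to the unit and not to the script's contents, would also help the next reader.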
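Review bot: mkHomeManagerMtlsRenewService gives the unit no PATH, while mkNixosMtlsRenewService sets `path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ]`; the shared script invokes step and systemctl by absolute path, but user-supplied `postCommands` run with whatever PATH the user manager inherits, so the same configuration behaves differently on the two sides. Adding `Environment = [ "PATH=${lib.makeBinPath [ pkgs.coreutils pkgs.step-cli pkgs.systemd ]}" ];` next to `ExecStart` in the Service section restores parity. Separately, to my knowledge the systemd user instance does not provide `network-online.target` by default, so the `After`/`Wants` entries in the Unit section are probably inert there; either document that in a comment or drop them from the user variant.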
@@ -188,12 +249,12 @@ in
 '')
 ];
- systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewService {
+ systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
 inherit pkgs tlsCert tlsKey mtlsBundle;
 inherit (cfg.renew) reloadUnits postCommands user group;
 });
- systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewTimer {
+ systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewTimer {
 inherit (cfg.renew) onCalendar randomizedDelaySec;
 });
 };
@@ -237,14 +298,14 @@ in
 '')
 ];
- # systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewService {
- # inherit pkgs tlsCert tlsKey mtlsBundle;
- # inherit (cfg.renew) reloadUnits postCommands group;
- # });
+ systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService {
+ inherit pkgs tlsCert tlsKey mtlsBundle;
+ inherit (cfg.renew) reloadUnits postCommands;
+ });
- # systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewTimer {
- # inherit (cfg.renew) onCalendar randomizedDelaySec;
- # });
+ systemd.user.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewTimer {
+ inherit (cfg.renew) onCalendar randomizedDelaySec;
+ });
 };
 };
}
\ No newline at end of file
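Review bot: The Home Manager call site in the second hunk forwards only `reloadUnits postCommands` from `cfg.renew`, whereas the commented-out version it replaces also forwarded `group`; if this module still declares a `renew.group` option (the option declarations are outside the hunk), a user setting it now gets no effect and no error. Either remove that option from the Home Manager module or make the mismatch visible, e.g. `assertions = [ { assertion = cfg.renew.group == null; message = "renew.group has no effect for the Home Manager mtls module"; } ];` in the same config block. The enclosing module attrset starts and ends outside this hunk.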