added mk functions for home manager side
@@ -74,37 +74,24 @@ let
|
||||
};
|
||||
};
|
||||
|
||||
mkMtlsRenewService = {
|
||||
mkMtlsRenewScript = {
|
||||
pkgs,
|
||||
tlsCert,
|
||||
tlsKey,
|
||||
mtlsBundle,
|
||||
reloadUnits ? [ ],
|
||||
postCommands ? [ ],
|
||||
user ? "root",
|
||||
group ? null,
|
||||
systemctlArgs ? [ ],
|
||||
}:
|
||||
let
|
||||
serviceGroup = if group == null then user else group;
|
||||
renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
|
||||
if ${lib.getExe' pkgs.systemd "systemctl"} --quiet is-active "${unit}"; then
|
||||
${lib.getExe' pkgs.systemd "systemctl"} try-reload-or-restart "${unit}"
|
||||
if ${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs} --quiet is-active "${unit}"; then
|
||||
${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs} try-reload-or-restart "${unit}"
|
||||
fi
|
||||
'') reloadUnits;
|
||||
renewPostCommands = lib.concatStringsSep "\n" postCommands;
|
||||
in
|
||||
{
|
||||
description = "Renew the mTLS certificate when Smallstep marks it ready";
|
||||
wantedBy = [ ];
|
||||
after = [ "network-online.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = user;
|
||||
Group = serviceGroup;
|
||||
};
|
||||
script = ''
|
||||
pkgs.writeShellScript "mtls-renew" ''
|
||||
set -euo pipefail
|
||||
|
||||
if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then
|
||||
@@ -135,9 +122,38 @@ let
|
||||
${renewReloadScript}
|
||||
${renewPostCommands}
|
||||
'';
|
||||
|
||||
mkNixosMtlsRenewService = {
|
||||
pkgs,
|
||||
tlsCert,
|
||||
tlsKey,
|
||||
mtlsBundle,
|
||||
reloadUnits ? [ ],
|
||||
postCommands ? [ ],
|
||||
user ? "root",
|
||||
group ? null,
|
||||
}:
|
||||
let
|
||||
serviceGroup = if group == null then user else group;
|
||||
renewScript = mkMtlsRenewScript {
|
||||
inherit pkgs tlsCert tlsKey mtlsBundle reloadUnits postCommands;
|
||||
};
|
||||
in
|
||||
{
|
||||
description = "Renew the mTLS certificate when Smallstep marks it ready";
|
||||
wantedBy = [ ];
|
||||
after = [ "network-online.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = user;
|
||||
Group = serviceGroup;
|
||||
};
|
||||
script = builtins.readFile renewScript;
|
||||
};
|
||||
|
||||
mkMtlsRenewTimer = {
|
||||
mkNixosMtlsRenewTimer = {
|
||||
onCalendar,
|
||||
randomizedDelaySec,
|
||||
unit ? "mtls-renew.service",
|
||||
@@ -153,7 +169,52 @@ let
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
mkHomeManagerMtlsRenewService = {
|
||||
pkgs,
|
||||
tlsCert,
|
||||
tlsKey,
|
||||
mtlsBundle,
|
||||
reloadUnits ? [ ],
|
||||
postCommands ? [ ],
|
||||
}:
|
||||
let
|
||||
renewScript = mkMtlsRenewScript {
|
||||
inherit pkgs tlsCert tlsKey mtlsBundle reloadUnits postCommands;
|
||||
systemctlArgs = [ "--user" ];
|
||||
};
|
||||
in
|
||||
{
|
||||
Unit = {
|
||||
Description = "Renew the mTLS certificate when Smallstep marks it ready";
|
||||
After = [ "network-online.target" ];
|
||||
Wants = [ "network-online.target" ];
|
||||
};
|
||||
Service = {
|
||||
Type = "oneshot";
|
||||
ExecStart = "${renewScript}";
|
||||
};
|
||||
};
|
||||
|
||||
mkHomeManagerMtlsRenewTimer = {
|
||||
onCalendar,
|
||||
randomizedDelaySec,
|
||||
unit ? "mtls-renew.service",
|
||||
}: {
|
||||
Unit = {
|
||||
Description = "Periodic Smallstep renewal for the mTLS certificate";
|
||||
};
|
||||
Timer = {
|
||||
Persistent = true;
|
||||
OnCalendar = onCalendar;
|
||||
AccuracySec = "1us";
|
||||
RandomizedDelaySec = randomizedDelaySec;
|
||||
Unit = unit;
|
||||
};
|
||||
Install = {
|
||||
WantedBy = [ "timers.target" ];
|
||||
};
|
||||
};
|
||||
|
||||
in
|
||||
{
|
||||
flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
|
||||
@@ -188,12 +249,12 @@ in
|
||||
'')
|
||||
];
|
||||
|
||||
systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewService {
|
||||
systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
|
||||
inherit pkgs tlsCert tlsKey mtlsBundle;
|
||||
inherit (cfg.renew) reloadUnits postCommands user group;
|
||||
});
|
||||
|
||||
systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewTimer {
|
||||
systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewTimer {
|
||||
inherit (cfg.renew) onCalendar randomizedDelaySec;
|
||||
});
|
||||
};
|
||||
@@ -237,14 +298,14 @@ in
|
||||
'')
|
||||
];
|
||||
|
||||
# systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewService {
|
||||
# inherit pkgs tlsCert tlsKey mtlsBundle;
|
||||
# inherit (cfg.renew) reloadUnits postCommands group;
|
||||
# });
|
||||
systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService {
|
||||
inherit pkgs tlsCert tlsKey mtlsBundle;
|
||||
inherit (cfg.renew) reloadUnits postCommands;
|
||||
});
|
||||
|
||||
# systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewTimer {
|
||||
# inherit (cfg.renew) onCalendar randomizedDelaySec;
|
||||
# });
|
||||
systemd.user.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewTimer {
|
||||
inherit (cfg.renew) onCalendar randomizedDelaySec;
|
||||
});
|
||||
};
|
||||
};
|
||||
}
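Review bot: `script = builtins.readFile renewScript;` in mkNixosMtlsRenewService turns the renewal script into an import-from-derivation — Nix must realize the writeShellScript output during evaluation to read it, which breaks evaluation wherever IFD is disabled — and it also pastes the file's shebang line and its own `set -euo pipefail` into the NixOS-generated wrapper; `script = "exec ${renewScript}";` (or `serviceConfig.ExecStart = renewScript;`, which is what mkHomeManagerMtlsRenewService already does) keeps the script an ordinary build-time reference. A smaller asymmetry in the same pair of functions: the NixOS service sets `path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ]`, but the home-manager Service sets no PATH at all, so if the renewal body (outside this view) or a caller's postCommands uses bare coreutils names, the user service would depend on whatever PATH the user instance happens to inherit — either add `Environment = [ "PATH=${lib.makeBinPath [ pkgs.coreutils pkgs.step-cli pkgs.systemd ]}" ];` to Service or document that the script is expected to use absolute paths only. The commented-out mkMtlsRenewService/mkMtlsRenewTimer calls left in the home-manager module are dead code now that the systemd.user variants replace them and can be deleted rather than kept as comments.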
|
||||