added mk functions for home manager side

This commit is contained in:
John Lancaster
2026-03-16 12:04:23 -05:00
parent 3af6ab0819
commit 4af0cf7ca7


@@ -74,37 +74,24 @@ let
}; };
}; };
mkMtlsRenewService = { mkMtlsRenewScript = {
pkgs, pkgs,
tlsCert, tlsCert,
tlsKey, tlsKey,
mtlsBundle, mtlsBundle,
reloadUnits ? [ ], reloadUnits ? [ ],
postCommands ? [ ], postCommands ? [ ],
user ? "root", systemctlArgs ? [ ],
group ? null,
}: }:
let let
serviceGroup = if group == null then user else group;
renewReloadScript = lib.concatMapStringsSep "\n" (unit: '' renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
if ${lib.getExe' pkgs.systemd "systemctl"} --quiet is-active "${unit}"; then if ${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs} --quiet is-active "${unit}"; then
${lib.getExe' pkgs.systemd "systemctl"} try-reload-or-restart "${unit}" ${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs} try-reload-or-restart "${unit}"
fi fi
'') reloadUnits; '') reloadUnits;
renewPostCommands = lib.concatStringsSep "\n" postCommands; renewPostCommands = lib.concatStringsSep "\n" postCommands;
in in
{ pkgs.writeShellScript "mtls-renew" ''
description = "Renew the mTLS certificate when Smallstep marks it ready";
wantedBy = [ ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ];
serviceConfig = {
Type = "oneshot";
User = user;
Group = serviceGroup;
};
script = ''
set -euo pipefail set -euo pipefail
if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then
@@ -135,9 +122,38 @@ let
${renewReloadScript} ${renewReloadScript}
${renewPostCommands} ${renewPostCommands}
''; '';
mkNixosMtlsRenewService = {
pkgs,
tlsCert,
tlsKey,
mtlsBundle,
reloadUnits ? [ ],
postCommands ? [ ],
user ? "root",
group ? null,
}:
let
serviceGroup = if group == null then user else group;
renewScript = mkMtlsRenewScript {
inherit pkgs tlsCert tlsKey mtlsBundle reloadUnits postCommands;
};
in
{
description = "Renew the mTLS certificate when Smallstep marks it ready";
wantedBy = [ ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ];
serviceConfig = {
Type = "oneshot";
User = user;
Group = serviceGroup;
};
script = builtins.readFile renewScript;
}; };
mkMtlsRenewTimer = { mkNixosMtlsRenewTimer = {
onCalendar, onCalendar,
randomizedDelaySec, randomizedDelaySec,
unit ? "mtls-renew.service", unit ? "mtls-renew.service",
@@ -153,7 +169,52 @@ let
}; };
}; };
mkHomeManagerMtlsRenewService = {
pkgs,
tlsCert,
tlsKey,
mtlsBundle,
reloadUnits ? [ ],
postCommands ? [ ],
}:
let
renewScript = mkMtlsRenewScript {
inherit pkgs tlsCert tlsKey mtlsBundle reloadUnits postCommands;
systemctlArgs = [ "--user" ];
};
in
{
Unit = {
Description = "Renew the mTLS certificate when Smallstep marks it ready";
After = [ "network-online.target" ];
Wants = [ "network-online.target" ];
};
Service = {
Type = "oneshot";
ExecStart = "${renewScript}";
};
};
mkHomeManagerMtlsRenewTimer = {
onCalendar,
randomizedDelaySec,
unit ? "mtls-renew.service",
}: {
Unit = {
Description = "Periodic Smallstep renewal for the mTLS certificate";
};
Timer = {
Persistent = true;
OnCalendar = onCalendar;
AccuracySec = "1us";
RandomizedDelaySec = randomizedDelaySec;
Unit = unit;
};
Install = {
WantedBy = [ "timers.target" ];
};
};
in in
{ {
flake.modules.nixos.mtls = { config, lib, pkgs, ... }: flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
@@ -188,12 +249,12 @@ in
'') '')
]; ];
systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewService { systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
inherit pkgs tlsCert tlsKey mtlsBundle; inherit pkgs tlsCert tlsKey mtlsBundle;
inherit (cfg.renew) reloadUnits postCommands user group; inherit (cfg.renew) reloadUnits postCommands user group;
}); });
systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewTimer { systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewTimer {
inherit (cfg.renew) onCalendar randomizedDelaySec; inherit (cfg.renew) onCalendar randomizedDelaySec;
}); });
}; };
@@ -237,14 +298,14 @@ in
'') '')
]; ];
# systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewService { systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService {
# inherit pkgs tlsCert tlsKey mtlsBundle; inherit pkgs tlsCert tlsKey mtlsBundle;
# inherit (cfg.renew) reloadUnits postCommands group; inherit (cfg.renew) reloadUnits postCommands;
# }); });
# systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkMtlsRenewTimer { systemd.user.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewTimer {
# inherit (cfg.renew) onCalendar randomizedDelaySec; inherit (cfg.renew) onCalendar randomizedDelaySec;
# }); });
}; };
}; };
} }
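Review bot: `script = builtins.readFile renewScript;` in mkNixosMtlsRenewService reads the output of the `pkgs.writeShellScript` derivation during evaluation, which is import-from-derivation: the renew script has to be built before the module can even be evaluated, and evaluation fails wherever IFD is disabled (for example `nix flake check` with `allow-import-from-derivation = false`). The NixOS `script` option already wraps its value in a shell, so executing the store path is enough and keeps the build at realisation time: `script = "exec ${renewScript}";` (or `serviceConfig.ExecStart = "${renewScript}";`, as mkHomeManagerMtlsRenewService already does). Separately, the Home Manager unit has no counterpart to the NixOS `path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ]`; the visible lines of the script use absolute `lib.getExe` paths, but if the renewal body hidden between the first two hunks calls coreutils unqualified it now depends on whatever PATH the user session provides, so consider `Service.Environment = [ "PATH=${lib.makeBinPath [ pkgs.coreutils pkgs.step-cli pkgs.systemd ]}" ];`.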