generalized mtls-renew script

This commit is contained in:
John Lancaster
2026-03-16 12:28:05 -05:00
parent 7b258b3eb9
commit 5fb80498b5


@@ -91,7 +91,7 @@ let
'') reloadUnits; '') reloadUnits;
renewPostCommands = lib.concatStringsSep "\n" postCommands; renewPostCommands = lib.concatStringsSep "\n" postCommands;
in in
pkgs.writeShellScript "mtls-renew" '' pkgs.writeShellScriptBin "mtls-renew" ''
set -euo pipefail set -euo pipefail
if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then
@@ -104,7 +104,7 @@ let
${lib.getExe pkgs.step-cli} ca renew --force "${tlsCert}" "${tlsKey}" ${lib.getExe pkgs.step-cli} ca renew --force "${tlsCert}" "${tlsKey}"
umask 077 umask 077
cat "${tlsCert}" "${tlsKey}" > "${mtlsBundle}" ${lib.getExe' pkgs.coreutils "cat"} "${tlsCert}" "${tlsKey}" > "${mtlsBundle}"
${renewReloadScript} ${renewReloadScript}
${renewPostCommands} ${renewPostCommands}
@@ -131,13 +131,12 @@ let
wantedBy = [ ]; wantedBy = [ ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = user; User = user;
Group = serviceGroup; Group = serviceGroup;
ExecStart = lib.getExe renewScript;
}; };
script = builtins.readFile renewScript;
}; };
mkNixosMtlsRenewTimer = { mkNixosMtlsRenewTimer = {
@@ -178,7 +177,7 @@ let
}; };
Service = { Service = {
Type = "oneshot"; Type = "oneshot";
ExecStart = "${renewScript}"; ExecStart = lib.getExe renewScript;
}; };
}; };
@@ -283,6 +282,7 @@ in
-ext subjectAltName,extendedKeyUsage \ -ext subjectAltName,extendedKeyUsage \
-enddate -in ${mtlsBundle} -enddate -in ${mtlsBundle}
'') '')
(mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; })
]; ];
systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService { systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService {