diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix index 063352e..e4e6478 100644 --- a/modules/features/mtls.nix +++ b/modules/features/mtls.nix @@ -7,6 +7,10 @@ let description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN."; type = lib.types.str; }; + certDir = lib.mkOption { + description = "String path to the directory where the certs will be stored"; + type = lib.types.str; + }; keyFilename = lib.mkOption { description = "String filename for the private key"; type = lib.types.str; @@ -74,7 +78,7 @@ let }; }; - mtlsGenerate = { + mkMtlsGenerateScript = { pkgs, subject, provisioner, @@ -88,16 +92,23 @@ let stepCmd = lib.getExe pkgs.step-cli; sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san; in - (pkgs.writeShellScriptBin "mtls-generate" '' - set -euo pipefail - ${stepCmd} ca certificate \ - ${subject} ${tlsCert} ${tlsKey} \ - --not-before=-5m --not-after=${lifetime} \ - --provisioner ${provisioner} \ - ${sanArgs} \ - "$@" - cat ${tlsCert} ${tlsKey} > ${mtlsBundle} - ''); + pkgs.writeShellScriptBin "mtls-generate" '' + set -euo pipefail + ${stepCmd} ca certificate \ + ${subject} ${tlsCert} ${tlsKey} \ + --not-before=-5m --not-after=${lifetime} \ + --provisioner ${provisioner} \ + ${sanArgs} \ + "$@" + cat ${tlsCert} ${tlsKey} > ${mtlsBundle} + ''; + + mkMtlsCheckScript = mtlsBundle: pkgs.writeShellScriptBin "mtls-check" '' + ${lib.getExe pkgs.openssl} x509 \ + -noout -subject -issuer \ + -ext subjectAltName,extendedKeyUsage \ + -enddate -in ${mtlsBundle} + '' mkMtlsRenewScript = { pkgs, 
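Review bot: The `certDir` option added to the shared `opts` set in the `@@ -7,6 +7,10 @@` hunk carries no default, and the NixOS module body in this same commit immediately shadows it with `options.mtls = opts // { certDir = lib.mkOption { ... default = "/etc/step/certs"; }; };` (the home-manager module already does the same), so this shared definition never takes effect and its description text already diverges from the per-module copies. It would be cleaner to keep one definition and have each module only supply the default, e.g. `certDir = opts.certDir // { default = "/etc/step/certs"; };`, or to drop this shared entry. The enclosing `opts` attribute set starts and ends outside the hunk.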
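Review bot: In the `@@ -88,16 +92,23 @@` hunk the new `mkMtlsCheckScript` binding ends with a bare `''` and no terminating `;` before the following `mkMtlsRenewScript = {`, which is a Nix parse error as shown. It also reads `pkgs` and `lib` from the enclosing `let`, while the sibling `mkMtlsGenerateScript` right above takes `pkgs` as a parameter, so `pkgs` is presumably not in scope here; a signature matching its siblings, `mkMtlsCheckScript = { pkgs, mtlsBundle }: pkgs.writeShellScriptBin "mtls-check" ''`, closed with `'';`, would fix both. Separately, `cat ${tlsCert} ${tlsKey} > ${mtlsBundle}` in the generate script writes a file that contains the private key using the caller's umask, so whatever mode the key file was given is not carried over to the bundle; adding `umask 077` right after `set -euo pipefail` keeps the bundle owner-only. `${subject}` is interpolated into the shell line unquoted, so a subject with spaces or shell metacharacters would be split or interpreted; `lib.escapeShellArg subject` avoids that.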
@@ -238,26 +249,29 @@ in flake.modules.nixos.mtls = { config, lib, pkgs, ... }: let cfg = config.mtls; - certDir = "/etc/step/certs"; - tlsKey = "${certDir}/${cfg.keyFilename}"; - tlsCert = "${certDir}/${cfg.certFilename}"; - mtlsBundle = "${certDir}/${cfg.bundleFilename}"; + tlsKey = "${cfg.certDir}/${cfg.keyFilename}"; + tlsCert = "${cfg.certDir}/${cfg.certFilename}"; + mtlsBundle = "${cfg.certDir}/${cfg.bundleFilename}"; sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; in { - options.mtls = opts; + options.mtls = opts // { + certDir = lib.mkOption { + description = "String path to where the mtls certs will be stored."; + type = lib.types.str; + default = "/etc/step/certs"; + }; + }; + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; lib.optionals cfg.enable [ - (mtlsGenerate { + step-cli + (mkMtlsGenerateScript { inherit (cfg) subject provisioner san lifetime; inherit pkgs tlsCert tlsKey mtlsBundle; }) - (writeShellScriptBin "mtls-check" '' - ${lib.getExe pkgs.openssl} x509 \ - -noout -subject -issuer \ - -ext subjectAltName,extendedKeyUsage \ - -enddate -in ${mtlsBundle} - '') + (mkMtlsCheckScript { inherit (cfg) mtlsBundle; }) + (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; }) ]; systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService { 
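Review bot: The new call `(mkMtlsCheckScript { inherit (cfg) mtlsBundle; })` will fail at evaluation: `cfg` is `config.mtls`, and no `mtlsBundle` option exists on it in this hunk — `mtlsBundle` is the `let`-bound path built from `cfg.certDir` and `cfg.bundleFilename` a few lines above — so `inherit (cfg) mtlsBundle` raises a missing-attribute error. The helper as introduced in the earlier hunk also takes a single positional path rather than an attribute set, so the call should be `(mkMtlsCheckScript mtlsBundle)`, or, if the helper is given a `{ pkgs, mtlsBundle }` signature like its neighbours, `(mkMtlsCheckScript { inherit pkgs mtlsBundle; })` to match the adjacent `mkMtlsRenewScript` call. The same call shape appears in the home-manager module below and presumably needs the same correction. The `flake.modules.nixos.mtls` module body continues past the end of this hunk.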
@@ -284,23 +298,18 @@ in certDir = lib.mkOption { description = "String path to where the mtls certs will be stored."; type = lib.types.str; - default ="${config.home.homeDirectory}/.step/certs"; + default = "${config.home.homeDirectory}/.step/certs"; }; }; config = { home.packages = with pkgs; lib.optionals cfg.enable [ step-cli - (mtlsGenerate { + (mkMtlsGenerateScript { inherit (cfg) subject provisioner san lifetime; inherit pkgs tlsCert tlsKey mtlsBundle; }) - (writeShellScriptBin "mtls-check" '' - ${lib.getExe pkgs.openssl} x509 \ - -noout -subject -issuer \ - -ext subjectAltName,extendedKeyUsage \ - -enddate -in ${mtlsBundle} - '') + (mkMtlsCheckScript { inherit (cfg) mtlsBundle; }) (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; }) ];