soteria mtls cleanup

2026-03-24 22:01:07 -05:00
parent b6be6eba68
commit 6bf45ce941
1 changed files with 11 additions and 38 deletions
@@ -26,42 +26,6 @@ in
          hostname = hostname;
          caURL = caURL;
        };
-        sops.defaultSopsFile = ./secrets.yaml;
-        sops.secrets."janus/admin_password" = {
-          owner = "${hostname}";
-        };
-        # mtls = {
-        #   enable = true;
-        #   subject = hostname;
-        #   caURL = caURL;
-        #   san = [
-        #     "${hostname}.john-stream.com"
-        #     # "192.168.1.244"
-        #   ];
-        # };
-
-        # restic.envoy = {
-        #   enable = true;
-        #   port = 10000;
-        #   spiffePrefix = "spiffe://john-stream.com";
-        #   upstreamHost = "127.0.0.1";
-        #   upstreamPort = 8000;
-        #   logLevel = "debug";
-        #   policies = {
-        #     ubuntu-policy = {
-        #       pathPrefix = "/john-ubuntu";
-        #       principal = "spiffe://john-stream.com/ubuntu";
-        #     };
-        #     p14-policy = {
-        #       pathPrefix = "/john-p14s";
-        #       principal = "spiffe://john-stream.com/john-p14s";
-        #     };
-        #     gitea-policy = {
-        #       pathPrefix = "/gitea";
-        #       principal = "spiffe://john-stream.com/gitea";
-        #     };
-        #   };
-        # };

        home-manager.users."${username}" = {
          imports = with inputs.self.modules; [
@@ -72,17 +36,19 @@ in
    ];
  };

-  flake.modules.homeManager."${hostname}" = { config, ... }: {
+  flake.modules.homeManager."${hostname}" = { config, lib, pkgs, ... }: {
    imports = with inputs.self.modules; [
      homeManager.rebuild
      homeManager.mysops
      homeManager.mtls
+      homeManager.docker
    ];

    homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
    home.username = "${username}";
    home.homeDirectory = "/home/${username}";
    shell.program = "zsh";
+    docker.enable = true;

    home.file.".step/config/defaults.json".text = builtins.toJSON {
      "ca-url" = "https://janus.john-stream.com/";
@@ -90,6 +56,12 @@ in
      root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
    };

+    # sops.secrets."janus/admin_password" = {
+    #   path = "${config.home.homeDirectory}/.janus";
+    #   mode = "0400";
+    #   sopsFile = ./secrets.yaml;
+    # };
+
    mysops.hostSecretFile = "${config.xdg.configHome}/home-manager/modules/hosts/soteria/secrets.yaml";
    mtls = {
      enable = true;
@@ -99,8 +71,9 @@ in
        "${hostname}.john-stream.com"
        "192.168.1.142"
      ];
+      lifetime = "1h";
      renew.postCommands = [
-        "docker restart envoy"
+        "${lib.getExe pkgs.docker} restart envoy"
      ];
    };
  };