From 710f13ace41071956390a0254d49ea3e27fc5daa Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sat, 4 Apr 2026 09:33:08 -0500
Subject: [PATCH] renew script tweaks

---
 modules/features/mtls.nix | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index 054cabc..e1c52e5 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -139,12 +139,11 @@ let
   echoCmd = lib.getExe' pkgs.coreutils "echo";
   chownCmd = lib.getExe' pkgs.coreutils "chown";
   chmodCmd = lib.getExe' pkgs.coreutils "chmod";
-  systemctl = lib.getExe' pkgs.systemd "systemctl";
-  escapedArgs = lib.escapeShellArgs systemctlArgs;
-  systemctlCommand = "${systemctl} ${escapedArgs}";
+  stepCmd = lib.getExe pkgs.step-cli;
+  systemctlCmd = "${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs}";
   renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
-    if ${systemctlCommand} --quiet is-active "${unit}"; then
-      ${systemctlCommand} try-reload-or-restart "${unit}"
+    if ${systemctlCmd} --quiet is-active "${unit}"; then
+      ${systemctlCmd} try-reload-or-restart "${unit}"
     fi
   '') reloadUnits;
   renewPostCommands = lib.concatStringsSep "\n" postCommands;
@@ -152,14 +151,14 @@ let
   pkgs.writeShellScriptBin "mtls-renew" ''
     set -euo pipefail

-    if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${certFile}"; then
+    if ${stepCmd} certificate needs-renewal "${certFile}"; then
       ${echoCmd} "Renewing mTLS certificate"
     else
       ${echoCmd} "Skipping renew"
       exit "$?"
     fi

-    ${lib.getExe pkgs.step-cli} ca renew --force "${certFile}" "${keyFile}"
+    ${stepCmd} ca renew --force "${certFile}" "${keyFile}"
     (umask 077; ${catCmd} "${certFile}" "${keyFile}" > "${bundleFile}")
     ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
     ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
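Review bot: The new `systemctlCmd` binding escapes `systemctlArgs` with `lib.escapeShellArgs`, but the rewritten `is-active` and `try-reload-or-restart` lines in `renewReloadScript` still splice `${unit}` into the shell inside plain double quotes, so a unit name containing `$`, a backtick or `"` would be expanded or would break the generated script. Escaping the unit the same way keeps the two consistent: `if ${systemctlCmd} --quiet is-active ${lib.escapeShellArg unit}; then` and `${systemctlCmd} try-reload-or-restart ${lib.escapeShellArg unit}`. `reloadUnits` presumably comes from module options set by the administrator rather than from untrusted input, so this is hardening and consistency rather than a hole I can point to.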
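Review bot: `exit "$?"` in the else branch of the `needs-renewal` check always exits 0, because by the time it runs `$?` holds the status of the preceding `${echoCmd} "Skipping renew"`, not of `${stepCmd} certificate needs-renewal`; a step-cli failure there (unreadable or missing cert, bad path) is reported exactly like "renewal not yet due", so whatever timer or unit drives `mtls-renew` never sees that renewal is silently not happening until the cert expires. Capture the status first: `else` / `rc=$?` / `${echoCmd} "Skipping renew"; exit "$rc"`. Whether step-cli distinguishes "not due" from an error by exit code is not visible in the hunk, so it may also be worth logging `$rc` in the message. Separately, the `chown`/`chmod` lines interpolate `${certFile}`, `${keyFile}` and `${bundleFile}` unquoted while the step invocations quote them; quoting all three keeps the script robust to paths with spaces. The `writeShellScriptBin` body appears to continue past the hunk.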