john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

WIP CA bootstrap rework

Browse Source
This commit is contained in:
John Lancaster
2026-03-25 17:55:31 -05:00
parent f8c09878a1
commit 7b0f419454
7 changed files with 11 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/services/step-ca/mtls.nix
-16
View File
@@ -3,14 +3,6 @@ let
# Options that will be in common between
opts = {
enable = lib.mkEnableOption "Enable mTLS";
ca = {
url = lib.mkOption {
type = lib.types.str;
};
fingerprint = lib.mkOption {
type = lib.types.str;
};
};
subject = lib.mkOption {
description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN.";
type = lib.types.str;
@@ -221,7 +213,6 @@ in
tlsKey = "${certDir}/${cfg.keyFilename}";
tlsCert = "${certDir}/${cfg.certFilename}";
mtlsBundle = "${certDir}/${cfg.bundleFilename}";
rootCA = "${certDir}/root_ca.crt";
sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
in
{
@@ -264,7 +255,6 @@ in
tlsKey = "${certDir}/${cfg.keyFilename}";
tlsCert = "${certDir}/${cfg.certFilename}";
mtlsBundle = "${certDir}/${cfg.bundleFilename}";
rootCA = "${certDir}/root_ca.crt";
sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
in
{
@@ -277,12 +267,6 @@ in
};
config = {
home.file.".step/config/defaults.json".text = builtins.toJSON {
"ca-url" = cfg.ca.url;
fingerprint = cfg.ca.fingerprint;
root = "${cfg.certDir}/root_ca.crt";
};
home.packages = with pkgs; lib.optionals cfg.enable [
step-cli
(writeShellScriptBin "mtls-generate" ''
modules/services/step-ca/ssh-host.nix
-6
View File
@@ -14,10 +14,6 @@
description = "Networking host name";
type = lib.types.str;
};
caURL = lib.mkOption {
description = "URL for the certificate authority";
type = lib.types.str;
};
rootCertFile = {
path = lib.mkOption {
description = "String path to where the root_ca.crt file will be stored for the user";
@@ -55,8 +51,6 @@
(writeShellScriptBin "ssh-host-cert-renew" ''
${lib.getExe pkgs.step-cli} ssh certificate \
--host --sign \
--root "${rootCertPath}" \
--ca-url ${cfg.caURL} \
--provisioner "${cfg.provisioner}" \
--provisioner-password-file "${provisionerPasswordPath}" \
--principal "${cfg.hostname}" \