diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index 02fe517..e5453c7 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -114,17 +114,6 @@ let
 printf '\033[32m✔\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
 '';
 };
-
- mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellApplication {
- name = "mtls-check";
- runtimeInputs = with pkgs; [ openssl ];
- text = ''
- openssl x509 -noout -in ${bundleFile} \
- -subject -issuer \
- -ext subjectAltName,extendedKeyUsage \
- -enddate
- '';
- };
 
 mkMtlsRenewScript = {
 pkgs,
@@ -291,7 +280,10 @@ in
 inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime;
 inherit (cfg.renew) user group;
 })
- (mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; })
+ (inputs.self.wrappers.mtlsCheck.apply {
+ inherit pkgs;
+ inherit (cfg) bundleFile;
+ }).wrapper
 (mkMtlsRenewScript { inherit pkgs cfg; })
 ];
 
@@ -334,7 +326,10 @@ in
 inherit (cfg) subject provisioner san lifetime;
 inherit (cfg.renew) user group;
 })
- (mkMtlsCheckScript { inherit pkgs bundleFile; })
+ (inputs.self.wrappers.mtlsCheck.apply {
+ inherit pkgs;
+ inherit (cfg) bundleFile;
+ }).wrapper
 # (mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })
 (inputs.self.wrappers.mtlsRenew.apply {
 inherit pkgs;
@@ -356,6 +351,29 @@ in
 };
 
 flake.wrappers = {
+ mtlsCheck = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
+ options = {
+ bundleFile = lib.mkOption {
+ description = "String path for the mTLS key bundle";
+ type = lib.types.str;
+ };
+ };
+
+ config = {
+ binName = "mtls-check";
+ package = config.pkgs.openssl;
+ args = [
+ "x509"
+ "-noout"
+ "-in" config.bundleFile
+ "-subject"
+ "-issuer"
+ "-ext" "subjectAltName,extendedKeyUsage"
+ "-enddate"
+ ];
+ };
+ });
+
 mtlsNeedsRenewal = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
 options = {
 certFile = lib.mkOption {
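Review bot: In the third hunk (`@@ -334,7 +326,10 @@`) the new wrapper call passes `inherit (cfg) bundleFile;`, whereas the removed call passed the enclosing scope's own binding with `inherit pkgs bundleFile;`, and unlike the system-level block two hunks earlier the context lines here do not take `bundleFile` from `cfg` at all — so this block appears to point `mtls-check` at a different file than it inspected before. If the local `bundleFile` is a user-specific path derived from `cfg` (which the hunk suggests but does not show), the check now reads the wrong bundle; either restore the previous argument with `inherit pkgs bundleFile;` or confirm that `cfg.bundleFile` is the file the user-level service actually writes. The list expression this hunk edits starts and ends outside the hunk.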
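Review bot: In the last hunk the new `bundleFile` option of `mtlsCheck` is typed `lib.types.str` with no comment explaining the choice, and because the description calls it a key bundle the type is security-relevant: a `lib.types.path` (or a string interpolated from a store path) would copy the bundle, private key included, into the world-readable Nix store, while a plain string keeps it a runtime path that openssl opens when the wrapper runs. A one-line comment above the option would keep a future cleanup from "fixing" it: `# Deliberately a str, not a path: the bundle may hold a private key and must never be copied into the Nix store.` It is also worth noting in that comment that `-noout` keeps the command from echoing any part of the bundle, so the tool only prints parsed certificate metadata. The `mtlsNeedsRenewal` definition that follows continues beyond the hunk.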