diff --git a/modules/hosts/janus/default.nix b/modules/hosts/janus/default.nix
index 4f0432b..29cf427 100644
--- a/modules/hosts/janus/default.nix
+++ b/modules/hosts/janus/default.nix
@@ -2,12 +2,36 @@
 let
 username = "john";
 hostname = "janus";
+ ca-url = "https://janus.john-stream.com/";
+ fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
+
 in
 {
+ flake.modules.nixos.janus-ca = { config, lib, ... }:
+ let
+ johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config;
+ johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config;
+ mkStepRules = home: user: group: [
+ "d ${home}/.step 0700 ${user} ${group} -"
+ "d ${home}/.step/config 0700 ${user} ${group} -"
+ "d ${home}/.step/certs 0700 ${user} ${group} -"
+ "L+ ${home}/.step/config/defaults.json - - - - /etc/step/config/defaults.json"
+ "L+ ${home}/.step/certs/root_ca.crt - - - - /etc/step/certs/root_ca.crt"
+ ];
+ in {
+ environment.etc."step/config/defaults.json".text = builtins.toJSON {
+ inherit ca-url fingerprint;
+ root = "/etc/step/certs/root_ca.crt";
+ };
+ environment.etc."step/certs/root_ca.crt".source = ./root_ca.crt;
+ systemd.tmpfiles.rules =
+ mkStepRules johnHome username johnGroup
+ ++ mkStepRules "/root" "root" "root";
+ };
+
 flake.modules.homeManager.janus-ca = { config, ... }: {
 home.file.".step/config/defaults.json".text = builtins.toJSON {
- "ca-url" = "https://janus.john-stream.com/";
- fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
+ inherit ca-url fingerprint;
 root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
 };
 home.file.".step/certs/root_ca.crt".source = ./root_ca.crt;
@@ -18,6 +42,7 @@ in
 nixos.lxc
 nixos.mysops
 nixos.step-ssh-host
+ nixos.janus-ca
 inputs.home-manager.nixosModules.home-manager
 nixos."${username}"
 nixos.docker
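Review bot: The `L+` rules emitted by `mkStepRules` remove and replace whatever already exists at `~/.step/config/defaults.json` and `~/.step/certs/root_ca.crt` on every `systemd-tmpfiles --create`, so a user-edited step configuration, or the link written by the `flake.modules.homeManager.janus-ca` module kept in the same file if both modules are ever enabled for the same user, is silently clobbered. If that precedence is intended, say so on the helper, e.g. `# L+ replaces any user-managed defaults.json/root_ca.crt; do not combine with homeManager.janus-ca for the same user`; otherwise plain `L` creates the link only when nothing is there yet. Pinning both `fingerprint` and the bundled `root_ca.crt` is the right call, but the two need to change together, since the fingerprint is what pins the root the client accepts. The module function that encloses this hunk starts before it, outside the hunk.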
@@ -41,7 +66,6 @@ in
 imports = with inputs.self.modules.homeManager; [
 mysops
 step-ssh-user
- janus-ca
 ];
 shell.program = "zsh";
 docker.enable = true;
diff --git a/modules/hosts/john-p14s/configuration.nix b/modules/hosts/john-p14s/configuration.nix
index 53dfcca..4fb232e 100644
--- a/modules/hosts/john-p14s/configuration.nix
+++ b/modules/hosts/john-p14s/configuration.nix
@@ -106,7 +106,6 @@
 home-manager.users.root = {
 imports = with inputs.self.modules.homeManager; [
 rebuild
- janus-ca
 ];
 home.stateVersion = "25.11";
 };
@@ -115,7 +114,6 @@
 desktop
 mysops
 rebuild
- janus-ca
 {
 my-vscode.enable = true;
 mysops.hostSecretFile = "${flakeDir}/modules/hosts/john-p14s/secrets.yaml";
diff --git a/modules/hosts/john-p14s/default.nix b/modules/hosts/john-p14s/default.nix
index 1358df1..e2d7673 100644
--- a/modules/hosts/john-p14s/default.nix
+++ b/modules/hosts/john-p14s/default.nix
@@ -12,6 +12,7 @@
 "${inputs.nixos-hardware}/lenovo/thinkpad/p14s/amd/gen4"
 ] ++ (with self.modules.nixos; [
 p14sConfiguration
+ janus-ca
 rebuild
 sudo
 john
diff --git a/modules/hosts/john-pc/default.nix b/modules/hosts/john-pc/default.nix
index 82b6235..ada44ed 100644
--- a/modules/hosts/john-pc/default.nix
+++ b/modules/hosts/john-pc/default.nix
@@ -17,6 +17,7 @@ in
 resticPasswordFile = "${config.xdg.configHome}/restic/password.txt";
 testPushCmd = (pkgs.writeShellScriptBin "test-push" ''
+ ${lib.getExe' pkgs.coreutils "echo"} "Pushing ${testHost} to ${testTarget}"
 ${lib.getExe' pkgs.coreutils "mkdir"} -p /var/tmp/nix-build
 ${lib.getExe' pkgs.coreutils "chmod"} 1777 /var/tmp/nix-build
 ${lib.getExe pkgs.nixos-rebuild} switch \
diff --git a/modules/hosts/soteria/soteria.nix b/modules/hosts/soteria/soteria.nix
index 1ee7799..1ae376d 100644
--- a/modules/hosts/soteria/soteria.nix
+++ b/modules/hosts/soteria/soteria.nix
@@ -1,4 +1,4 @@
-{ inputs, lib, ... }:
+{ self, inputs, lib, ... }:
 let
 username = "john";
 hostname = "soteria";
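Review bot: `self` is added to the argument set of soteria.nix, but none of this file's hunks in the diff use it; they still reach the flake through `inputs.self.modules` as before. If the new argument is used somewhere outside the shown hunks that is fine; otherwise it is an unused parameter, and either the remaining `inputs.self.modules` references should move to `self.modules` (the style john-p14s/default.nix already uses) or the argument should be dropped, so the file uses one style. The module body continues outside this hunk.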
@@ -11,11 +11,26 @@ in
 nixos.mysops
 nixos.step-ssh-host
 nixos.login-text
- # nixos.mtls
+ nixos.docker
+ nixos.mtls
+ nixos.janus-ca
 # nixos.restic-server
 # nixos.restic-envoy
- {
+ ({ pkgs, ... }: {
 networking.hostName = hostname;
+ mtls = {
+ enable = true;
+ subject = hostname;
+ san = [
+ "${hostname}.john-stream.com"
+ "192.168.1.142"
+ ];
+ lifetime = "1h";
+ renew.onCalendar = "*:3/15";
+ renew.postCommands = [
+ "${lib.getExe pkgs.docker} restart envoy"
+ ];
+ };
 # Removes password for sudo
 security.sudo-rs.extraRules = lib.mkAfter [
@@ -39,12 +54,13 @@ in
 # This provides the secrets at install time
 sops.defaultSopsFile = ./secrets.yaml;
+ programs.zsh.enable = true;
 home-manager.users."${username}" = {
 imports = with inputs.self.modules; [
 homeManager."${hostname}"
 ];
 };
- }
+ })
 ];
 };
@@ -52,9 +68,6 @@ in
 imports = with inputs.self.modules; [
 homeManager.rebuild
 homeManager.mysops
- homeManager.janus-ca
- homeManager.mtls
- homeManager.docker
 ];
 homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
@@ -63,20 +76,6 @@ in
 # This will provide the edit-secrets script targeting this file
 mysops.hostSecretFile = "${config.homeManagerFlakeDir}/modules/hosts/soteria/secrets.yaml";
-
- mtls = {
- enable = true;
- subject = hostname;
- san = [
- "${hostname}.john-stream.com"
- "192.168.1.142"
- ];
- lifetime = "1h";
- renew.onCalendar = "*:3/15";
- renew.postCommands = [
- "${lib.getExe pkgs.docker} restart envoy"
- ];
- };
 };
 flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
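Review bot: The `mtls` block now lives in the NixOS module instead of the `john` home-manager configuration, which presumably moves the renewal timer and the certificate/key files from the user's home to a system location, but the `envoy` container restarted by `renew.postCommands` is not touched by this change; unless its volume mount already points at the new system-level path, it will keep serving the old material after each `docker restart envoy`, and the mtls module itself is not in this diff to confirm. A comment above `mtls = {` such as `# system-level mTLS: cert/key are provisioned by nixos.mtls and must match the path mounted into the envoy container` would record that coupling. The 1h `lifetime` with `renew.onCalendar = "*:3/15"` is a sensible pairing; if the module runs `postCommands` inside the renewal unit, a stopped or absent `envoy` container will also fail the renewal itself, which may or may not be what is wanted. The imports list that encloses this hunk begins before it.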