mtls working on soteria

modules/hosts/janus/default.nix

@@ -2,12 +2,36 @@
 let
   username = "john";
   hostname = "janus";
+  ca-url = "https://janus.john-stream.com/";
+  fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
+
 in
 {
+  flake.modules.nixos.janus-ca = { config, lib, ... }:
+  let
+    johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config;
+    johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config;
+    mkStepRules = home: user: group: [
+      "d ${home}/.step 0700 ${user} ${group} -"
+      "d ${home}/.step/config 0700 ${user} ${group} -"
+      "d ${home}/.step/certs 0700 ${user} ${group} -"
+      "L+ ${home}/.step/config/defaults.json - - - - /etc/step/config/defaults.json"
+      "L+ ${home}/.step/certs/root_ca.crt - - - - /etc/step/certs/root_ca.crt"
+    ];
+  in {
+    environment.etc."step/config/defaults.json".text = builtins.toJSON {
+      inherit ca-url fingerprint;
+      root = "/etc/step/certs/root_ca.crt";
+    };
+    environment.etc."step/certs/root_ca.crt".source = ./root_ca.crt;
+    systemd.tmpfiles.rules =
+      mkStepRules johnHome username johnGroup
+      ++ mkStepRules "/root" "root" "root";
+  };
+
   flake.modules.homeManager.janus-ca = { config, ... }: {
     home.file.".step/config/defaults.json".text = builtins.toJSON {
-      "ca-url" = "https://janus.john-stream.com/";
+      inherit ca-url fingerprint;
-      fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
       root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
     };
     home.file.".step/certs/root_ca.crt".source = ./root_ca.crt;
@@ -18,6 +42,7 @@ in
       nixos.lxc
       nixos.mysops
       nixos.step-ssh-host
+      nixos.janus-ca
       inputs.home-manager.nixosModules.home-manager
       nixos."${username}"
       nixos.docker
@@ -41,7 +66,6 @@ in
           imports = with inputs.self.modules.homeManager; [
             mysops
             step-ssh-user
-            janus-ca
           ];
           shell.program = "zsh";
           docker.enable = true;

modules/hosts/john-p14s/configuration.nix

@@ -106,7 +106,6 @@
       home-manager.users.root = {
         imports = with inputs.self.modules.homeManager; [
           rebuild
-          janus-ca
         ];
         home.stateVersion = "25.11";
       };
@@ -115,7 +114,6 @@
         desktop
         mysops
         rebuild
-        janus-ca
         {
           my-vscode.enable = true;
           mysops.hostSecretFile = "${flakeDir}/modules/hosts/john-p14s/secrets.yaml";

modules/hosts/john-p14s/default.nix

@@ -12,6 +12,7 @@
       "${inputs.nixos-hardware}/lenovo/thinkpad/p14s/amd/gen4"
     ] ++ (with self.modules.nixos; [
       p14sConfiguration
+      janus-ca
       rebuild
       sudo
       john

modules/hosts/john-pc/default.nix

@@ -17,6 +17,7 @@ in
     resticPasswordFile = "${config.xdg.configHome}/restic/password.txt";
 
     testPushCmd = (pkgs.writeShellScriptBin "test-push" ''
+      ${lib.getExe' pkgs.coreutils "echo"} "Pushing ${testHost} to ${testTarget}"
       ${lib.getExe' pkgs.coreutils "mkdir"} -p /var/tmp/nix-build
       ${lib.getExe' pkgs.coreutils "chmod"} 1777 /var/tmp/nix-build
       ${lib.getExe pkgs.nixos-rebuild} switch \

modules/hosts/soteria/soteria.nix

@@ -1,4 +1,4 @@
-{ inputs, lib, ... }:
+{ self, inputs, lib, ... }:
 let
   username = "john";
   hostname = "soteria";
@@ -11,11 +11,26 @@ in
       nixos.mysops
       nixos.step-ssh-host
       nixos.login-text
-      # nixos.mtls
+      nixos.docker
+      nixos.mtls
+      nixos.janus-ca
       # nixos.restic-server
       # nixos.restic-envoy
-      {
+      ({ pkgs, ... }: {
         networking.hostName = hostname;
+        mtls = {
+          enable = true;
+          subject = hostname;
+          san = [
+            "${hostname}.john-stream.com"
+            "192.168.1.142"
+          ];
+          lifetime = "1h";
+          renew.onCalendar = "*:3/15";
+          renew.postCommands = [
+            "${lib.getExe pkgs.docker} restart envoy"
+          ];
+        };
 
         # Removes password for sudo
         security.sudo-rs.extraRules = lib.mkAfter [
@@ -39,12 +54,13 @@ in
         # This provides the secrets at install time
         sops.defaultSopsFile = ./secrets.yaml;
 
+        programs.zsh.enable = true;
         home-manager.users."${username}" = {
           imports = with inputs.self.modules; [
             homeManager."${hostname}"
           ];
         };
-      }
+      })
     ];
   };
 
@@ -52,9 +68,6 @@ in
     imports = with inputs.self.modules; [
       homeManager.rebuild
       homeManager.mysops
-      homeManager.janus-ca
-      homeManager.mtls
-      homeManager.docker
     ];
 
     homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
@@ -63,20 +76,6 @@ in
 
     # This will provide the edit-secrets script targeting this file
     mysops.hostSecretFile = "${config.homeManagerFlakeDir}/modules/hosts/soteria/secrets.yaml";
-
-    mtls = {
-      enable = true;
-      subject = hostname;
-      san = [
-        "${hostname}.john-stream.com"
-        "192.168.1.142"
-      ];
-      lifetime = "1h";
-      renew.onCalendar = "*:3/15";
-      renew.postCommands = [
-        "${lib.getExe pkgs.docker} restart envoy"
-      ];
-    };
   };
 
   flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {