From a8a9a73e082d9264a3b1897a79b5355f4276104d Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sun, 15 Mar 2026 20:52:34 -0500
Subject: [PATCH] working mtls for janus system
---
 modules/hosts/janus.nix | 5 +++++
 modules/services/step-ca/mtls.nix | 26 +++++++++++++++++++-------
 2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/modules/hosts/janus.nix b/modules/hosts/janus.nix
index f914aee..73a5ee1 100644
--- a/modules/hosts/janus.nix
+++ b/modules/hosts/janus.nix
@@ -21,6 +21,11 @@ in
 hostname = hostname;
 caURL = "https://janus.john-stream.com/";
 };
+ mtls = {
+ enable = true;
+ subject = hostname;
+ caURL = "https://janus.john-stream.com/";
+ };
 home-manager.users."${username}" = {
 imports = with inputs.self.modules.homeManager; [
diff --git a/modules/services/step-ca/mtls.nix b/modules/services/step-ca/mtls.nix
index fa6c54e..f44c7ea 100644
--- a/modules/services/step-ca/mtls.nix
+++ b/modules/services/step-ca/mtls.nix
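Review bot: The CA URL literal `"https://janus.john-stream.com/"` is now written twice in this hunk — once in the block that closes with `};` just above and again in the new `mtls` block — so the two copies can silently drift apart the next time the CA moves. The hunk header's `in` shows this attribute set sits under a `let`; binding the URL there once (`caURL = "https://janus.john-stream.com/";`) and writing `inherit caURL;` in both blocks keeps a single source of truth. The enclosing attribute set and its `let` start outside the hunk.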
@@ -2,18 +2,27 @@
 {
 flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
 let
- certDir = config.mtls.certDir;
- tlsKey = "${certDir}/${config.mtls.keyFilename}";
- tlsCert = "${certDir}/${config.mtls.certFilename}";
- mtlsBundle = "${certDir}/${config.mtls.bundleFilename}";
+ cfg = config.mtls;
+ certDir = cfg.certDir;
+ tlsKey = "${certDir}/${cfg.keyFilename}";
+ tlsCert = "${certDir}/${cfg.certFilename}";
+ mtlsBundle = "${certDir}/${cfg.bundleFilename}";
 in {
 options.mtls = {
 enable = lib.mkEnableOption "Enable mTLS";
+ caURL = lib.mkOption {
+ description = "URL to the certificate authority";
+ type = lib.types.str;
+ };
+ subject = lib.mkOption {
+ description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN.";
+ type = lib.types.str;
+ };
 certDir = lib.mkOption {
 description = "String path to where the mtls certs will be stored.";
 type = lib.types.str;
- default = "/var/lib/tls";
+ default = "/etc/step";
 };
 keyFilename = lib.mkOption {
 description = "String filename for the private key";
@@ -33,10 +42,13 @@
 };
 config = {
- environment.systemPackages = with pkgs; [
+ environment.systemPackages = with pkgs; lib.optionals cfg.enable [
 (writeShellScriptBin "mtls-generate" ''
+ set -euo pipefail
 ${lib.getExe pkgs.step-cli} ca certificate \
- john-pc-ubuntu ${tlsCert} ${tlsKey} \
+ ${cfg.subject} ${tlsCert} ${tlsKey} \
+ --ca-url ${cfg.caURL} \
+ --root ${cfg.certDir}/certs/root_ca.crt \
 --provisioner admin \
 --san 192.168.1.85 \
 --san spiffe://john-stream.com/ubuntu
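Review bot: The `subject` option's description is lifted from the step CLI help and tells the user that SANs can be added "via the --san flag", but this module exposes no SAN option — the `mtls-generate` script further down the same file hard-codes two `--san` values, so the "only SAN" sentence is never true here. Rewrite it as `description = "Subject Common Name for the certificate; it is also added as a SAN next to the --san entries hard-coded in mtls-generate.";`. The new `default = "/etc/step"` for `certDir` likewise leaves the option text silent about the fact that the generate script reads `${cfg.certDir}/certs/root_ca.crt` from that directory, so a user who points `certDir` elsewhere loses the trust root; say so: `description = "Directory holding the issued key and certificate; must also contain certs/root_ca.crt, which mtls-generate passes as --root.";`. If `/etc/step` is also step-ca's own working directory on janus, the host's client private key will sit beside the CA material — worth confirming that is intended rather than keeping host keys under `/var/lib`.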
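Review bot: The subject is now taken from `cfg.subject`, but the trailing `--san 192.168.1.85` and `--san spiffe://john-stream.com/ubuntu` lines are still fixed, so every host that enables this module — janus, per the other hunk, with `subject = hostname` — is issued a certificate carrying the ubuntu machine's IP and SPIFFE ID, and any peer that authorizes on SANs will accept it as that host. The SANs should become a `sans` list option rendered into the script (the two current values then move into the host module that owns them), and the interpolations `${cfg.subject}`, `${cfg.caURL}` and the certificate paths should be wrapped in `lib.escapeShellArg`, since they are spliced unquoted into a bash command line. `--provisioner admin` is also fixed; a `provisioner` option with that default would spare the next edit. The shell script's closing `''` and the list's `]` lie outside the hunk.
```nix
sans = lib.mkOption {
  description = "Subject Alternative Names (DNS, IP or URI such as spiffe://) added to the host certificate.";
  type = lib.types.listOf lib.types.str;
  default = [ ];
};
# … unchanged: remaining options, config = { environment.systemPackages … writeShellScriptBin "mtls-generate" '' …
set -euo pipefail
${lib.getExe pkgs.step-cli} ca certificate \
  ${lib.escapeShellArg cfg.subject} ${lib.escapeShellArg tlsCert} ${lib.escapeShellArg tlsKey} \
  --ca-url ${lib.escapeShellArg cfg.caURL} \
  --root ${lib.escapeShellArg "${cfg.certDir}/certs/root_ca.crt"} \
  --provisioner admin \
  ${lib.concatMapStringsSep " " (san: "--san ${lib.escapeShellArg san}") cfg.sans}
```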