diff --git a/modules/services/step-ca/mtls.nix b/modules/services/step-ca/mtls.nix
index f55c1d5..7ae9fde 100644
--- a/modules/services/step-ca/mtls.nix
+++ b/modules/services/step-ca/mtls.nix
@@ -218,94 +218,94 @@ let in { flake.modules.nixos.mtls = { config, lib, pkgs, ... }: - let - cfg = config.mtls; - certDir = "/etc/step/certs"; - tlsKey = "${certDir}/${cfg.keyFilename}"; - tlsCert = "${certDir}/${cfg.certFilename}"; - mtlsBundle = "${certDir}/${cfg.bundleFilename}"; - rootCA = "${certDir}/root_ca.crt"; - sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; - in - { - options.mtls = opts; - config = lib.mkIf cfg.enable { - environment.systemPackages = with pkgs; lib.optionals cfg.enable [ - (writeShellScriptBin "mtls-generate" '' - set -euo pipefail - ${lib.getExe pkgs.step-cli} ca certificate \ - ${cfg.subject} ${tlsCert} ${tlsKey} \ - --ca-url ${cfg.caURL} \ - --root ${rootCA} \ - --provisioner ${cfg.provisioner} \ - ${sanArgs} - cat ${tlsCert} ${tlsKey} > ${mtlsBundle} - '') - (writeShellScriptBin "mtls-check" '' - ${lib.getExe pkgs.openssl} x509 \ - -noout -subject -issuer \ - -ext subjectAltName,extendedKeyUsage \ - -enddate -in ${mtlsBundle} - '') - ]; + let + cfg = config.mtls; + certDir = "/etc/step/certs"; + tlsKey = "${certDir}/${cfg.keyFilename}"; + tlsCert = "${certDir}/${cfg.certFilename}"; + mtlsBundle = "${certDir}/${cfg.bundleFilename}"; + rootCA = "${certDir}/root_ca.crt"; + sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; + in + { + options.mtls = opts; + config = lib.mkIf cfg.enable { + environment.systemPackages = with pkgs; lib.optionals cfg.enable [ + (writeShellScriptBin "mtls-generate" '' + set -euo pipefail + ${lib.getExe pkgs.step-cli} ca certificate \ + ${cfg.subject} ${tlsCert} ${tlsKey} \ + --ca-url ${cfg.caURL} \ + --root ${rootCA} \ + --provisioner ${cfg.provisioner} \ + ${sanArgs} + cat ${tlsCert} ${tlsKey} > ${mtlsBundle} + '') + (writeShellScriptBin "mtls-check" '' + ${lib.getExe pkgs.openssl} x509 \ + -noout -subject -issuer \ + -ext subjectAltName,extendedKeyUsage \ + -enddate -in ${mtlsBundle} + '') + ]; - systemd.services.mtls-renew = lib.mkIf cfg.renew.enable 
(mkNixosMtlsRenewService { - inherit pkgs tlsCert tlsKey mtlsBundle; - inherit (cfg.renew) reloadUnits postCommands user group; - }); + systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService { + inherit pkgs tlsCert tlsKey mtlsBundle; + inherit (cfg.renew) reloadUnits postCommands user group; + }); - systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewTimer { - inherit (cfg.renew) onCalendar randomizedDelaySec; - }); - }; - }; - - flake.modules.homeManager.mtls = { config, lib, pkgs, ... }: - let - cfg = config.mtls; - certDir = cfg.certDir; - tlsKey = "${certDir}/${cfg.keyFilename}"; - tlsCert = "${certDir}/${cfg.certFilename}"; - mtlsBundle = "${certDir}/${cfg.bundleFilename}"; - rootCA = "${certDir}/root_ca.crt"; - sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; - in - { - options.mtls = opts // { - certDir = lib.mkOption { - description = "String path to where the mtls certs will be stored."; - type = lib.types.str; - default ="${config.home.homeDirectory}/.step/certs"; + systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewTimer { + inherit (cfg.renew) onCalendar randomizedDelaySec; + }); }; }; - config = { - home.packages = with pkgs; lib.optionals cfg.enable [ - step-cli - (writeShellScriptBin "mtls-generate" '' - set -euo pipefail - ${lib.getExe pkgs.step-cli} ca certificate \ - john-pc-ubuntu ${tlsCert} ${tlsKey} \ - --provisioner ${cfg.provisioner} \ - ${sanArgs} - cat ${tlsCert} ${tlsKey} > ${mtlsBundle} - '') - (writeShellScriptBin "mtls-check" '' - ${lib.getExe pkgs.openssl} x509 \ - -noout -subject -issuer \ - -ext subjectAltName,extendedKeyUsage \ - -enddate -in ${mtlsBundle} - '') - ]; + flake.modules.homeManager.mtls = { config, lib, pkgs, ... 
}: + let + cfg = config.mtls; + certDir = cfg.certDir; + tlsKey = "${certDir}/${cfg.keyFilename}"; + tlsCert = "${certDir}/${cfg.certFilename}"; + mtlsBundle = "${certDir}/${cfg.bundleFilename}"; + rootCA = "${certDir}/root_ca.crt"; + sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; + in + { + options.mtls = opts // { + certDir = lib.mkOption { + description = "String path to where the mtls certs will be stored."; + type = lib.types.str; + default ="${config.home.homeDirectory}/.step/certs"; + }; + }; - systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService { - inherit pkgs tlsCert tlsKey mtlsBundle; - inherit (cfg.renew) reloadUnits postCommands; - }); + config = { + home.packages = with pkgs; lib.optionals cfg.enable [ + step-cli + (writeShellScriptBin "mtls-generate" '' + set -euo pipefail + ${lib.getExe pkgs.step-cli} ca certificate \ + john-pc-ubuntu ${tlsCert} ${tlsKey} \ + --provisioner ${cfg.provisioner} \ + ${sanArgs} + cat ${tlsCert} ${tlsKey} > ${mtlsBundle} + '') + (writeShellScriptBin "mtls-check" '' + ${lib.getExe pkgs.openssl} x509 \ + -noout -subject -issuer \ + -ext subjectAltName,extendedKeyUsage \ + -enddate -in ${mtlsBundle} + '') + ]; - systemd.user.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewTimer { - inherit (cfg.renew) onCalendar randomizedDelaySec; - }); + systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService { + inherit pkgs tlsCert tlsKey mtlsBundle; + inherit (cfg.renew) reloadUnits postCommands; + }); + + systemd.user.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewTimer { + inherit (cfg.renew) onCalendar randomizedDelaySec; + }); + }; }; - }; } \ No newline at end of file