mTLS generate script improvements

2026-04-04 11:09:25 -05:00
parent 13a841c8db
commit b8b8a445f9
1 changed files with 4 additions and 4 deletions
@@ -68,7 +68,7 @@ let
      group = lib.mkOption {
        description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user.";
        type = lib.types.nullOr lib.types.str;
-        default = cfg.renew.user;
+        default = "mtls";
      };
      reloadUnits = lib.mkOption {
        description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
@@ -97,7 +97,6 @@ let
  }:
  let
    catCmd = lib.getExe' pkgs.coreutils "cat";
-    echoCmd = lib.getExe' pkgs.coreutils "echo";
    chownCmd = lib.getExe' pkgs.coreutils "chown";
    chmodCmd = lib.getExe' pkgs.coreutils "chmod";
    stepCmd = lib.getExe pkgs.step-cli;
@@ -114,6 +113,7 @@ let
      (umask 077; ${catCmd} ${certFile} ${keyFile} > ${bundleFile})
      ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
      ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
+      printf '\033[32m✔\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
    '';
  
  mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" ''
@@ -281,7 +281,7 @@ in

      config = lib.mkIf cfg.enable {
        users.groups.certReaders = {
-          name = "mtls";
+          name = cfg.renew.group;
          members = cfg.certReaders;
        };

@@ -297,7 +297,7 @@ in
        ];

        systemd.tmpfiles.rules = [
-          "d ${cfg.certDir} 0750 ${cfg.renew.user} mtls -"
+          "d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
        ];

        systemd.services.mtls-renew = lib.mkIf cfg.renew.enable