mTLS generate script improvements

This commit is contained in:
John Lancaster
2026-04-04 11:09:25 -05:00
parent 13a841c8db
commit b8b8a445f9
+4 -4
@@ -68,7 +68,7 @@ let
group = lib.mkOption {
description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user.";
type = lib.types.nullOr lib.types.str;
default = cfg.renew.user;
default = "mtls";
};
reloadUnits = lib.mkOption {
description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
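Review bot: The option text on the `description` line still says the group "Defaults to the configured renewal user", but the default is now the literal `"mtls"`, so the generated option docs contradict the code; change it to `description = "Group to run the mTLS renewal service as. Defaults to \"mtls\".";`. The type is still `lib.types.nullOr lib.types.str`, yet every consumer visible in this commit (the `chown` argument, the group `name`, the tmpfiles rule) interpolates the value as a string, so setting it to `null` would fail at evaluation rather than fall back to anything; unless a null case is handled elsewhere, `type = lib.types.str;` is the honest type. This `mkOption` sits inside a `let` that begins before the hunk.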
@@ -97,7 +97,6 @@ let
}:
let
catCmd = lib.getExe' pkgs.coreutils "cat";
echoCmd = lib.getExe' pkgs.coreutils "echo";
chownCmd = lib.getExe' pkgs.coreutils "chown";
chmodCmd = lib.getExe' pkgs.coreutils "chmod";
stepCmd = lib.getExe pkgs.step-cli;
@@ -114,6 +113,7 @@ let
(umask 077; ${catCmd} ${certFile} ${keyFile} > ${bundleFile})
${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
printf '\033[32m\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
'';
mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" ''
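Review bot: The new `printf` line escapes `bundleFile` with `lib.escapeShellArg`, but the `cat`, `chown` and `chmod` lines directly above still interpolate `certFile`, `keyFile` and `bundleFile` unquoted, so a path containing whitespace or glob characters would be split or expanded there while only the printed path is handled correctly. Apply the same escaping on those three lines, e.g. `${chmodCmd} 640 ${lib.escapeShellArg certFile} ${lib.escapeShellArg keyFile} ${lib.escapeShellArg bundleFile}`. The green span `\033[32m\033[0m` in the format string encloses nothing; if a status glyph was intended it appears to have been lost, otherwise the two escapes can be dropped. The script body belongs to a function that starts before this hunk, and the removed `echoCmd` binding is unused in the visible lines.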
@@ -281,7 +281,7 @@ in
config = lib.mkIf cfg.enable {
users.groups.certReaders = {
name = "mtls";
name = cfg.renew.group;
members = cfg.certReaders;
};
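Review bot: Nothing on this block says that membership is a security-relevant grant: the generate script chowns the key and bundle to this group with mode 640, so every entry in `cfg.certReaders` can read the private key, and tying the group name to `cfg.renew.group` means that is also true of whatever group the renewal service runs as. Add a comment above the block, e.g. `# Members of this group can read the renewed private key and bundle (files are chown'd to it with mode 640).`. Note also that the attribute stays `certReaders` while `name` is now user-controlled; if `renew.group` is pointed at a group another module already declares, the two declarations may collide, which is worth a sentence in the option description.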
@@ -297,7 +297,7 @@ in
];
systemd.tmpfiles.rules = [
"d ${cfg.certDir} 0750 ${cfg.renew.user} mtls -"
"d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
];
systemd.services.mtls-renew = lib.mkIf cfg.renew.enable