From ba72aec338a1aa40701052a7b39fe256ce11681a Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sun, 15 Mar 2026 21:02:09 -0500
Subject: [PATCH] SAN args

---
 modules/hosts/janus.nix | 9 +++++++--
 modules/services/step-ca/mtls.nix | 12 +++++++++---
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/modules/hosts/janus.nix b/modules/hosts/janus.nix
index 73a5ee1..5966e00 100644
--- a/modules/hosts/janus.nix
+++ b/modules/hosts/janus.nix
@@ -2,6 +2,7 @@
 let
 username = "john";
 hostname = "janus";
+ caURL = "https://janus.john-stream.com/";
 in
 {
 flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
@@ -19,12 +20,16 @@ in
 networking.hostName = hostname;
 step-ssh-host = {
 hostname = hostname;
- caURL = "https://janus.john-stream.com/";
+ caURL = caURL;
 };
 mtls = {
 enable = true;
 subject = hostname;
- caURL = "https://janus.john-stream.com/";
+ caURL = caURL;
+ san = [ "${hostname}.john-stream.com" "192.168.1.244" ];
 };
 home-manager.users."${username}" = {
diff --git a/modules/services/step-ca/mtls.nix b/modules/services/step-ca/mtls.nix
index f44c7ea..7345e23 100644
--- a/modules/services/step-ca/mtls.nix
+++ b/modules/services/step-ca/mtls.nix
@@ -7,6 +7,8 @@
 tlsKey = "${certDir}/${cfg.keyFilename}";
 tlsCert = "${certDir}/${cfg.certFilename}";
 mtlsBundle = "${certDir}/${cfg.bundleFilename}";
+ rootCA = "${cfg.certDir}/certs/root_ca.crt";
+ sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
 in
 {
 options.mtls = {
@@ -39,6 +41,11 @@
 type = lib.types.str;
 default = "mtls.pem";
 };
+ san = lib.mkOption {
+ description = "List of SAN to give the mTLS cert";
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ };
 };
 config = {
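Review bot: The IP SAN in the new `san` list of the janus mtls block is the literal `"192.168.1.244"` next to the derived `"${hostname}.john-stream.com"`, so the certificate silently stops matching if the host's address is assigned elsewhere (or by DHCP) and changes; presumably the address is static, but nothing in this file ties the two together. Either derive the entry from the host's address configuration if this module has one, or leave a comment such as `# must match this host's static address; the mTLS cert is only valid for it` so the next change to the address also touches the cert. The `caURL` hoist in the first hunk of this file is fine as it stands.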
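Review bot: `sanArgs` in the first mtls.nix hunk splices each SAN into the generated shell script with hand-written double quotes, so a value containing `"`, `$` or a backtick would break the command or be expanded by the shell instead of reaching step-cli verbatim; the values come from a module option rather than untrusted input, but nixpkgs already provides a correct escaper. Use `sanArgs = lib.concatMapStringsSep " " (san: "--san ${lib.escapeShellArg san}") cfg.san;`, which quotes every value regardless of content. Separately, the new `rootCA` binding is built from `cfg.certDir` while the sibling bindings directly above it use `certDir`; if `certDir` is simply `cfg.certDir` (its definition is above this hunk) the two should agree, and if it is not, a one-line comment saying why the root certificate lives outside `certDir` would prevent the next reader from "fixing" it. The `let` block begins before this hunk.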
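Review bot: The `description` of the new `san` option in the second mtls.nix hunk says neither what kind of values are accepted nor what an empty list means, which matters because the default is `[ ]` and the SANs previously hard-coded in the script are removed in the later hunk. Suggested wording: `description = "Subject Alternative Names (DNS names or IP addresses) to put in the mTLS certificate; each entry becomes a --san flag for step-cli. With the default empty list no --san flag is passed at all.";`. An `example` attribute holding an illustrative host name and address would also show the expected form. The enclosing `options.mtls` attribute set starts before this hunk.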
@@ -48,10 +55,9 @@
 ${lib.getExe pkgs.step-cli} ca certificate \
 ${cfg.subject} ${tlsCert} ${tlsKey} \
 --ca-url ${cfg.caURL} \
- --root ${cfg.certDir}/certs/root_ca.crt \
+ --root ${rootCA} \
 --provisioner admin \
- --san 192.168.1.85 \
- --san spiffe://john-stream.com/ubuntu
+ ${sanArgs}
 cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
 '')
 (writeShellScriptBin "mtls-check" ''
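Review bot: Dropping the two fixed `--san` flags (`192.168.1.85` and `spiffe://john-stream.com/ubuntu`) in favour of `${sanArgs}` changes the certificate every other consumer of this module obtains, because the option added earlier in this patch defaults to `[ ]` and only janus.nix sets it; a host that relied on either SAN (the SPIFFE URI in particular) now gets a certificate that, if step-cli falls back to the subject when no `--san` is given, carries only `cfg.subject`. If that fallback is the intended default, say so in the option description; if not, add an assertion under `config` such as `assertion = cfg.san != [ ]; message = "mtls.san must list at least one SAN";` so the misconfiguration fails at evaluation rather than at the next mTLS handshake. The `writeShellScriptBin` body that contains this command starts before the hunk.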