SAN args

modules/hosts/janus.nix

@@ -2,6 +2,7 @@
 let
   username = "john";
   hostname = "janus";
+  caURL = "https://janus.john-stream.com/";
 in
 {
   flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
@@ -19,12 +20,16 @@ in
         networking.hostName = hostname;
         step-ssh-host = {
           hostname = hostname;
-          caURL = "https://janus.john-stream.com/";
+          caURL = caURL;
         };
         mtls = {
           enable = true;
           subject = hostname;
-          caURL = "https://janus.john-stream.com/";
+          caURL = caURL;
+          san = [
+            "${hostname}.john-stream.com"
+            "192.168.1.244"
+          ];
         };
 
         home-manager.users."${username}" = {

modules/services/step-ca/mtls.nix

@@ -7,6 +7,8 @@
     tlsKey = "${certDir}/${cfg.keyFilename}";
     tlsCert = "${certDir}/${cfg.certFilename}";
     mtlsBundle = "${certDir}/${cfg.bundleFilename}";
+    rootCA = "${cfg.certDir}/certs/root_ca.crt";
+    sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
   in
   {
     options.mtls = {
@@ -39,6 +41,11 @@
         type = lib.types.str;
         default = "mtls.pem";
       };
+      san = lib.mkOption {
+        description = "List of SAN to give the mTLS cert";
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+      };
     };
 
     config = {
@@ -48,10 +55,9 @@
           ${lib.getExe pkgs.step-cli} ca certificate \
             ${cfg.subject} ${tlsCert} ${tlsKey} \
             --ca-url ${cfg.caURL} \
-            --root ${cfg.certDir}/certs/root_ca.crt \
+            --root ${rootCA} \
             --provisioner admin \
-            --san 192.168.1.85 \
-            --san spiffe://john-stream.com/ubuntu
+            ${sanArgs}
           cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
         '')
         (writeShellScriptBin "mtls-check" ''