SAN args

2026-03-15 21:02:09 -05:00
parent a8a9a73e08
commit ba72aec338
2 changed files with 16 additions and 5 deletions
--- a/modules/services/step-ca/mtls.nix
+++ b/modules/services/step-ca/mtls.nix
@@ -7,6 +7,8 @@
    tlsKey = "${certDir}/${cfg.keyFilename}";
    tlsCert = "${certDir}/${cfg.certFilename}";
    mtlsBundle = "${certDir}/${cfg.bundleFilename}";
+    rootCA = "${cfg.certDir}/certs/root_ca.crt";
+    sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
  in
  {
    options.mtls = {
@@ -39,6 +41,11 @@
        type = lib.types.str;
        default = "mtls.pem";
      };
+      san = lib.mkOption {
+        description = "List of SAN to give the mTLS cert";
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+      };
    };

    config = {
@@ -48,10 +55,9 @@
          ${lib.getExe pkgs.step-cli} ca certificate \
            ${cfg.subject} ${tlsCert} ${tlsKey} \
            --ca-url ${cfg.caURL} \
-            --root ${cfg.certDir}/certs/root_ca.crt \
+            --root ${rootCA} \
            --provisioner admin \
-            --san 192.168.1.85 \
-            --san spiffe://john-stream.com/ubuntu
+            ${sanArgs}
          cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
        '')
        (writeShellScriptBin "mtls-check" ''