John Lancaster
2026-03-15 21:02:09 -05:00
parent a8a9a73e08
commit ba72aec338
2 changed files with 16 additions and 5 deletions


@@ -2,6 +2,7 @@
let let
username = "john"; username = "john";
hostname = "janus"; hostname = "janus";
caURL = "https://janus.john-stream.com/";
in in
{ {
flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem { flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
@@ -19,12 +20,16 @@ in
networking.hostName = hostname; networking.hostName = hostname;
step-ssh-host = { step-ssh-host = {
hostname = hostname; hostname = hostname;
caURL = "https://janus.john-stream.com/"; caURL = caURL;
}; };
mtls = { mtls = {
enable = true; enable = true;
subject = hostname; subject = hostname;
caURL = "https://janus.john-stream.com/"; caURL = caURL;
san = [
"${hostname}.john-stream.com"
"192.168.1.244"
];
}; };
home-manager.users."${username}" = { home-manager.users."${username}" = {
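Review bot: The new `san` list pins the IP literal `"192.168.1.244"` in the host file, detached from whatever networking config actually assigns that address, so the certificate silently stops matching if the address moves; a short comment on that line naming where the address is defined (`# must match the static address configured for this host`) would make the coupling visible, or the value could be derived from the networking attribute if one exists. The module previously requested fixed SANs (`192.168.1.85` and `spiffe://john-stream.com/ubuntu`) that this host's new list no longer includes, so any peer that matched on the SPIFFE URI SAN will now reject this host's cert — worth confirming before rollout, as I cannot see the consumers from here. The enclosing attribute set continues outside the hunk.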


@@ -7,6 +7,8 @@
tlsKey = "${certDir}/${cfg.keyFilename}"; tlsKey = "${certDir}/${cfg.keyFilename}";
tlsCert = "${certDir}/${cfg.certFilename}"; tlsCert = "${certDir}/${cfg.certFilename}";
mtlsBundle = "${certDir}/${cfg.bundleFilename}"; mtlsBundle = "${certDir}/${cfg.bundleFilename}";
rootCA = "${cfg.certDir}/certs/root_ca.crt";
sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
in in
{ {
options.mtls = { options.mtls = {
@@ -39,6 +41,11 @@
type = lib.types.str; type = lib.types.str;
default = "mtls.pem"; default = "mtls.pem";
}; };
san = lib.mkOption {
description = "List of SAN to give the mTLS cert";
type = lib.types.listOf lib.types.str;
default = [ ];
};
}; };
config = { config = {
@@ -48,10 +55,9 @@
${lib.getExe pkgs.step-cli} ca certificate \ ${lib.getExe pkgs.step-cli} ca certificate \
${cfg.subject} ${tlsCert} ${tlsKey} \ ${cfg.subject} ${tlsCert} ${tlsKey} \
--ca-url ${cfg.caURL} \ --ca-url ${cfg.caURL} \
--root ${cfg.certDir}/certs/root_ca.crt \ --root ${rootCA} \
--provisioner admin \ --provisioner admin \
--san 192.168.1.85 \ ${sanArgs}
--san spiffe://john-stream.com/ubuntu
cat ${tlsCert} ${tlsKey} > ${mtlsBundle} cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
'') '')
(writeShellScriptBin "mtls-check" '' (writeShellScriptBin "mtls-check" ''
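Review bot: `sanArgs` (first hunk of this file) splices each `cfg.san` entry into the generated shell script wrapped only in literal double quotes, so a value containing `"`, `$`, or a backtick breaks or rewrites the `step ca certificate` command line that the third hunk emits via `${sanArgs}`; use the shell-quoting helper instead: `sanArgs = lib.concatMapStringsSep " " (san: "--san ${lib.escapeShellArg san}") cfg.san;`. The same unquoted interpolation already applies to `${cfg.subject}` and `${cfg.caURL}` on the adjacent lines, which this commit leaves as they were. In the option hunk, the description could say what the list holds: `description = "Subject Alternative Names (DNS, IP or URI) to request for the mTLS certificate";`. The bundle-building script continues past the end of the last hunk.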