mtls home manager module

2026-03-15 21:27:44 -05:00
parent 67688c2aa6
commit e72b27e59d
2 changed files with 117 additions and 83 deletions
--- a/modules/hosts/john-pc-ubuntu.nix
+++ b/modules/hosts/john-pc-ubuntu.nix
@@ -23,6 +23,7 @@ in
      docker
      desktop
      step-ssh-user
+      mtls
    ];
    targets.genericLinux.enable = true;

@@ -36,21 +37,20 @@ in
      (writeShellScriptBin "test-push" ''
        nixos-rebuild switch --flake ${flakeDir}#janus --target-host root@${testTarget}
      '')
-      (writeShellScriptBin "mtls-generate" ''
-        ${lib.getExe pkgs.step-cli} ca certificate \
-          john-pc-ubuntu ${tlsCert} ${tlsKey} \
-          --provisioner admin \
-          --san 192.168.1.85 \
-          --san spiffe://john-stream.com/ubuntu
-        cat ${tlsCert} ${tlsKey} > ${mtlsCert}
-      '')
-      (writeShellScriptBin "mtls-check" ''
-        ${lib.getExe pkgs.openssl} x509 \
-        -noout -subject -issuer \
-        -ext subjectAltName,extendedKeyUsage \
-        -enddate -in ${mtlsCert}
-      '')
    ];
+
+    mtls = {
+      enable = true;
+      subject = hostname;
+      caURL = "https://janus.john-stream.com/";
+      provisioner = "admin";
+      san = [
+        "${hostname}"
+        "192.168.1.85"
+        "spiffe://john-stream.com/ubuntu"
+      ];
+    };
+
    # TODO: Add host-specific settings here:
    # - sops secret for `restic_password/john_ubuntu`
    # - resticprofile profile definition