From e83f6939e8e1efe399eaf105a9328525746dcd21 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sun, 15 Mar 2026 18:15:45 -0500
Subject: [PATCH] started mtls stuff

---
 modules/hosts/john-pc-ubuntu.nix | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/modules/hosts/john-pc-ubuntu.nix b/modules/hosts/john-pc-ubuntu.nix
index 2cbf81c..27cf73a 100644
--- a/modules/hosts/john-pc-ubuntu.nix
+++ b/modules/hosts/john-pc-ubuntu.nix
@@ -8,6 +8,11 @@ in
   flake.modules.homeManager."${hostname}" = { pkgs, config, ... }: let
     flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
+    certDir = "${config.home.homeDirectory}/.step/certs";
+    CACert = "${certDir}/root_ca.crt";
+    tlsKey = "${certDir}/key.pem";
+    tlsCert = "${certDir}/cert.pem";
+    mtlsCert = "${certDir}/mtls.pem";
   in {
     imports = with inputs.self.modules.homeManager; [
@@ -31,6 +36,20 @@ in
       (writeShellScriptBin "test-push" ''
         nixos-rebuild switch --flake ${flakeDir}#janus --target-host root@${testTarget}
       '')
+      (writeShellScriptBin "mtls-generate" ''
+        ${lib.getExe pkgs.step-cli} ca certificate \
+          john-pc-ubuntu ${tlsCert} ${tlsKey} \
+          --provisioner admin \
+          --san 192.168.1.85 \
+          --san spiffe://john-stream.com/ubuntu
+        cat ${tlsCert} ${tlsKey} > ${mtlsCert}
+      '')
+      (writeShellScriptBin "mtls-check" ''
+        ${lib.getExe pkgs.openssl} x509 \
+          -noout -subject -issuer \
+          -ext subjectAltName,extendedKeyUsage \
+          -enddate -in ${mtlsCert}
+      '')
     ];
     # TODO: Add host-specific settings here:
     # - sops secret for `restic_password/john_ubuntu`
@@ -67,8 +86,8 @@ in
       default = {
         "inherit" = "base";
         repository = "rest:https://soteria.john-stream.com/john-ubuntu";
-        # cacert = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
-        # tls-client-cert = "${config.home.homeDirectory}/.step/certs/mtls.pem";
+        cacert = "${CACert}";
+        tls-client-cert = "${mtlsCert}";
         backup = {
           source = [ "${config.xdg.userDirs.documents}"
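Review bot: `CACert` breaks the camelCase naming used by the sibling bindings `certDir`, `tlsKey`, `tlsCert` and `mtlsCert` added in the same `let`; renaming it `caCert = "${certDir}/root_ca.crt";` keeps the block consistent (the reference in the later restic hunk would become `${caCert}`). A one-line comment on `certDir` saying where these files come from would also help the next reader, e.g. `# cert.pem/key.pem are written by the mtls-generate script below; root_ca.crt by step ca bootstrap (verify)`. The `let` binding list and the attribute set it feeds continue past the hunk's last context line.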
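Review bot: The `cat ${tlsCert} ${tlsKey} > ${mtlsCert}` line in `mtls-generate` copies the private key into a new file whose mode comes from the caller's umask (commonly 0644), so the key can end up readable by other local users even if `step` itself created `key.pem` with owner-only permissions, which I believe it does but have not confirmed here. Because `writeShellScriptBin` does not enable `set -e`, a failed `step ca certificate` (bad provisioner password, CA unreachable) still reaches the `cat`, silently rebuilding the bundle from whatever stale files are present. Start the script with `set -euo pipefail` and `umask 077` so it aborts on the first failure and the bundle inherits 0600; the hard-coded `--san 192.168.1.85` may also be worth a comment noting it must match the address soteria sees, since this is presumably the client cert restic presents.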