started mtls stuff

2026-03-15 18:15:45 -05:00
parent f5ae40c3e7
commit e83f6939e8
1 changed files with 21 additions and 2 deletions
--- a/modules/hosts/john-pc-ubuntu.nix
+++ b/modules/hosts/john-pc-ubuntu.nix
@@ -8,6 +8,11 @@ in
  flake.modules.homeManager."${hostname}" = { pkgs, config, ... }:
  let
    flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
+    certDir = "${config.home.homeDirectory}/.step/certs";
+    CACert = "${certDir}/root_ca.crt";
+    tlsKey = "${certDir}/key.pem";
+    tlsCert = "${certDir}/cert.pem";
+    mtlsCert = "${certDir}/mtls.pem";
  in
  {
    imports = with inputs.self.modules.homeManager; [
@@ -31,6 +36,20 @@ in
      (writeShellScriptBin "test-push" ''
        nixos-rebuild switch --flake ${flakeDir}#janus --target-host root@${testTarget}
      '')
+      (writeShellScriptBin "mtls-generate" ''
+        ${lib.getExe pkgs.step-cli} ca certificate \
+          john-pc-ubuntu ${tlsCert} ${tlsKey} \
+          --provisioner admin \
+          --san 192.168.1.85 \
+          --san spiffe://john-stream.com/ubuntu
+        cat ${tlsCert} ${tlsKey} > ${mtlsCert}
+      '')
+      (writeShellScriptBin "mtls-check" ''
+        ${lib.getExe pkgs.openssl} x509 \
+        -noout -subject -issuer \
+        -ext subjectAltName,extendedKeyUsage \
+        -enddate -in ${mtlsCert}
+      '')
    ];
    # TODO: Add host-specific settings here:
    # - sops secret for `restic_password/john_ubuntu`
@@ -67,8 +86,8 @@ in
        default = {
          "inherit" = "base";
          repository = "rest:https://soteria.john-stream.com/john-ubuntu";
-          # cacert = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
-          # tls-client-cert = "${config.home.homeDirectory}/.step/certs/mtls.pem";
+          cacert = "${CACert}";
+          tls-client-cert = "${mtlsCert}";
          backup = {
            source = [
              "${config.xdg.userDirs.documents}"