started mtls stuff

modules/hosts/john-pc-ubuntu.nix

@@ -8,6 +8,11 @@ in
   flake.modules.homeManager."${hostname}" = { pkgs, config, ... }:
   let
     flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
+    certDir = "${config.home.homeDirectory}/.step/certs";
+    CACert = "${certDir}/root_ca.crt";
+    tlsKey = "${certDir}/key.pem";
+    tlsCert = "${certDir}/cert.pem";
+    mtlsCert = "${certDir}/mtls.pem";
   in
   {
     imports = with inputs.self.modules.homeManager; [
@@ -31,6 +36,20 @@ in
       (writeShellScriptBin "test-push" ''
         nixos-rebuild switch --flake ${flakeDir}#janus --target-host root@${testTarget}
       '')
+      (writeShellScriptBin "mtls-generate" ''
+        ${lib.getExe pkgs.step-cli} ca certificate \
+          john-pc-ubuntu ${tlsCert} ${tlsKey} \
+          --provisioner admin \
+          --san 192.168.1.85 \
+          --san spiffe://john-stream.com/ubuntu
+        cat ${tlsCert} ${tlsKey} > ${mtlsCert}
+      '')
+      (writeShellScriptBin "mtls-check" ''
+        ${lib.getExe pkgs.openssl} x509 \
+        -noout -subject -issuer \
+        -ext subjectAltName,extendedKeyUsage \
+        -enddate -in ${mtlsCert}
+      '')
     ];
     # TODO: Add host-specific settings here:
     # - sops secret for `restic_password/john_ubuntu`
@@ -67,8 +86,8 @@ in
         default = {
           "inherit" = "base";
           repository = "rest:https://soteria.john-stream.com/john-ubuntu";
-          # cacert = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
+          cacert = "${CACert}";
-          # tls-client-cert = "${config.home.homeDirectory}/.step/certs/mtls.pem";
+          tls-client-cert = "${mtlsCert}";
           backup = {
             source = [
               "${config.xdg.userDirs.documents}"