From fac9c7f5ceba85d5cd678675151c4b56323a2743 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Wed, 1 Apr 2026 20:45:09 -0500
Subject: [PATCH] mtls param renames

---
 modules/features/mtls.nix | 72 ++++++++++++++++++-------------------
 modules/features/restic.nix | 24 ++++++-------
 2 files changed, 47 insertions(+), 49 deletions(-)

diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index 900b821..7eb2437 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -88,9 +88,9 @@ let
 subject,
 provisioner,
 san,
- tlsCert,
- tlsKey,
- mtlsBundle,
+ certFile,
+ keyFile,
+ bundleFile,
 lifetime,
 }:
 let
@@ -100,26 +100,26 @@ let
 pkgs.writeShellScriptBin "mtls-generate" ''
 set -euo pipefail
 ${stepCmd} ca certificate \
- ${subject} ${tlsCert} ${tlsKey} \
+ ${subject} ${certFile} ${keyFile} \
 --not-before=-5m --not-after=${lifetime} \
 --provisioner ${provisioner} \
 ${sanArgs} \
 "$@"
- cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
+ cat ${certFile} ${keyFile} > ${bundleFile}
 '';
- mkMtlsCheckScript = { pkgs, mtlsBundle }: pkgs.writeShellScriptBin "mtls-check" ''
+ mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" ''
 ${lib.getExe pkgs.openssl} x509 \
 -noout -subject -issuer \
 -ext subjectAltName,extendedKeyUsage \
- -enddate -in ${mtlsBundle}
+ -enddate -in ${bundleFile}
 '';
 mkMtlsRenewScript =
 {
 pkgs,
- tlsCert,
- tlsKey,
- mtlsBundle,
+ certFile,
+ keyFile,
+ bundleFile,
 reloadUnits ? [ ],
 postCommands ? [ ],
 systemctlArgs ? [ ],
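Review bot: mtls-generate still writes the private key into the bundle with `cat ${certFile} ${keyFile} > ${bundleFile}` and no `umask 077`, so when the bundle is first created its mode is whatever the invoking shell's umask allows, whereas mtls-renew in the next hunk does set `umask 077` before its own cat. The three paths are also interpolated unquoted here (`${subject} ${certFile} ${keyFile}` and the cat line) while mtls-renew quotes them, and `set -euo pipefail` does nothing about word-splitting on a path containing spaces. I would add `umask 077` on the line before the cat and quote it as `cat "${certFile}" "${keyFile}" > "${bundleFile}"`, quoting the `${subject} ${certFile} ${keyFile}` arguments the same way. Whether the key file written by the `ca certificate` invocation itself needs the umask as well is not visible from this hunk and worth confirming.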
@@ -139,17 +139,17 @@ let
 pkgs.writeShellScriptBin "mtls-renew" ''
 set -euo pipefail
- if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then
+ if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${certFile}"; then
 ${echoCmd} "Renewing mTLS certificate"
 else
 ${echoCmd} "Skipping renew"
 exit "$?"
 fi
- ${lib.getExe pkgs.step-cli} ca renew --force "${tlsCert}" "${tlsKey}"
+ ${lib.getExe pkgs.step-cli} ca renew --force "${certFile}" "${keyFile}"
 umask 077
- ${lib.getExe' pkgs.coreutils "cat"} "${tlsCert}" "${tlsKey}" > "${mtlsBundle}"
+ ${lib.getExe' pkgs.coreutils "cat"} "${certFile}" "${keyFile}" > "${bundleFile}"
 ${echoCmd} "Reloading units:"
 ${renewReloadScript}
@@ -160,9 +160,9 @@ let
 mkNixosMtlsRenewService =
 {
 pkgs,
- tlsCert,
- tlsKey,
- mtlsBundle,
+ certFile,
+ keyFile,
+ bundleFile,
 reloadUnits ? [ ],
 postCommands ? [ ],
 user ? "root",
@@ -171,7 +171,7 @@ let
 let
 serviceGroup = if group == null then user else group;
 renewScript = mkMtlsRenewScript {
- inherit pkgs tlsCert tlsKey mtlsBundle reloadUnits postCommands;
+ inherit pkgs certFile keyFile bundleFile reloadUnits postCommands;
 };
 in
 {
@@ -205,15 +205,15 @@ let
 mkHomeManagerMtlsRenewService =
 {
 pkgs,
- tlsCert,
- tlsKey,
- mtlsBundle,
+ certFile,
+ keyFile,
+ bundleFile,
 reloadUnits ? [ ],
 postCommands ? [ ],
 }:
 let
 renewScript = mkMtlsRenewScript {
- inherit pkgs tlsCert tlsKey mtlsBundle reloadUnits postCommands;
+ inherit pkgs certFile keyFile bundleFile reloadUnits postCommands;
 systemctlArgs = [ "--user" ];
 };
 in
@@ -254,9 +254,6 @@ in
 flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
 let
 cfg = config.mtls;
- tlsKey = cfg.keyFile;
- tlsCert = cfg.certFile;
- mtlsBundle = cfg.bundleFile;
 sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
 in
 {
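Review bot: The renewal decision in mtls-renew treats every non-zero exit from `certificate needs-renewal "${certFile}"` as "not due yet": the else branch prints "Skipping renew" and then runs `exit "$?"`, and `$?` at that point is the status of the preceding echo, i.e. 0, so a missing or unreadable certificate file makes the timer-driven service report success without renewing anything. At minimum `exit "$?"` should become `exit 0` so the intent is explicit rather than accidental; better, if the step-cli version in use distinguishes "renewal not needed" from an error by exit code (not checkable from here), capture the status with `needs-renewal "${certFile}" || rc=$?` and only skip on the documented "not needed" code, failing otherwise so the unit goes red. The shell script string continues past the end of this hunk (`${renewReloadScript}` and whatever follows), so the final exit path is not visible here.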
@@ -264,7 +261,7 @@ in
 certDir = lib.mkOption {
 description = "String path to where the mtls certs will be stored.";
 type = lib.types.str;
- default = "/etc/step/certs";
+ default = "/etc/step-ca/certs";
 };
 };
@@ -272,11 +269,11 @@ in
 environment.systemPackages = with pkgs; lib.optionals cfg.enable [
 # step-cli
 (mkMtlsGenerateScript {
- inherit (cfg) subject provisioner san lifetime;
- inherit pkgs tlsCert tlsKey mtlsBundle;
+ inherit pkgs;
+ inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime;
 })
- (mkMtlsCheckScript { inherit pkgs mtlsBundle; })
- (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; })
+ (mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; })
+ (mkMtlsRenewScript { inherit pkgs; inherit (cfg) certFile keyFile bundleFile; })
 ];
 systemd.tmpfiles.rules = [
@@ -284,7 +281,8 @@ in
 ];
 systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
- inherit pkgs tlsCert tlsKey mtlsBundle;
+ inherit pkgs;
+ inherit (cfg) certFile keyFile bundleFile;
 inherit (cfg.renew) reloadUnits postCommands user group;
 });
@@ -297,9 +295,9 @@ in
 flake.modules.homeManager.mtls = { config, lib, pkgs, ... }:
 let
 cfg = config.mtls;
- tlsKey = cfg.keyFile;
- tlsCert = cfg.certFile;
- mtlsBundle = cfg.bundleFile;
+ keyFile = cfg.keyFile;
+ certFile = cfg.certFile;
+ bundleFile = cfg.bundleFile;
 sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
 in
 {
@@ -316,10 +314,10 @@ in
 # step-cli
 (mkMtlsGenerateScript {
 inherit (cfg) subject provisioner san lifetime;
- inherit pkgs tlsCert tlsKey mtlsBundle;
+ inherit pkgs certFile keyFile bundleFile;
 })
- (mkMtlsCheckScript { inherit pkgs mtlsBundle; })
- (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; })
+ (mkMtlsCheckScript { inherit pkgs bundleFile; })
+ (mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; })
 ];
 systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
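Review bot: The `certDir` default changes from `/etc/step/certs` to `/etc/step-ca/certs` in the first hunk of this section, which is a behavioural change for every NixOS host that never set the option, yet the commit subject says only "mtls param renames" and nothing in the patch describes a migration. On such a host the existing certificate, key and bundle stay under the old directory while mtls-renew, mtls-check and presumably the `systemd.tmpfiles.rules` entry just below (its content is outside the hunk) switch to the new one, so the next renewal fails until the files are moved or `certDir` is pinned. Either spell the default change out in the commit message or make it discoverable in the option itself, e.g. `description = "String path to where the mtls certs will be stored (default moved from /etc/step/certs).";`.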
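Review bot: The home-manager module (hunk at -297) keeps three `let` bindings `keyFile = cfg.keyFile;`, `certFile = cfg.certFile;`, `bundleFile = cfg.bundleFile;` purely to feed `inherit pkgs certFile keyFile bundleFile;` at its call sites, whereas the NixOS module in the same commit (hunks at -254, -272 and -284) drops its equivalent bindings and writes `inherit (cfg) certFile keyFile bundleFile;` directly. Making the two modules agree would keep the next rename of this kind to one pattern; the home-manager call sites in the -316 hunk and the following -327 hunk would become `inherit pkgs; inherit (cfg) certFile keyFile bundleFile;` and the three `let` lines could be dropped.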
@@ -327,7 +325,7 @@ in
 ];
 systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService {
- inherit pkgs tlsCert tlsKey mtlsBundle;
+ inherit pkgs certFile keyFile bundleFile;
 inherit (cfg.renew) reloadUnits postCommands;
 });
diff --git a/modules/features/restic.nix b/modules/features/restic.nix
index 79dce7a..8695b29 100644
--- a/modules/features/restic.nix
+++ b/modules/features/restic.nix
@@ -19,6 +19,11 @@
 type = lib.types.str;
 default = "john-ubuntu";
 };
+ repoUrl = lib.mkOption {
+ description = "URL to the REST endpoint";
+ type = lib.types.str;
+ default = "rest:https://soteria.john-stream.com/${cfg.repoName}";
+ };
 passwordFile = lib.mkOption {
 description = "String path to the restic password file";
 type = lib.types.str;
@@ -44,29 +49,24 @@
 };
 };
- config = let
- resticRepository = "rest:https://soteria.john-stream.com/${cfg.repoName}";
- caCert = "${config.mtls.certDir}/root_ca.crt";
- mtlsBundle = "${config.mtls.certDir}/${config.mtls.bundleFilename}";
- in
- {
+ config = {
 home.sessionVariables = {
- RESTIC_REPOSITORY = resticRepository;
+ RESTIC_REPOSITORY = cfg.repoUrl;
 RESTIC_PASSWORD_FILE = cfg.passwordFile;
- RESTIC_CACERT = caCert;
- RESTIC_TLS_CLIENT_CERT = mtlsBundle;
+ RESTIC_CACERT = config.mtls.caFile;
+ RESTIC_TLS_CLIENT_CERT = config.mtls.bundleFile;
 };
 # This is necessary because the restic service in home manager doesn't otherwise expose these options.
 systemd.user.services."restic-backups-${cfg.repoName}".Service.Environment = [
- "RESTIC_CACERT=${caCert}"
- "RESTIC_TLS_CLIENT_CERT=${mtlsBundle}"
+ "RESTIC_CACERT=${config.mtls.caFile}"
+ "RESTIC_TLS_CLIENT_CERT=${config.mtls.bundleFile}"
 ];
 services.restic = {
 enable = true;
 backups.${cfg.repoName} = {
- repository = resticRepository;
+ repository = cfg.repoUrl;
 passwordFile = cfg.passwordFile;
 paths = cfg.paths;
 timerConfig = {
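Review bot: The new `repoUrl` option in restic.nix has a `default` that is computed from `cfg.repoName`, so generated option documentation would render an evaluated value rather than the rule, and any reader of the option cannot see that repoName is appended; the usual convention for config-dependent defaults is to add `defaultText = lib.literalExpression ''"rest:https://soteria.john-stream.com/''${cfg.repoName}"'';` beside `default`. The description `"URL to the REST endpoint"` could also state the composition, e.g. `description = "Full restic repository URL; by default the REST server with repoName appended.";`. Referencing `cfg` from inside an option declaration relies on `cfg` being bound at file scope above this hunk, which the removed config body suggests but the patch does not show.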
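Review bot: `config.mtls.caFile` is read in the new `RESTIC_CACERT` lines of the last hunk (both in `home.sessionVariables` and in the `Service.Environment` list), but no `caFile` option is declared or added anywhere in the mtls.nix part of this patch — the mtls options it touches are `certDir`, `certFile`, `keyFile` and `bundleFile` — so unless the home-manager mtls module already declares `caFile` outside the hunks shown, evaluation fails on the missing attribute and the backup unit never gets its CA pin. The removed `caCert = "${config.mtls.certDir}/root_ca.crt";` binding is the only place the patch records what that value used to be, so if the option does exist its default should be checked against that path before this lands. A one-line comment above `home.sessionVariables` would help the next reader, e.g. `# CA and client-bundle paths are owned by the mtls module (config.mtls.caFile / bundleFile).`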