cleanup

more pruning
pruning
2026-03-25 18:33:54 -05:00 · 2026-03-25 18:17:07 -05:00 · 2026-03-25 18:07:19 -05:00 · 2026-03-25 18:07:08 -05:00 · 2026-03-25 17:55:31 -05:00
8 changed files with 20 additions and 86 deletions
@@ -2,9 +2,17 @@
 let
  username = "john";
  hostname = "janus";
-  caURL = "https://janus.john-stream.com/";
 in
 {
+  flake.modules.homeManager.janus-ca = { config, ... }: {
+    home.file.".step/config/defaults.json".text = builtins.toJSON {
+      "ca-url" = "https://janus.john-stream.com/";
+      fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
+      root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
+    };
+    home.file.".step/certs/root_ca.crt".source = ./root_ca.crt;
+  };
+
  flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
    modules = with inputs.self.modules; [
      nixos.lxc
@@ -20,12 +28,10 @@ in
        networking.hostName = hostname;
        step-ssh-host = {
          hostname = hostname;
-          caURL = caURL;
        };
        mtls = {
          enable = true;
          subject = hostname;
-          caURL = caURL;
          san = [
            "${hostname}.john-stream.com"
            "192.168.1.244"
@@ -36,6 +42,7 @@ in
          imports = with inputs.self.modules.homeManager; [
            sops
            step-ssh-user
+            janus-ca
          ];
          
          shell.program = "zsh";
@@ -10,7 +10,6 @@ in
  let
    flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
    certDir = "${config.mtls.certDir}";
-    CACert = "${certDir}/root_ca.crt";
    mtlsBundle = "${certDir}/${config.mtls.bundleFilename}";
    resticPasswordFile = "${config.xdg.configHome}/restic/password.txt";
  in
@@ -19,6 +18,7 @@ in
      rebuild
      john
      mysops
+      janus-ca
      step-ssh-user
      mtls
      restic
@@ -91,10 +91,6 @@ in
    mtls = {
      enable = true;
      subject = hostname;
-      ca = {
-        url = "https://janus.john-stream.com/";
-        fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
-      };
      san = [
        "${hostname}"
        "192.168.1.85"
@@ -24,7 +24,6 @@ in
        ];
        step-ssh-host = {
          hostname = hostname;
-          caURL = caURL;
        };

        home-manager.users."${username}" = {
@@ -40,6 +39,7 @@ in
    imports = with inputs.self.modules; [
      homeManager.rebuild
      homeManager.mysops
+      homeManager.janus-ca
      homeManager.mtls
      homeManager.docker
    ];
@@ -56,10 +56,6 @@ in
    mtls = {
      enable = true;
      subject = hostname;
-      ca = {
-        url = "https://janus.john-stream.com/";
-        fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
-      };
      san = [
        "${hostname}.john-stream.com"
        "192.168.1.142"
@@ -1,9 +1,4 @@
-{ inputs, ... }:
-let
-  caURL = "https://janus.john-stream.com/";
-  stepFingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
-in
-{
+{ self, inputs, ... }: {
  #
  # Home Manager Module
  #
@@ -17,42 +12,15 @@ in
  {
    options.step-ssh-user = {
      enable = lib.mkEnableOption "opionated step client config for SSH certs";
-      caURL = lib.mkOption {
-        type = lib.types.str;
-        default = "${caURL}";
-      };
-      fingerprint = lib.mkOption {
-        type = lib.types.str;
-        default = "${stepFingerprint}";
-      };
-      rootCertFile = {
-        path = lib.mkOption {
-          type = lib.types.str;
-          description = "String path to where the root_ca.crt file will be stored for the user";
-          default = ".step/certs/root_ca.crt";
-        };
-        source = lib.mkOption {
-          type = lib.types.path;
-          description = "Nix path to the root cert file within the repo";
-          default = ../../keys/root_ca.crt;
-        };
-      };
      provisioner = lib.mkOption {
        type = lib.types.str;
        default = "admin";
      };
      principals = lib.mkOption {
        type = lib.types.listOf lib.types.str;
-        # default = [ ];
      };
    };
    config = lib.mkIf cfg.enable {
-      home.file."${cfg.rootCertFile.path}".source = cfg.rootCertFile.source;
-      home.file.".step/config/defaults.json".text = builtins.toJSON {
-        "ca-url" = cfg.caURL;
-        fingerprint = cfg.fingerprint;
-        root = "${config.home.homeDirectory}/${cfg.rootCertFile.path}";
-      };
      sops.secrets."janus/admin_jwk".mode = "0400";
      home.packages = with pkgs; [
        (writeShellScriptBin "sign-ssh-cert" ''
@@ -3,14 +3,6 @@ let
  # Options that will be in common between
  opts = {
    enable = lib.mkEnableOption "Enable mTLS";
-    ca = {
-      url = lib.mkOption {
-        type = lib.types.str;
-      };
-      fingerprint = lib.mkOption {
-        type = lib.types.str;
-      };
-    };
    subject = lib.mkOption {
      description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN.";
      type = lib.types.str;
@@ -92,9 +84,12 @@ let
    systemctlArgs ? [ ],
  }:
  let
+    systemctl = lib.getExe' pkgs.systemd "systemctl";
+    escapedArgs = lib.escapeShellArgs systemctlArgs;
+    systemctlCommand = "${systemctl} ${escapedArgs}";
    renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
-      if ${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs} --quiet is-active "${unit}"; then
-        ${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs} try-reload-or-restart "${unit}"
+      if ${systemctlCommand} --quiet is-active "${unit}"; then
+        ${systemctlCommand} try-reload-or-restart "${unit}"
      fi
    '') reloadUnits;
    renewPostCommands = lib.concatStringsSep "\n" postCommands;
@@ -221,7 +216,6 @@ in
      tlsKey = "${certDir}/${cfg.keyFilename}";
      tlsCert = "${certDir}/${cfg.certFilename}";
      mtlsBundle = "${certDir}/${cfg.bundleFilename}";
-      rootCA = "${certDir}/root_ca.crt";
      sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
    in
    {
@@ -264,7 +258,6 @@ in
      tlsKey = "${certDir}/${cfg.keyFilename}";
      tlsCert = "${certDir}/${cfg.certFilename}";
      mtlsBundle = "${certDir}/${cfg.bundleFilename}";
-      rootCA = "${certDir}/root_ca.crt";
      sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
    in
    {
@@ -277,12 +270,6 @@ in
      };

      config = {
-        home.file.".step/config/defaults.json".text = builtins.toJSON {
-          "ca-url" = cfg.ca.url;
-          fingerprint = cfg.ca.fingerprint;
-          root = "${cfg.certDir}/root_ca.crt";
-        };
-
        home.packages = with pkgs; lib.optionals cfg.enable [
          step-cli
          (writeShellScriptBin "mtls-generate" ''
@@ -2,7 +2,6 @@
  flake.modules.nixos.step-ssh-host = { config, pkgs, lib, ... }:
  let
    cfg = config.step-ssh-host;
-    rootCertPath = "/etc/step/certs/root_ca.crt";
    provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
    sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
    sshCertPath = "${sshKeyPath}-cert.pub";
@@ -11,25 +10,9 @@
    # NixOS Options
    options.step-ssh-host = {
      hostname = lib.mkOption {
-        description = "Networking host name";
+        description = "Networking host name to register with the CA";
        type = lib.types.str;
      };
-      caURL = lib.mkOption {
-        description = "URL for the certificate authority";
-        type = lib.types.str;
-      };
-      rootCertFile = {
-        path = lib.mkOption {
-          description = "String path to where the root_ca.crt file will be stored for the user";
-          type = lib.types.str;
-          default = "step/certs/root_ca.crt";
-        };
-        source = lib.mkOption {
-          description = "Nix path to the root cert file within the repo";
-          type = lib.types.path;
-          default = ../../../keys/root_ca.crt;
-        };
-      };
      provisioner = lib.mkOption {
        description = "Provisioner inside Step CA to use for the SSH certificates";
        type = lib.types.str;
@@ -38,6 +21,7 @@
    };

    imports = with inputs.self.modules.nixos; [ ssh ];
+
    # NixOS Config
    config = {
      ssh.certificates.enable = true;
@@ -48,15 +32,11 @@
      };
      networking.nameservers = [ "192.168.1.150" ];
      networking.dhcpcd.extraConfig = "nohook resolv.conf";
-
-      environment.etc."${cfg.rootCertFile.path}".source = cfg.rootCertFile.source;
      environment.systemPackages = with pkgs; [
        step-cli
        (writeShellScriptBin "ssh-host-cert-renew" ''
          ${lib.getExe pkgs.step-cli} ssh certificate \
          --host --sign \
-          --root "${rootCertPath}" \
-          --ca-url ${cfg.caURL} \
          --provisioner "${cfg.provisioner}" \
          --provisioner-password-file "${provisionerPasswordPath}" \
          --principal "${cfg.hostname}" \
Author	SHA1	Message	Date
John Lancaster	3da3cc2dc6	cleanup	2026-03-25 18:33:54 -05:00
John Lancaster	18b6cc16ad	more pruning	2026-03-25 18:17:07 -05:00
John Lancaster	d8ced840ca	pruning	2026-03-25 18:07:19 -05:00
John Lancaster	2fad88f8a0	added root_ca content	2026-03-25 18:07:08 -05:00
John Lancaster	7b0f419454	WIP CA bootstrap rework	2026-03-25 17:55:31 -05:00