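# flake-parts fragment exposing a NixOS module `mtls` that installs two helper
# commands: `mtls-generate` (request a client certificate from a step-ca
# instance and build a cert+key bundle) and `mtls-check` (print the bundle's
# leaf certificate details with openssl).
{ inputs, ... }: {
  flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
    let
      cfg = config.mtls;
      certDir = cfg.certDir;
      tlsKey = "${certDir}/${cfg.keyFilename}";
      tlsCert = "${certDir}/${cfg.certFilename}";
      mtlsBundle = "${certDir}/${cfg.bundleFilename}";
      # Root CA certificate as laid out by `step ca bootstrap` under certDir.
      rootCA = "${certDir}/certs/root_ca.crt";

      # Every option value is interpolated into a shell script at eval time, so
      # it is shell-escaped rather than trusted to be free of spaces or quotes.
      esc = lib.escapeShellArg;
      sanFlags = lib.concatMapStringsSep " " (san: "--san ${esc san}") cfg.sans;
    in {
      options.mtls = {
        enable = lib.mkEnableOption "Enable mTLS";

        caURL = lib.mkOption {
          description = "URL to the certificate authority";
          type = lib.types.str;
        };

        subject = lib.mkOption {
          description = ''
            The Common Name, DNS Name, or IP address that will be set as the
            Subject Common Name for the certificate. If no Subject Alternative
            Names (SANs) are configured (via the `sans` option) then the
            subject will be set as the only SAN.
          '';
          type = lib.types.str;
        };

        sans = lib.mkOption {
          description = ''
            Subject Alternative Names passed to `step ca certificate` via
            `--san`. The default preserves the values previously hard-coded in
            this module; override it for each deployment.
          '';
          type = lib.types.listOf lib.types.str;
          default = [ "192.168.1.85" "spiffe://john-stream.com/ubuntu" ];
        };

        provisioner = lib.mkOption {
          description = "Name of the step-ca provisioner used to issue the certificate.";
          type = lib.types.str;
          default = "admin";
        };

        certDir = lib.mkOption {
          description = "String path to where the mtls certs will be stored.";
          type = lib.types.str;
          default = "/etc/step";
        };

        keyFilename = lib.mkOption {
          description = "String filename for the private key";
          type = lib.types.str;
          default = "key.pem";
        };

        certFilename = lib.mkOption {
          description = "String filename for the public certificate";
          type = lib.types.str;
          default = "cert.pem";
        };

        bundleFilename = lib.mkOption {
          description = "String filename for the mTLS key bundle (certificate followed by private key)";
          type = lib.types.str;
          default = "mtls.pem";
        };
      };

      config = {
        environment.systemPackages = lib.optionals cfg.enable [
          # Request a certificate from the CA and write cert, key and bundle
          # into certDir.
          (pkgs.writeShellScriptBin "mtls-generate" ''
            set -euo pipefail
            ${lib.getExe pkgs.step-cli} ca certificate \
              ${esc cfg.subject} ${esc tlsCert} ${esc tlsKey} \
              --ca-url ${esc cfg.caURL} \
              --root ${esc rootCA} \
              --provisioner ${esc cfg.provisioner} \
              ${sanFlags}
            # The bundle contains the private key. A plain redirect would
            # create it with the caller's umask (often world-readable) and
            # would keep the mode of a pre-existing file, so remove any old
            # bundle and create the new one under a 0600 umask.
            rm -f ${esc mtlsBundle}
            ( umask 077; cat ${esc tlsCert} ${esc tlsKey} > ${esc mtlsBundle} )
          '')

          # Show subject, issuer, SANs, EKU and expiry of the bundle's leaf
          # certificate (openssl x509 reads the first PEM block).
          (pkgs.writeShellScriptBin "mtls-check" ''
            set -euo pipefail
            ${lib.getExe pkgs.openssl} x509 \
              -noout -subject -issuer \
              -ext subjectAltName,extendedKeyUsage \
              -enddate -in ${esc mtlsBundle}
          '')
        ];
      };
    };
}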