{ inputs, lib, ... }: let opts = { enable = lib.mkEnableOption "Enable mTLS"; caURL = lib.mkOption { description = "URL to the certificate authority"; type = lib.types.str; }; subject = lib.mkOption { description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN."; type = lib.types.str; }; keyFilename = lib.mkOption { description = "String filename for the private key"; type = lib.types.str; default = "key.pem"; }; certFilename = lib.mkOption { description = "String filename for the public certificate"; type = lib.types.str; default = "cert.pem"; }; bundleFilename = lib.mkOption { description = "String filename for the mTLS key bundle"; type = lib.types.str; default = "mtls.pem"; }; san = lib.mkOption { description = "List of SAN to give the mTLS cert"; type = lib.types.listOf lib.types.str; default = [ ]; }; provisioner = lib.mkOption { type = lib.types.str; default = "admin"; }; renew = { enable = lib.mkOption { description = "Enable automatic mTLS certificate renewal using a systemd timer."; type = lib.types.bool; default = true; }; onCalendar = lib.mkOption { description = "systemd OnCalendar schedule for mTLS certificate renewal checks."; type = lib.types.str; default = "*:1/15"; }; randomizedDelaySec = lib.mkOption { description = "Randomized delay added to renewal timer runs to avoid synchronized renewals."; type = lib.types.str; default = "5m"; }; reloadUnits = lib.mkOption { description = "systemd units to try-reload-or-restart after a successful certificate renewal."; type = lib.types.listOf lib.types.str; default = [ ]; }; postCommands = lib.mkOption { description = "Shell commands to run after a successful certificate renewal."; type = lib.types.listOf lib.types.lines; default = [ ]; }; }; }; in { flake.modules.nixos.mtls = { config, lib, pkgs, ... }: let cfg = config.mtls; certDir = cfg.certDir; tlsKey = "${certDir}/${cfg.keyFilename}"; tlsCert = "${certDir}/${cfg.certFilename}"; mtlsBundle = "${certDir}/${cfg.bundleFilename}"; rootCA = "${cfg.certDir}/certs/root_ca.crt"; sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; renewReloadScript = lib.concatMapStringsSep "\n" (unit: '' if ${lib.getExe' pkgs.systemd "systemctl"} --quiet is-active "${unit}"; then ${lib.getExe' pkgs.systemd "systemctl"} try-reload-or-restart "${unit}" fi '') cfg.renew.reloadUnits; renewPostCommands = lib.concatStringsSep "\n" cfg.renew.postCommands; in { options.mtls = opts; config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; lib.optionals cfg.enable [ (writeShellScriptBin "mtls-generate" '' set -euo pipefail ${lib.getExe pkgs.step-cli} ca certificate \ ${cfg.subject} ${tlsCert} ${tlsKey} \ --ca-url ${cfg.caURL} \ --root ${rootCA} \ --provisioner ${cfg.provisioner} \ ${sanArgs} cat ${tlsCert} ${tlsKey} > ${mtlsBundle} '') (writeShellScriptBin "mtls-check" '' ${lib.getExe pkgs.openssl} x509 \ -noout -subject -issuer \ -ext subjectAltName,extendedKeyUsage \ -enddate -in ${mtlsBundle} '') ]; systemd.services.mtls-renew = lib.mkIf cfg.renew.enable { description = "Renew the mTLS certificate when Smallstep marks it ready"; wantedBy = [ ]; after = [ "network-online.target" ]; wants = [ "network-online.target" ]; path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ]; serviceConfig = { Type = "oneshot"; User = "root"; Group = "root"; }; script = '' set -euo pipefail if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then echo "Renewing mTLS certificate" else rc=$? if [ "$rc" -eq 1 ]; then echo "mTLS certificate does not need renewal" exit 0 fi if [ "$rc" -eq 2 ]; then echo "mTLS certificate missing: ${tlsCert}" >&2 exit 1 fi echo "step certificate needs-renewal failed with rc=$rc" >&2 exit "$rc" fi ${lib.getExe pkgs.step-cli} ca renew --force "${tlsCert}" "${tlsKey}" umask 077 cat "${tlsCert}" "${tlsKey}" > "${mtlsBundle}" ${renewReloadScript} ${renewPostCommands} ''; }; systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable { description = "Periodic Smallstep renewal for the mTLS certificate"; wantedBy = [ "timers.target" ]; timerConfig = { Persistent = true; OnCalendar = cfg.renew.onCalendar; AccuracySec = "1us"; RandomizedDelaySec = cfg.renew.randomizedDelaySec; Unit = "mtls-renew.service"; }; }; }; }; flake.modules.homeManager.mtls = { config, lib, pkgs, ... }: let cfg = config.mtls; certDir = cfg.certDir; tlsKey = "${certDir}/${cfg.keyFilename}"; tlsCert = "${certDir}/${cfg.certFilename}"; mtlsBundle = "${certDir}/${cfg.bundleFilename}"; rootCA = "${certDir}/root_ca.crt"; sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; in { options.mtls = opts // { certDir = lib.mkOption { description = "String path to where the mtls certs will be stored."; type = lib.types.str; default ="${config.home.homeDirectory}/.step/certs"; }; }; config = { home.packages = with pkgs; [ step-cli (writeShellScriptBin "mtls-generate" '' set -euo pipefail ${lib.getExe pkgs.step-cli} ca certificate \ john-pc-ubuntu ${tlsCert} ${tlsKey} \ --provisioner ${cfg.provisioner} \ ${sanArgs} cat ${tlsCert} ${tlsKey} > ${mtlsBundle} '') (writeShellScriptBin "mtls-check" '' ${lib.getExe pkgs.openssl} x509 \ -noout -subject -issuer \ -ext subjectAltName,extendedKeyUsage \ -enddate -in ${mtlsBundle} '') ]; }; }; }