john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
630e385fb198c544734ea6e2c778e69ba3fd2af7
dendritic/modules/hosts/janus/default.nix
T
John Lancaster ff70a35078 janus-ca pkg updates
2026-04-04 12:09:13 -05:00

116 lines
3.3 KiB
Nix
Raw Blame History

{ inputs, ... }:
let
username = "john";
hostname = "janus";
ca-url = "https://janus.john-stream.com/";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
in
{
flake.modules.nixos.janus-ca =
{ config, lib, ... }:
let
cfg = config.janus-ca;
johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config;
johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config;
cfgInEtc = lib.hasPrefix "/etc/" cfg.certDir;
certDirEtcPath =
if cfgInEtc then
lib.removePrefix "/etc/" cfg.certDir
else
cfg.certDir;
certRootEtcPath = "${certDirEtcPath}/root_ca.crt";
mkStepRules = home: user: group: [
"d ${home}/.step 0700 ${user} ${group} -"
"d ${home}/.step/config 0700 ${user} ${group} -"
"d ${home}/.step/certs 0700 ${user} ${group} -"
"L+ ${home}/.step/config/defaults.json - - - - /etc/step-ca/defaults.json"
"L+ ${home}/.step/certs/root_ca.crt - - - - ${cfg.certDir}/root_ca.crt"
];
in
{
options.janus-ca = {
certDir = lib.mkOption {
description = "String path to where the mtls certs will be stored.";
type = lib.types.str;
default = "/etc/step-ca/certs";
};
};
config = {
environment.etc = lib.mkIf cfgInEtc {
"step-ca/defaults.json".text = builtins.toJSON {
inherit ca-url fingerprint;
root = "/etc/${certRootEtcPath}";
};
"${certRootEtcPath}".source = ./root_ca.crt;
};
systemd.tmpfiles.rules =
mkStepRules johnHome username johnGroup
++ mkStepRules "/root" "root" "root";
};
};
flake.modules.homeManager.janus-ca = { config, ... }: {
home.file.".step/config/defaults.json".text = builtins.toJSON {
inherit ca-url fingerprint;
root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
};
home.file.".step/certs/root_ca.crt".source = ./root_ca.crt;
};
flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
modules = with inputs.self.modules; [
nixos.lxc
nixos.mysops
nixos.step-ssh-host
nixos.janus-ca
inputs.home-manager.nixosModules.home-manager
nixos."${username}"
nixos.docker
nixos.login-text
nixos.mtls
{
networking.hostName = hostname;
step-ssh-host = {
hostname = hostname;
};
mtls = {
enable = true;
subject = hostname;
san = [
"${hostname}.john-stream.com"
"192.168.1.244"
];
};
home-manager.users."${username}" = {
imports = with inputs.self.modules.homeManager; [
mysops
step-ssh-user
];
shell.program = "zsh";
docker.enable = true;
};
}
];
};
flake-file.inputs = {
wrappers = {
url = "github:lassulus/wrappers";
inputs.nixpkgs.follows = "nixpkgs";
};
};
perSystem = { pkgs, lib, ... }: {
packages.janus-ca = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = pkgs.step-cli;
binName = "janus-cert";
args = [
"ca" "certificate"
"--ca-url=${ca-url}"
];
};
};
}
Reference in New Issue View Git Blame Copy Permalink