| author | Alejandro Soto <alejandro@34project.org> | 2024-07-28 13:23:37 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2024-07-28 13:23:57 -0600 |
| commit | bd30588eac90b498457c7e0b5687a33e7585425a (patch) | |
| tree | 068404d578f686a2e9f8bef0cf1a41911808a5b4 /pki/ca.nix | |
| parent | baf553ca73b842062aaf957a227fcb18ebfdf5ae (diff) | |
pki: rename from sys/pki, import in home
Diffstat (limited to 'pki/ca.nix')
| -rw-r--r-- | pki/ca.nix | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/pki/ca.nix b/pki/ca.nix
new file mode 100644
index 0000000..70640be
--- /dev/null
+++ b/pki/ca.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+ cfg = config.local.pki.ca;
+
+ inherit (pkgs.buildPackages) openssl;
+
+ certsType = leafOf: with lib.types; attrsOf (submodule ({ config, name, ... }: {
+ options = {
+ cert = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ fingerprint.sha256 = mkOption {
+ type = str;
+ readOnly = true;
+ };
+
+ fullchain = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ issuer = mkOption {
+ type = nullOr str;
+ readOnly = true;
+ };
+
+ path = mkOption {
+ type = str;
+ readOnly = true;
+ };
+ } // optionalAttrs (leafOf != null) {
+ commonName = mkOption {
+ type = str;
+ readOnly = true;
+ };
+ } // optionalAttrs (leafOf == null) {
+ crl = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ certWithCrl = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ leaves = mkOption {
+ type = certsType name;
+ readOnly = true;
+ };
+ };
+
+ config = {
+ fingerprint.sha256 = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
+ ${openssl}/bin/openssl x509 -in ${config.cert} -noout -sha256 -fingerprint \
+ | sed 's/^.*=//' \
+ | tr -d $'\n' \
+ >$out
+ '');
+
+ fullchain = pkgs.writeText "${name}-fullchain-crl.pem"
+ (concatStrings (map readFile
+ (singleton (if leafOf != null then config.cert else config.certWithCrl)
+ ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain)));
+
+ path = optionalString (config.issuer != null) (cfg.${config.issuer}.path + ".") + name;
+ } // optionalAttrs (leafOf != null) {
+ commonName = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
+ ${openssl}/bin/openssl x509 -in ${config.cert} -noout -subject -nameopt multiline \
+ | grep commonName \
+ | sed 's/^.*=\s*//' \
+ | tr -d $'\n' \
+ >$out
+ '');
+
+ issuer = leafOf;
+ } // optionalAttrs (leafOf == null) {
+ certWithCrl = pkgs.writeText "${name}-cert-crl.pem"
+ (concatStrings (map readFile [ config.cert config.crl ]));
+ };
+ }));
+in
+{
+ options.local.pki.ca = mkOption {
+ type = certsType null;
+ readOnly = true;
+};
+}
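Review bot: The `commonName` derivation reuses the fingerprint derivation's name `cert-${config.path}-fprint-sha256`, so two different builders share one store-path label and the CN extraction shows up in logs as a SHA-256 fingerprint; rename it, e.g. `pkgs.runCommandNoCCLocal "cert-${config.path}-commonName" { } ''`. That same builder pipes `openssl x509 -subject` through `grep commonName`, which exits non-zero for a subject with no CN (SAN-only certificates) and, if the stdenv shell runs with pipefail, fails the build with an unrelated-looking grep error, while a subject with several CN components is concatenated with no separator by `tr -d $'\n'` — a comment stating the single-CN assumption, or `grep -m1`, would make that explicit. `fullchain` is written as `${name}-fullchain-crl.pem` for leaves as well, where the body is `config.cert` alone with no CRL, so the filename overstates its contents. Nothing checks that `config.cert` actually chains to `cfg.${config.issuer}` or that `config.crl` belongs to `config.cert` before they are concatenated into the bundle; a mismatch here surfaces only as a verification failure on a client, so an `openssl verify`-based check inside one of these builders would turn it into a build failure instead.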
