authorAlejandro Soto <alejandro@34project.org>2024-08-10 15:35:10 -0600
committerAlejandro Soto <alejandro@34project.org>2024-08-10 16:10:18 -0600
commitf71eb78f5c2b8ba088a5ffec34886373620060af (patch)
tree1455bcd8c4b46b57dbcb4c903bd654dedda4d4e6 /sys/jobs/pki-expiry/default.nix
parent95982afebf37e838bd0ab871732966aca98c1744 (diff)
sys/jobs/pki-expiry: initial commit
Diffstat (limited to 'sys/jobs/pki-expiry/default.nix')
-rw-r--r--sys/jobs/pki-expiry/default.nix59
1 files changed, 59 insertions, 0 deletions
diff --git a/sys/jobs/pki-expiry/default.nix b/sys/jobs/pki-expiry/default.nix
new file mode 100644
index 0000000..b61d6f5
--- /dev/null
+++ b/sys/jobs/pki-expiry/default.nix
@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+ cfg = config.local.jobs.pkiExpiry;
+ inherit (config.local) pki;
+in
+{
+ options.local.jobs.pkiExpiry = {
+ enable = mkEnableOption "PKI expiration reminder";
+ };
+
+ config = mkIf cfg.enable {
+ systemd = {
+ services.pki-expiry = {
+ after = [ "postfix.service" ];
+ path = [ "/run/wrappers" ];
+
+ environment.PKI_PUBLIC =
+ let
+ mkdir = "mkdir -p $out/{ca,cert,crl}";
+
+ cas = mapAttrsToList (_: ca: "ln -s ${ca.cert} $out/ca/${ca.path}") pki.ca;
+ crls = mapAttrsToList (_: ca: "ln -s ${ca.crl} $out/crl/${ca.path}") pki.ca;
+
+ certs = mapAttrsToList
+ (path: leaf: "ln -s ${leaf.cert} $out/cert/${path}")
+ (filterAttrs (_: object: ! object ? leaves) pki.byPath);
+
+ pkiPublic = pkgs.runCommandNoCCLocal "pki-public" { } (concatLines ([ mkdir ] ++ cas ++ crls ++ certs));
+ in
+ "${pkiPublic}";
+
+ serviceConfig = {
+ Type = "oneshot";
+ StateDirectory = "pki-expiry";
+ WorkingDirectory = "/var/lib/pki-expiry";
+
+ ExecStart =
+ let
+ script = pkgs.writeShellApplication {
+ name = "pki-expiry";
+ text = readFile ./pki-expiry.sh;
+ runtimeInputs = with pkgs; [ diffutils openssl ];
+ };
+ in
+ "${getExe script}";
+ };
+ };
+
+ timers.pki-expiry = {
+ wantedBy = [ "timers.target" ];
+
+ timerConfig = {
+ OnStartupSec = "10m";
+ OnUnitInactiveSec = "3d";
+ };
+ };
+ };
+ };
+}
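Review bot: The `serviceConfig` block sets no `User`, so this timer-driven job runs as root although it only reads Nix-store symlinks, writes its own `StateDirectory`, and runs `diff`/`openssl`; give it a dedicated account, e.g. `users.users.pki-expiry = { isSystemUser = true; group = "pki-expiry"; }; users.groups.pki-expiry = { };` plus `serviceConfig.User = "pki-expiry";`. I would avoid `DynamicUser` for this one, because it implies `NoNewPrivileges`, which would break the set-id `sendmail` wrapper that `path = [ "/run/wrappers" ]` presumably exists for (the script itself, `./pki-expiry.sh`, is not in this commit, so that is inferred). `after = [ "postfix.service" ]` without a matching `wants` only orders the unit and does not start postfix, which is acceptable only if the script relies on sendmail queueing. Separately, `mkdir -p $out/{ca,cert,crl}` creates just the three top-level directories, so the `ln -s` lines fail at build time if any `ca.path` or `byPath` key contains a `/`; if nested paths are possible, prefix each link with `mkdir -p "$(dirname "$out/cert/${path}")"` (and likewise for ca/crl).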