authorAlejandro Soto <alejandro@34project.org>2024-07-20 16:41:14 -0600
committerAlejandro Soto <alejandro@34project.org>2024-07-20 18:01:46 -0600
commit181200e62d929df7e632e581547a01c71eeefc2a (patch)
tree47656d59031d59ffe40aa0bc9cf4f31d0c4cd212 /sys/pki/ca.nix
parent0ed17847d32885b3400dd7f33920898445a7a505 (diff)
sys/pki: build fullchains from cert+crl+issuer
Diffstat (limited to '')
-rw-r--r--sys/pki/ca.nix51
1 files changed, 51 insertions, 0 deletions
diff --git a/sys/pki/ca.nix b/sys/pki/ca.nix
new file mode 100644
index 0000000..4e8f841
--- /dev/null
+++ b/sys/pki/ca.nix
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+ cfg = config.local.pki.ca;
+in
+{
+ options.local.pki.ca = mkOption {
+ readOnly = true;
+
+ type = with lib.types; attrsOf (submodule ({ config, name, ... }: {
+ options = {
+ cert = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ crl = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ fullchain = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ issuer = mkOption {
+ type = nullOr str;
+ readOnly = true;
+ };
+ };
+
+ config.fullchain = pkgs.writeText "${name}-fullchain-crl.pem"
+ (concatStrings (map readFile
+ ([ config.cert config.crl ] ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain)));
+ }));
+ };
+
+ config.local.pki.ca = {
+ mail = {
+ crl = ./public/mail-crl.pem;
+ cert = ./public/mail-ca.pem;
+ issuer = "root";
+ };
+
+ root = {
+ crl = ./public/root-crl.pem;
+ cert = ./public/root-ca.pem;
+ issuer = null;
+ };
+ };
+}
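Review bot: The CRL is baked into the Nix store by `pkgs.writeText` in `config.fullchain`, so each CRL has the shelf life of the system closure: once its nextUpdate passes, verifiers that check revocation against this bundle will reject the chain until the PEM under ./public is replaced and the host rebuilt. That is worth recording next to the `config.fullchain` line, e.g. `# cert+CRL+issuer chain is read at eval time into the store; re-issue the CRL and rebuild before nextUpdate`. The four submodule options also carry no `description`, which `readOnly` options need most since nothing outside this file can set them and the generated docs are the only hint of what `fullchain` contains (cert, then CRL, then the issuer's bundle, recursively). A minor robustness point: `concatStrings` joins the files verbatim, so a PEM lacking a trailing newline would fuse its END line with the next BEGIN; if the inputs are not guaranteed newline-terminated, `concatMapStringsSep "\n" readFile` in place of `concatStrings (map readFile …)` would make the bundle tolerant of that.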