| author | Alejandro Soto <alejandro@34project.org> | 2024-07-20 16:41:14 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2024-07-20 18:01:46 -0600 |
| commit | 181200e62d929df7e632e581547a01c71eeefc2a (patch) | |
| tree | 47656d59031d59ffe40aa0bc9cf4f31d0c4cd212 /sys/pki | |
| parent | 0ed17847d32885b3400dd7f33920898445a7a505 (diff) | |
sys/pki: build fullchains from cert+crl+issuer
Diffstat (limited to 'sys/pki')
| -rw-r--r-- | sys/pki/ca.nix | 51 | ||||
| -rw-r--r-- | sys/pki/chains/default.nix | 24 | ||||
| -rw-r--r-- | sys/pki/chains/mail-fullchain-crl.crt | 130 | ||||
| -rw-r--r-- | sys/pki/default.nix | 2 | ||||
| -rw-r--r-- | sys/pki/public/README.md | 1 |
5 files changed, 53 insertions, 155 deletions
diff --git a/sys/pki/ca.nix b/sys/pki/ca.nix
new file mode 100644
index 0000000..4e8f841
--- /dev/null
+++ b/sys/pki/ca.nix
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+ cfg = config.local.pki.ca;
+in
+{
+ options.local.pki.ca = mkOption {
+ readOnly = true;
+
+ type = with lib.types; attrsOf (submodule ({ config, name, ... }: {
+ options = {
+ cert = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ crl = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ fullchain = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ issuer = mkOption {
+ type = nullOr str;
+ readOnly = true;
+ };
+ };
+
+ config.fullchain = pkgs.writeText "${name}-fullchain-crl.pem"
+ (concatStrings (map readFile
+ ([ config.cert config.crl ] ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain)));
+ }));
+ };
+
+ config.local.pki.ca = {
+ mail = {
+ crl = ./public/mail-crl.pem;
+ cert = ./public/mail-ca.pem;
+ issuer = "root";
+ };
+
+ root = {
+ crl = ./public/root-crl.pem;
+ cert = ./public/root-ca.pem;
+ issuer = null;
+ };
+ };
+}
diff --git a/sys/pki/chains/default.nix b/sys/pki/chains/default.nix
deleted file mode 100644
index 5bbde43..0000000
--- a/sys/pki/chains/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ lib, ... }:
-with lib; {
- options.local.pki.chains =
- let
- chainType = mkOption {
- type = types.path;
- readOnly = true;
- };
- in
- {
- mail-fullchain-crl = chainType;
- };
-
- config.local.pki.chains = {
- # Orden de concatenación de mail-fullchain-crl.crt:
- # - Issuing CA cert
- # - Issuing CA CRL
- # - Intermediate CA cert
- # - Intermediate CA CRL
- # - Root CA cert
- # - Root CA CRL
- mail-fullchain-crl = ./mail-fullchain-crl.crt;
- };
-}
diff --git a/sys/pki/chains/mail-fullchain-crl.crt b/sys/pki/chains/mail-fullchain-crl.crt
deleted file mode 100644
index 90f12c0..0000000
--- a/sys/pki/chains/mail-fullchain-crl.crt
+++ /dev/null
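Review bot: `config.fullchain` glues the PEM files together with `concatStrings (map readFile ...)`, so a cert or CRL file that lacks a trailing newline would fuse its `-----END` line with the next file's `-----BEGIN` line and the generated chain would no longer parse as PEM; `concatMapStringsSep "\n" readFile ([ config.cert config.crl ] ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain)` keeps each block on its own line regardless of how the source files were saved. The concatenation order (this CA's cert, its CRL, then the issuer's fullchain recursively up to the root) was documented in the deleted chains/default.nix comment and is now only implicit in the expression; a comment above `config.fullchain` such as `# cert, crl, then the issuer's fullchain (recursively to the root) — consumers depend on this order` would preserve it. It is also worth stating in that comment that the CRLs are baked into the store file at evaluation time, so a revocation only reaches the chain after ./public/*-crl.pem is updated and the system is rebuilt; that appears to be the intended model, but nothing in the module says so.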
@@ -1,130 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number:
- e6:3b:3b:e5:2a:74:f9:9c:b6:8f:75:c8:69:1b:45:04
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=34project.org root CA
- Validity
- Not Before: Feb 10 16:40:27 2023 GMT
- Not After : May 15 16:40:27 2025 GMT
- Subject: CN=34project.org mail CA
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:b2:ba:de:e3:b2:4f:9a:fd:13:ae:2c:ab:24:b1:
- 6a:f5:cc:82:d1:6e:cd:6c:23:50:98:23:f6:18:da:
- aa:cd:3a:90:1d:2a:7a:c3:ca:75:95:a6:3a:ee:bb:
- 6f:b3:9e:60:5a:e7:7a:cc:15:46:e2:3a:0f:10:6b:
- 12:11:ca:21:66:85:01:96:d3:97:c8:bf:af:4a:c1:
- 7b:81:ee:d4:74:fb:77:d1:99:e2:16:c1:bf:f8:df:
- 07:9a:56:05:10:5e:60:54:f8:b3:4d:ec:73:f6:4a:
- e0:a7:84:2a:da:9d:20:1f:8a:c8:db:82:06:3c:15:
- 75:6f:7b:d1:48:07:a9:63:af:a3:95:50:58:be:d7:
- 7e:68:a9:16:17:53:73:25:61:8e:2c:f8:0b:ac:e9:
- b0:a9:c7:2f:7a:a5:64:31:76:e3:92:a7:68:81:ae:
- f3:e6:c4:7a:2f:98:f7:e4:3f:6a:f2:98:1a:54:fc:
- 03:09:f7:88:3c:a2:cb:ed:f8:bc:cb:69:f5:19:62:
- 34:d8:a1:72:9e:0e:db:2b:7c:23:95:4d:70:2e:c7:
- 5a:6f:90:46:45:44:69:c9:3e:b9:60:76:cb:b2:fd:
- 3e:d9:3f:82:47:2a:4e:5f:e9:69:d9:65:a9:7e:18:
- 83:3e:b5:bc:fb:ce:4e:6a:3a:4d:1b:d7:9c:7a:02:
- fe:23
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:TRUE
- X509v3 Subject Key Identifier:
- 25:09:32:4B:06:AD:34:A1:3A:F0:FA:97:E3:A4:DE:F9:C2:E0:26:BA
- X509v3 Authority Key Identifier:
- keyid:BA:7A:D0:D7:F3:F6:A1:29:27:7C:6F:E0:95:3F:3D:F8:73:8A:51:BE
- DirName:/CN=34project.org root CA
- serial:03:C0:A5:81:CF:66:7D:BC:59:92:2D:FB:B9:C5:9C:59:C0:FB:34:ED
- X509v3 Key Usage:
- Certificate Sign, CRL Sign
- Signature Algorithm: sha256WithRSAEncryption
- Signature Value:
- 93:fa:59:c2:a2:22:ed:cc:96:d8:32:36:ed:3a:b9:25:36:d4:
- ed:ba:99:1b:aa:d0:dc:07:7a:3c:0e:97:68:77:5a:97:d1:5d:
- f3:7d:88:65:8a:b6:1f:b1:18:ce:c2:49:85:68:a9:9b:f3:67:
- 21:71:bf:f8:1e:4a:44:35:ed:68:15:93:ea:ab:c8:00:3b:82:
- 31:a1:c1:59:71:71:04:25:ec:c5:4d:98:4a:ba:32:28:7d:14:
- 36:c3:d3:d0:84:48:86:13:f7:67:0d:90:dd:a8:52:1d:2d:a1:
- 1c:07:20:56:7d:05:9b:ec:8f:30:48:c3:a0:14:5d:93:5e:b3:
- 73:12:5d:89:41:74:84:8c:7f:66:d0:ff:41:36:d5:94:10:bd:
- ad:0e:ca:79:52:f0:ca:81:a2:3b:84:ea:f4:0f:af:0a:95:13:
- 22:4f:83:8b:18:4e:33:9d:ec:d3:fb:aa:d9:77:e2:48:5d:1e:
- 07:fe:c5:41:4d:b2:41:9f:95:76:60:82:ff:6e:68:d7:ba:88:
- b3:5f:e2:e6:fc:db:40:82:3f:fe:0b:d9:0b:e5:d8:d4:24:60:
- 99:7d:3c:4d:3c:af:71:d3:5b:32:c9:0e:70:77:c1:fa:d9:d3:
- 7f:45:0a:d4:da:a2:b1:9d:7a:1e:ca:2e:74:f3:9c:1f:ae:22:
- 60:5c:04:26
------BEGIN CERTIFICATE-----
-MIIDZjCCAk6gAwIBAgIRAOY7O+UqdPmcto91yGkbRQQwDQYJKoZIhvcNAQELBQAw
-IDEeMBwGA1UEAwwVMzRwcm9qZWN0Lm9yZyByb290IENBMB4XDTIzMDIxMDE2NDAy
-N1oXDTI1MDUxNTE2NDAyN1owIDEeMBwGA1UEAwwVMzRwcm9qZWN0Lm9yZyBtYWls
-IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsrre47JPmv0Triyr
-JLFq9cyC0W7NbCNQmCP2GNqqzTqQHSp6w8p1laY67rtvs55gWud6zBVG4joPEGsS
-EcohZoUBltOXyL+vSsF7ge7UdPt30ZniFsG/+N8HmlYFEF5gVPizTexz9krgp4Qq
-2p0gH4rI24IGPBV1b3vRSAepY6+jlVBYvtd+aKkWF1NzJWGOLPgLrOmwqccveqVk
-MXbjkqdoga7z5sR6L5j35D9q8pgaVPwDCfeIPKLL7fi8y2n1GWI02KFyng7bK3wj
-lU1wLsdab5BGRURpyT65YHbLsv0+2T+CRypOX+lp2WWpfhiDPrW8+85OajpNG9ec
-egL+IwIDAQABo4GaMIGXMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFCUJMksGrTSh
-OvD6l+Ok3vnC4Ca6MFsGA1UdIwRUMFKAFLp60Nfz9qEpJ3xv4JU/PfhzilG+oSSk
-IjAgMR4wHAYDVQQDDBUzNHByb2plY3Qub3JnIHJvb3QgQ0GCFAPApYHPZn28WZIt
-+7nFnFnA+zTtMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAk/pZwqIi
-7cyW2DI27Tq5JTbU7bqZG6rQ3Ad6PA6XaHdal9Fd832IZYq2H7EYzsJJhWipm/Nn
-IXG/+B5KRDXtaBWT6qvIADuCMaHBWXFxBCXsxU2YSroyKH0UNsPT0IRIhhP3Zw2Q
-3ahSHS2hHAcgVn0Fm+yPMEjDoBRdk16zcxJdiUF0hIx/ZtD/QTbVlBC9rQ7KeVLw
-yoGiO4Tq9A+vCpUTIk+DixhOM53s0/uq2XfiSF0eB/7FQU2yQZ+VdmCC/25o17qI
-s1/i5vzbQII//gvZC+XY1CRgmX08TTyvcdNbMskOcHfB+tnTf0UK1NqisZ16Hsou
-dPOcH64iYFwEJg==
------END CERTIFICATE-----
------BEGIN X509 CRL-----
-MIICNTCCAR0CAQEwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UEAwwVMzRwcm9qZWN0
-Lm9yZyBtYWlsIENBFw0yNDAyMTIwMDE0MjZaFw0yNDA4MTAwMDE0MjZaMGswIQIQ
-YQYMnNsJmU16Nod0NqOe2hcNMjQwMjExMjM1MTE2WjAiAhEAx7M3iEcU0r0A3Fko
-x+HCgBcNMjQwMjEyMDAxNDE2WjAiAhEA7wV44s24HKZ+FzGA+zEO4BcNMjQwMjEx
-MjM0NDM1WqBcMFowWAYDVR0jBFEwT4AUJQkySwatNKE68PqX46Te+cLgJrqhJKQi
-MCAxHjAcBgNVBAMMFTM0cHJvamVjdC5vcmcgcm9vdCBDQYIRAOY7O+UqdPmcto91
-yGkbRQQwDQYJKoZIhvcNAQELBQADggEBAAgWrSFwIAqjdP3ENQI4mO6RilmxYcju
-1nZ5DDIUVrvAyjhtHYmyBxEfdW2gcUkcRsF/bQmoAMp+S6gVE9qR7R1M8GIufcBO
-v45wDosr3hMYzGdUj9yUrzaCqeOjPpiuA33yGl6mBDgadZ0TInp1w9odI5nf+MfG
-d7Xjhh4ULC46chvHjSiUqbUWuGQBjpTLPonmcmOka9cK6VXYrisjaEIOS9bWu2BM
-WK2hP9MM9QWaqD/rcdFns+BX191q84JSRzg1f522MNxZYv6h0Xdw2zpFJ6z/fi3Q
-/MI7FlGoDawwh6JMDjqvlL7EUJm/Zg/S9nz4r1k3mR87VdP0125VlXo=
------END X509 CRL-----
------BEGIN CERTIFICATE-----
-MIIDaTCCAlGgAwIBAgIUA8Clgc9mfbxZki37ucWcWcD7NO0wDQYJKoZIhvcNAQEL
-BQAwIDEeMBwGA1UEAwwVMzRwcm9qZWN0Lm9yZyByb290IENBMB4XDTIzMDIxMDE2
-MjYyM1oXDTMzMDIwNzE2MjYyM1owIDEeMBwGA1UEAwwVMzRwcm9qZWN0Lm9yZyBy
-b290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApmERwjvZr/4i
-cy2DY2O11gmjfHqumpKOpSAiP2+MWHniXFxCI6EualHJ5EhMDCuukibeBBWRCCbE
-MZnkVsIxEM9TrpIr1AGODohqPyNjfQX+dBP2pChI79TGaQsPSL6NQltZbO5tYMjO
-0k2JcwvVy7yhtpWf9HTNV+VdeIW2/WGtqN3OQwgBeILHAp2cP2SaGV5Op587QY91
-jwSDYUpF29XeBc5Qw7zxLm4v4junL9IbdhXpoy+XaN2tfpUJdMLLGYjddWNhlBZf
-+SsrVw2bm0KzpYnTet7di82YcpBjLBWWTlUwpg+t57hiFYMYPkZbe4SEL5oipnkD
-lhIkFlFoWwIDAQABo4GaMIGXMB0GA1UdDgQWBBS6etDX8/ahKSd8b+CVPz34c4pR
-vjBbBgNVHSMEVDBSgBS6etDX8/ahKSd8b+CVPz34c4pRvqEkpCIwIDEeMBwGA1UE
-AwwVMzRwcm9qZWN0Lm9yZyByb290IENBghQDwKWBz2Z9vFmSLfu5xZxZwPs07TAM
-BgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAh725
-BU8/KqppUThpnSdQSldDT4I5whYymfxmJ1OqktvMoLl/AZUWh4VN2j/XlOd+3M4f
-1lbDz7Q1mfgING7Pz97A9ldm23RQCPk44xRhGq+W9r6VGa+Xa4vwgPG+4UP2CoaS
-U6egqfakHyePMFYd2XOEq5Eub8g5HAHX/p9p+cYEjMRM1xd2bOgclwlCLYnQQvby
-oZCpcZ4gFSdiAv6f8oOc0cLAK/385HtIr3BSe/7oCN6YkQ/K1p6odLO0KLuy0PQG
-TRFEif3cGLCsr73N+VJJ6Y4oUf/ZDJpQeLn8gWst0GLMSIcE7c6szeVMhwZvlnLX
-kLd9i8BdMNHiIsYdWw==
------END CERTIFICATE-----
------BEGIN X509 CRL-----
-MIIByjCBswIBATANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDDBUzNHByb2plY3Qu
-b3JnIHJvb3QgQ0EXDTI0MDIxMjAwMTUwNVoXDTI0MDgxMDAwMTUwNVqgXzBdMFsG
-A1UdIwRUMFKAFLp60Nfz9qEpJ3xv4JU/PfhzilG+oSSkIjAgMR4wHAYDVQQDDBUz
-NHByb2plY3Qub3JnIHJvb3QgQ0GCFAPApYHPZn28WZIt+7nFnFnA+zTtMA0GCSqG
-SIb3DQEBCwUAA4IBAQAe0ta/QVGw1oqXzUEA6D1h7ATYvl0rieOKTxc2U84OrzHH
-qUdszri+vsJReTbvwE9o4YIpS1WgU00EXrCkY4TvtvRDJID4lTkSDfw4tv590mfQ
-hNW27WW9hg/ucZXZQ7Tj9yzNI3S9/0o770PRf2AHaYRhsn8FoqA8BkgNK7u4XU6q
-EtfGZpEzRGNhsj2fBCeGUVS5n78x+r9rtATF+7xXcMWj2bxvYqMRXvjkefFgHdYo
-L0jVdD7o4KWYF0NSlsL9ZoeN1AJIDhc8mFhaXkxz8wbIXNaV3wmsG83zcOFIYg3K
-XTbwbhNVBRfq+HmpMO4qFh/Ns4vAKUufOW805L8s
------END X509 CRL-----
diff --git a/sys/pki/default.nix b/sys/pki/default.nix
index 25f9f33..cca5964 100644
--- a/sys/pki/default.nix
+++ b/sys/pki/default.nix
@@ -1,5 +1,5 @@
 {
 imports = [
- ./chains
+ ./ca.nix
 ];
 }
diff --git a/sys/pki/public/README.md b/sys/pki/public/README.md
new file mode 100644
index 0000000..37073ba
--- /dev/null
+++ b/sys/pki/public/README.md
@@ -0,0 +1 @@
+# This directory has been lustrated.
|
