Diffstat (limited to '')
-rw-r--r--sys/default.nix1
-rw-r--r--sys/mail/default.nix9
-rw-r--r--sys/pki/chains/default.nix24
-rw-r--r--sys/pki/chains/mail-fullchain-crl.crt130
-rw-r--r--sys/pki/default.nix5
5 files changed, 161 insertions, 8 deletions
diff --git a/sys/default.nix b/sys/default.nix
index 41eb882..7e06bb4 100644
--- a/sys/default.nix
+++ b/sys/default.nix
@@ -19,6 +19,7 @@ with lib; {
./mta
./net
./nspawn
+ ./pki
./preset
./seat
./virt
diff --git a/sys/mail/default.nix b/sys/mail/default.nix
index 5b7e4b5..71678e3 100644
--- a/sys/mail/default.nix
+++ b/sys/mail/default.nix
@@ -106,14 +106,7 @@ in
#TODO: automatizar implantación de archivo de CA
- # Orden de concatenación de mail-fullchain-crl.crt:
- # - Issuing CA cert
- # - Issuing CA CRL
- # - Intermediate CA cert
- # - Intermediate CA CRL
- # - Root CA cert
- # - Root CA CRL
- ssl_ca = </var/trust/ca/mail-fullchain-crl.crt
+ ssl_ca = <${config.local.ca.chains.mail-fullchain-crl}
ssl_require_crl = yes
ssl_verify_client_cert = yes
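Review bot: The new `ssl_ca` line reads `config.local.ca.chains.mail-fullchain-crl`, but the option this commit declares in sys/pki/chains/default.nix is `local.pki.chains.mail-fullchain-crl`; unless a `local.ca` option exists elsewhere in the tree, evaluation will fail on a missing attribute. The line should probably be `ssl_ca = <${config.local.pki.chains.mail-fullchain-crl}`. The `#TODO` above it about automating deployment of the CA file looks at least partly addressed by this change and could be reworded to say what remains. The enclosing configuration block starts and ends outside the hunk.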
diff --git a/sys/pki/chains/default.nix b/sys/pki/chains/default.nix
new file mode 100644
index 0000000..5bbde43
--- /dev/null
+++ b/sys/pki/chains/default.nix
@@ -0,0 +1,24 @@
+{ lib, ... }:
+with lib; {
+ options.local.pki.chains =
+ let
+ chainType = mkOption {
+ type = types.path;
+ readOnly = true;
+ };
+ in
+ {
+ mail-fullchain-crl = chainType;
+ };
+
+ config.local.pki.chains = {
+ # Orden de concatenación de mail-fullchain-crl.crt:
+ # - Issuing CA cert
+ # - Issuing CA CRL
+ # - Intermediate CA cert
+ # - Intermediate CA CRL
+ # - Root CA cert
+ # - Root CA CRL
+ mail-fullchain-crl = ./mail-fullchain-crl.crt;
+ };
+}
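Review bot: The CRLs in the bundle behind `mail-fullchain-crl` are now fixed at build time, while the mail config keeps `ssl_require_crl = yes`. A revocation, or a CRL passing its next-update time, therefore only takes effect after the file is regenerated and the system redeployed, and nothing here documents that. I would add a comment such as `# CRLs are static: regenerate and redeploy before nextUpdate and after every revocation`, and give `chainType` a `description`. The ordering comment lists six parts including an intermediate CA, whereas the committed bundle appears to hold only two certificates and two CRLs, so the two should be reconciled. The mail CA certificate in the bundle shows `Not After : May 15 16:40:27 2025 GMT`, so the same procedure should cover its renewal.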
diff --git a/sys/pki/chains/mail-fullchain-crl.crt b/sys/pki/chains/mail-fullchain-crl.crt
new file mode 100644
index 0000000..90f12c0
--- /dev/null
+++ b/sys/pki/chains/mail-fullchain-crl.crt
@@ -0,0 +1,130 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ e6:3b:3b:e5:2a:74:f9:9c:b6:8f:75:c8:69:1b:45:04
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=34project.org root CA
+ Validity
+ Not Before: Feb 10 16:40:27 2023 GMT
+ Not After : May 15 16:40:27 2025 GMT
+ Subject: CN=34project.org mail CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:b2:ba:de:e3:b2:4f:9a:fd:13:ae:2c:ab:24:b1:
+ 6a:f5:cc:82:d1:6e:cd:6c:23:50:98:23:f6:18:da:
+ aa:cd:3a:90:1d:2a:7a:c3:ca:75:95:a6:3a:ee:bb:
+ 6f:b3:9e:60:5a:e7:7a:cc:15:46:e2:3a:0f:10:6b:
+ 12:11:ca:21:66:85:01:96:d3:97:c8:bf:af:4a:c1:
+ 7b:81:ee:d4:74:fb:77:d1:99:e2:16:c1:bf:f8:df:
+ 07:9a:56:05:10:5e:60:54:f8:b3:4d:ec:73:f6:4a:
+ e0:a7:84:2a:da:9d:20:1f:8a:c8:db:82:06:3c:15:
+ 75:6f:7b:d1:48:07:a9:63:af:a3:95:50:58:be:d7:
+ 7e:68:a9:16:17:53:73:25:61:8e:2c:f8:0b:ac:e9:
+ b0:a9:c7:2f:7a:a5:64:31:76:e3:92:a7:68:81:ae:
+ f3:e6:c4:7a:2f:98:f7:e4:3f:6a:f2:98:1a:54:fc:
+ 03:09:f7:88:3c:a2:cb:ed:f8:bc:cb:69:f5:19:62:
+ 34:d8:a1:72:9e:0e:db:2b:7c:23:95:4d:70:2e:c7:
+ 5a:6f:90:46:45:44:69:c9:3e:b9:60:76:cb:b2:fd:
+ 3e:d9:3f:82:47:2a:4e:5f:e9:69:d9:65:a9:7e:18:
+ 83:3e:b5:bc:fb:ce:4e:6a:3a:4d:1b:d7:9c:7a:02:
+ fe:23
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 25:09:32:4B:06:AD:34:A1:3A:F0:FA:97:E3:A4:DE:F9:C2:E0:26:BA
+ X509v3 Authority Key Identifier:
+ keyid:BA:7A:D0:D7:F3:F6:A1:29:27:7C:6F:E0:95:3F:3D:F8:73:8A:51:BE
+ DirName:/CN=34project.org root CA
+ serial:03:C0:A5:81:CF:66:7D:BC:59:92:2D:FB:B9:C5:9C:59:C0:FB:34:ED
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha256WithRSAEncryption
+ Signature Value:
+ 93:fa:59:c2:a2:22:ed:cc:96:d8:32:36:ed:3a:b9:25:36:d4:
+ ed:ba:99:1b:aa:d0:dc:07:7a:3c:0e:97:68:77:5a:97:d1:5d:
+ f3:7d:88:65:8a:b6:1f:b1:18:ce:c2:49:85:68:a9:9b:f3:67:
+ 21:71:bf:f8:1e:4a:44:35:ed:68:15:93:ea:ab:c8:00:3b:82:
+ 31:a1:c1:59:71:71:04:25:ec:c5:4d:98:4a:ba:32:28:7d:14:
+ 36:c3:d3:d0:84:48:86:13:f7:67:0d:90:dd:a8:52:1d:2d:a1:
+ 1c:07:20:56:7d:05:9b:ec:8f:30:48:c3:a0:14:5d:93:5e:b3:
+ 73:12:5d:89:41:74:84:8c:7f:66:d0:ff:41:36:d5:94:10:bd:
+ ad:0e:ca:79:52:f0:ca:81:a2:3b:84:ea:f4:0f:af:0a:95:13:
+ 22:4f:83:8b:18:4e:33:9d:ec:d3:fb:aa:d9:77:e2:48:5d:1e:
+ 07:fe:c5:41:4d:b2:41:9f:95:76:60:82:ff:6e:68:d7:ba:88:
+ b3:5f:e2:e6:fc:db:40:82:3f:fe:0b:d9:0b:e5:d8:d4:24:60:
+ 99:7d:3c:4d:3c:af:71:d3:5b:32:c9:0e:70:77:c1:fa:d9:d3:
+ 7f:45:0a:d4:da:a2:b1:9d:7a:1e:ca:2e:74:f3:9c:1f:ae:22:
+ 60:5c:04:26
+-----BEGIN CERTIFICATE-----
+MIIDZjCCAk6gAwIBAgIRAOY7O+UqdPmcto91yGkbRQQwDQYJKoZIhvcNAQELBQAw
+IDEeMBwGA1UEAwwVMzRwcm9qZWN0Lm9yZyByb290IENBMB4XDTIzMDIxMDE2NDAy
+N1oXDTI1MDUxNTE2NDAyN1owIDEeMBwGA1UEAwwVMzRwcm9qZWN0Lm9yZyBtYWls
+IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsrre47JPmv0Triyr
+JLFq9cyC0W7NbCNQmCP2GNqqzTqQHSp6w8p1laY67rtvs55gWud6zBVG4joPEGsS
+EcohZoUBltOXyL+vSsF7ge7UdPt30ZniFsG/+N8HmlYFEF5gVPizTexz9krgp4Qq
+2p0gH4rI24IGPBV1b3vRSAepY6+jlVBYvtd+aKkWF1NzJWGOLPgLrOmwqccveqVk
+MXbjkqdoga7z5sR6L5j35D9q8pgaVPwDCfeIPKLL7fi8y2n1GWI02KFyng7bK3wj
+lU1wLsdab5BGRURpyT65YHbLsv0+2T+CRypOX+lp2WWpfhiDPrW8+85OajpNG9ec
+egL+IwIDAQABo4GaMIGXMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFCUJMksGrTSh
+OvD6l+Ok3vnC4Ca6MFsGA1UdIwRUMFKAFLp60Nfz9qEpJ3xv4JU/PfhzilG+oSSk
+IjAgMR4wHAYDVQQDDBUzNHByb2plY3Qub3JnIHJvb3QgQ0GCFAPApYHPZn28WZIt
++7nFnFnA+zTtMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAk/pZwqIi
+7cyW2DI27Tq5JTbU7bqZG6rQ3Ad6PA6XaHdal9Fd832IZYq2H7EYzsJJhWipm/Nn
+IXG/+B5KRDXtaBWT6qvIADuCMaHBWXFxBCXsxU2YSroyKH0UNsPT0IRIhhP3Zw2Q
+3ahSHS2hHAcgVn0Fm+yPMEjDoBRdk16zcxJdiUF0hIx/ZtD/QTbVlBC9rQ7KeVLw
+yoGiO4Tq9A+vCpUTIk+DixhOM53s0/uq2XfiSF0eB/7FQU2yQZ+VdmCC/25o17qI
+s1/i5vzbQII//gvZC+XY1CRgmX08TTyvcdNbMskOcHfB+tnTf0UK1NqisZ16Hsou
+dPOcH64iYFwEJg==
+-----END CERTIFICATE-----
+-----BEGIN X509 CRL-----
+MIICNTCCAR0CAQEwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UEAwwVMzRwcm9qZWN0
+Lm9yZyBtYWlsIENBFw0yNDAyMTIwMDE0MjZaFw0yNDA4MTAwMDE0MjZaMGswIQIQ
+YQYMnNsJmU16Nod0NqOe2hcNMjQwMjExMjM1MTE2WjAiAhEAx7M3iEcU0r0A3Fko
+x+HCgBcNMjQwMjEyMDAxNDE2WjAiAhEA7wV44s24HKZ+FzGA+zEO4BcNMjQwMjEx
+MjM0NDM1WqBcMFowWAYDVR0jBFEwT4AUJQkySwatNKE68PqX46Te+cLgJrqhJKQi
+MCAxHjAcBgNVBAMMFTM0cHJvamVjdC5vcmcgcm9vdCBDQYIRAOY7O+UqdPmcto91
+yGkbRQQwDQYJKoZIhvcNAQELBQADggEBAAgWrSFwIAqjdP3ENQI4mO6RilmxYcju
+1nZ5DDIUVrvAyjhtHYmyBxEfdW2gcUkcRsF/bQmoAMp+S6gVE9qR7R1M8GIufcBO
+v45wDosr3hMYzGdUj9yUrzaCqeOjPpiuA33yGl6mBDgadZ0TInp1w9odI5nf+MfG
+d7Xjhh4ULC46chvHjSiUqbUWuGQBjpTLPonmcmOka9cK6VXYrisjaEIOS9bWu2BM
+WK2hP9MM9QWaqD/rcdFns+BX191q84JSRzg1f522MNxZYv6h0Xdw2zpFJ6z/fi3Q
+/MI7FlGoDawwh6JMDjqvlL7EUJm/Zg/S9nz4r1k3mR87VdP0125VlXo=
+-----END X509 CRL-----
+-----BEGIN CERTIFICATE-----
+MIIDaTCCAlGgAwIBAgIUA8Clgc9mfbxZki37ucWcWcD7NO0wDQYJKoZIhvcNAQEL
+BQAwIDEeMBwGA1UEAwwVMzRwcm9qZWN0Lm9yZyByb290IENBMB4XDTIzMDIxMDE2
+MjYyM1oXDTMzMDIwNzE2MjYyM1owIDEeMBwGA1UEAwwVMzRwcm9qZWN0Lm9yZyBy
+b290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApmERwjvZr/4i
+cy2DY2O11gmjfHqumpKOpSAiP2+MWHniXFxCI6EualHJ5EhMDCuukibeBBWRCCbE
+MZnkVsIxEM9TrpIr1AGODohqPyNjfQX+dBP2pChI79TGaQsPSL6NQltZbO5tYMjO
+0k2JcwvVy7yhtpWf9HTNV+VdeIW2/WGtqN3OQwgBeILHAp2cP2SaGV5Op587QY91
+jwSDYUpF29XeBc5Qw7zxLm4v4junL9IbdhXpoy+XaN2tfpUJdMLLGYjddWNhlBZf
++SsrVw2bm0KzpYnTet7di82YcpBjLBWWTlUwpg+t57hiFYMYPkZbe4SEL5oipnkD
+lhIkFlFoWwIDAQABo4GaMIGXMB0GA1UdDgQWBBS6etDX8/ahKSd8b+CVPz34c4pR
+vjBbBgNVHSMEVDBSgBS6etDX8/ahKSd8b+CVPz34c4pRvqEkpCIwIDEeMBwGA1UE
+AwwVMzRwcm9qZWN0Lm9yZyByb290IENBghQDwKWBz2Z9vFmSLfu5xZxZwPs07TAM
+BgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAh725
+BU8/KqppUThpnSdQSldDT4I5whYymfxmJ1OqktvMoLl/AZUWh4VN2j/XlOd+3M4f
+1lbDz7Q1mfgING7Pz97A9ldm23RQCPk44xRhGq+W9r6VGa+Xa4vwgPG+4UP2CoaS
+U6egqfakHyePMFYd2XOEq5Eub8g5HAHX/p9p+cYEjMRM1xd2bOgclwlCLYnQQvby
+oZCpcZ4gFSdiAv6f8oOc0cLAK/385HtIr3BSe/7oCN6YkQ/K1p6odLO0KLuy0PQG
+TRFEif3cGLCsr73N+VJJ6Y4oUf/ZDJpQeLn8gWst0GLMSIcE7c6szeVMhwZvlnLX
+kLd9i8BdMNHiIsYdWw==
+-----END CERTIFICATE-----
+-----BEGIN X509 CRL-----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+-----END X509 CRL-----
diff --git a/sys/pki/default.nix b/sys/pki/default.nix
new file mode 100644
index 0000000..25f9f33
--- /dev/null
+++ b/sys/pki/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./chains
+ ];
+}