Diffstat (limited to '')
| -rw-r--r-- | pki/by-path.nix | 17 | ||||
| -rw-r--r-- | pki/ca.nix | 192 |
2 files changed, 117 insertions, 92 deletions
diff --git a/pki/by-path.nix b/pki/by-path.nix index baca142..ebc46ef 100644 --- a/pki/by-path.nix +++ b/pki/by-path.nix @@ -1,15 +1,18 @@ -{ config, lib, ... }: +{ + config, + lib, + ... +}: with lib; { options.local.pki.byPath = mkOption { type = with lib.types; attrsOf unspecified; readOnly = true; }; - config.local.pki.byPath = - let - caWithLeaves = ca: - singleton { "${ca.path}" = ca; } - ++ map (leaf: { "${leaf.path}" = leaf; }) (attrValues ca.leaves); - in + config.local.pki.byPath = let + caWithLeaves = ca: + singleton {"${ca.path}" = ca;} + ++ map (leaf: {"${leaf.path}" = leaf;}) (attrValues ca.leaves); + in mergeAttrsList (flatten (map caWithLeaves (attrValues config.local.pki.ca))); } 
@@ -1,105 +1,127 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let cfg = config.local.pki.ca; openssl = getExe pkgs.buildPackages.openssl; - certsType = leafOf: with lib.types; attrsOf (submodule ({ config, name, ... }: { - options = { - cert = mkOption { - type = path; - readOnly = true; - }; + certsType = leafOf: + with lib.types; + attrsOf (submodule ({ + config, + name, + ... + }: { + options = + { + cert = mkOption { + type = path; + readOnly = true; + }; - fingerprint = { - sha1-lower = mkOption { - type = str; - readOnly = true; - }; + fingerprint = { + sha1-lower = mkOption { + type = str; + readOnly = true; + }; - sha256-bytes-upper = mkOption { - type = str; - readOnly = true; - }; - }; + sha256-bytes-upper = mkOption { + type = str; + readOnly = true; + }; + }; - fullchain = mkOption { - type = path; - readOnly = true; - }; + fullchain = mkOption { + type = path; + readOnly = true; + }; - issuer = mkOption { - type = nullOr str; - readOnly = true; - }; + issuer = mkOption { + type = nullOr str; + readOnly = true; + }; - path = mkOption { - type = str; - readOnly = true; - }; - } // optionalAttrs (leafOf != null) { - commonName = mkOption { - type = str; - readOnly = true; - }; - } // optionalAttrs (leafOf == null) { - crl = mkOption { - type = path; - readOnly = true; - }; + path = mkOption { + type = str; + readOnly = true; + }; + } + // optionalAttrs (leafOf != null) { + commonName = mkOption { + type = str; + readOnly = true; + }; + } + // optionalAttrs (leafOf == null) { + crl = mkOption { + type = path; + readOnly = true; + }; - certWithCrl = mkOption { - type = path; - readOnly = true; - }; + certWithCrl = mkOption { + type = path; + readOnly = true; + }; - leaves = mkOption { - type = certsType name; - readOnly = true; - }; - }; + leaves = mkOption { + type = certsType name; + readOnly = true; + }; + }; - config = { - fingerprint = { - sha1-lower = readFile (pkgs.runCommandNoCCLocal 
"cert-${config.path}-fprint-sha1-lower" { } '' - ${openssl} x509 -in ${config.cert} -noout -sha1 -fingerprint \ - | sed 's/^.*=//' \ - | tr -d $':\n' \ - | tr '[A-Z]' '[a-z]' \ - >>$out - ''); + config = + { + fingerprint = { + sha1-lower = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha1-lower" {} '' + ${openssl} x509 -in ${config.cert} -noout -sha1 -fingerprint \ + | sed 's/^.*=//' \ + | tr -d $':\n' \ + | tr '[A-Z]' '[a-z]' \ + >>$out + ''); - sha256-bytes-upper = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256-bytes-upper" { } '' - ${openssl} x509 -in ${config.cert} -noout -sha256 -fingerprint \ - | sed 's/^.*=//' \ - | tr -d $'\n' \ - >>$out - ''); - }; + sha256-bytes-upper = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256-bytes-upper" {} '' + ${openssl} x509 -in ${config.cert} -noout -sha256 -fingerprint \ + | sed 's/^.*=//' \ + | tr -d $'\n' \ + >>$out + ''); + }; - fullchain = pkgs.writeText "${name}-fullchain-crl.pem" - (concatStrings (map readFile - (singleton (if leafOf != null then config.cert else config.certWithCrl) - ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain))); + fullchain = + pkgs.writeText "${name}-fullchain-crl.pem" + (concatStrings (map readFile + (singleton ( + if leafOf != null + then config.cert + else config.certWithCrl + ) + ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain))); - path = optionalString (config.issuer != null) (cfg.${config.issuer}.path + ".") + name; - } // optionalAttrs (leafOf != null) { - commonName = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-common-name" { } '' - ${openssl} x509 -in ${config.cert} -noout -subject -nameopt multiline \ - | grep commonName \ - | sed 's/^.*=\s*//' \ - | tr -d $'\n' \ - >$out - ''); + path = optionalString (config.issuer != null) (cfg.${config.issuer}.path + ".") + name; + } + // optionalAttrs (leafOf != null) { + commonName = readFile (pkgs.runCommandNoCCLocal 
"cert-${config.path}-common-name" {} '' + ${openssl} x509 -in ${config.cert} -noout -subject -nameopt multiline \ + | grep commonName \ + | sed 's/^.*=\s*//' \ + | tr -d $'\n' \ + >$out + ''); - issuer = leafOf; - } // optionalAttrs (leafOf == null) { - certWithCrl = pkgs.writeText "${name}-cert-crl.pem" - (concatStrings (map readFile [ config.cert config.crl ])); - }; - })); -in -{ + issuer = leafOf; + } + // optionalAttrs (leafOf == null) { + certWithCrl = + pkgs.writeText "${name}-cert-crl.pem" + (concatStrings (map readFile [config.cert config.crl])); + }; + })); +in { options.local.pki.ca = mkOption { type = certsType null; readOnly = true; |
