Diffstat (limited to 'pki')
| -rw-r--r-- | pki/by-path.nix | 18 | ||||
| -rw-r--r-- | pki/ca.nix | 129 | ||||
| -rw-r--r-- | pki/certs.nix | 1 | ||||
| -rw-r--r-- | pki/default.nix | 7 | ||||
| -rw-r--r-- | pki/public/README.md | 1 |
5 files changed, 156 insertions, 0 deletions
diff --git a/pki/by-path.nix b/pki/by-path.nix new file mode 100644 index 0000000..ebc46ef --- /dev/null +++ b/pki/by-path.nix @@ -0,0 +1,18 @@ +{ + config, + lib, + ... +}: +with lib; { + options.local.pki.byPath = mkOption { + type = with lib.types; attrsOf unspecified; + readOnly = true; + }; + + config.local.pki.byPath = let + caWithLeaves = ca: + singleton {"${ca.path}" = ca;} + ++ map (leaf: {"${leaf.path}" = leaf;}) (attrValues ca.leaves); + in + mergeAttrsList (flatten (map caWithLeaves (attrValues config.local.pki.ca))); +} diff --git a/pki/ca.nix b/pki/ca.nix new file mode 100644 index 0000000..c33bce4 --- /dev/null +++ b/pki/ca.nix 
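Review bot: Two certificates that end up with the same `path` shadow each other silently, because `mergeAttrsList` in `config.local.pki.byPath` is last-wins and nothing checks for duplicate keys. `path` is `issuer.path + "." + name`, so a top-level CA named `a.b` and a leaf `b` under a CA `a` produce the same key, and whichever comes later in `attrValues` order wins without any diagnostic. Since this attribute is the lookup table other modules will presumably use to pick a cert by path, a wrong pick here is a wrong cert deployed, so I would make the collision a hard evaluation error as sketched below. The `lib.types.attrsOf unspecified` type could also carry a `description` so the option shows up in generated docs.
```nix
config.local.pki.byPath = let
  caWithLeaves = ca:
    singleton {"${ca.path}" = ca;}
    ++ map (leaf: {"${leaf.path}" = leaf;}) (attrValues ca.leaves);
  entries = flatten (map caWithLeaves (attrValues config.local.pki.ca));
  # Paths claimed by more than one cert; mergeAttrsList would silently keep only the last.
  duplicates = attrNames (filterAttrs (_: vs: length vs > 1) (zipAttrsWith (_: vs: vs) entries));
in
  assert assertMsg (duplicates == [])
    "local.pki.byPath: duplicate cert paths: ${concatStringsSep ", " duplicates}";
  mergeAttrsList entries;
```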
@@ -0,0 +1,129 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.local.pki.ca; + + openssl = getExe pkgs.buildPackages.openssl; + + certsType = leafOf: + with lib.types; + attrsOf (submodule ({ + config, + name, + ... + }: { + options = + { + cert = mkOption { + type = path; + readOnly = true; + }; + + fingerprint = { + sha1-lower = mkOption { + type = str; + readOnly = true; + }; + + sha256-bytes-upper = mkOption { + type = str; + readOnly = true; + }; + }; + + fullchain = mkOption { + type = path; + readOnly = true; + }; + + issuer = mkOption { + type = nullOr str; + readOnly = true; + }; + + path = mkOption { + type = str; + readOnly = true; + }; + } + // optionalAttrs (leafOf != null) { + commonName = mkOption { + type = str; + readOnly = true; + }; + } + // optionalAttrs (leafOf == null) { + crl = mkOption { + type = path; + readOnly = true; + }; + + certWithCrl = mkOption { + type = path; + readOnly = true; + }; + + leaves = mkOption { + type = certsType name; + readOnly = true; + }; + }; + + config = + { + fingerprint = { + sha1-lower = readFile (pkgs.runCommandLocal "cert-${config.path}-fprint-sha1-lower" {} '' + ${openssl} x509 -in ${config.cert} -noout -sha1 -fingerprint \ + | sed 's/^.*=//' \ + | tr -d $':\n' \ + | tr '[A-Z]' '[a-z]' \ + >>$out + ''); + + sha256-bytes-upper = readFile (pkgs.runCommandLocal "cert-${config.path}-fprint-sha256-bytes-upper" {} '' + ${openssl} x509 -in ${config.cert} -noout -sha256 -fingerprint \ + | sed 's/^.*=//' \ + | tr -d $'\n' \ + >>$out + ''); + }; + + fullchain = + pkgs.writeText "${name}-fullchain-crl.pem" + (concatStrings (map readFile + (singleton ( + if leafOf != null + then config.cert + else config.certWithCrl + ) + ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain))); + + path = optionalString (config.issuer != null) (cfg.${config.issuer}.path + ".") + name; + } + // optionalAttrs (leafOf != null) { + commonName = readFile (pkgs.runCommandLocal 
"cert-${config.path}-common-name" {} ''
+ ${openssl} x509 -in ${config.cert} -noout -subject -nameopt multiline \
+ | grep commonName \
+ | sed 's/^.*=\s*//' \
+ | tr -d $'\n' \
+ >$out
+ '');
+
+ issuer = leafOf;
+ }
+ // optionalAttrs (leafOf == null) {
+ certWithCrl =
+ pkgs.writeText "${name}-cert-crl.pem"
+ (concatStrings (map readFile [config.cert config.crl]));
+ };
+ }));
+in {
+ options.local.pki.ca = mkOption {
+ type = certsType null;
+ readOnly = true;
+ };
+}
diff --git a/pki/certs.nix b/pki/certs.nix
new file mode 100644
index 0000000..1bb3788
--- /dev/null
+++ b/pki/certs.nix
@@ -0,0 +1 @@
+# This file has been lustrated.
diff --git a/pki/default.nix b/pki/default.nix
new file mode 100644
index 0000000..30519af
--- /dev/null
+++ b/pki/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./ca.nix
+ ./certs.nix
+ ./by-path.nix
+ ];
+}
diff --git a/pki/public/README.md b/pki/public/README.md
new file mode 100644
index 0000000..37073ba
--- /dev/null
+++ b/pki/public/README.md
@@ -0,0 +1 @@
+# This directory has been lustrated. |
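Review bot: Nothing verifies that a certificate was actually signed by the CA its `issuer` names: `fullchain` (built with `pkgs.writeText` in the submodule's `config` block) just concatenates `config.cert` with `cfg.${config.issuer}.fullchain`, so a mis-declared issuer yields a bundle that looks complete at build time and only fails path validation once a client sees it. The fingerprint and `commonName` attributes already shell out to `openssl` inside `runCommandLocal`, so the same mechanism can run `openssl verify -partial_chain` against the declared issuer's `cert` and fail the build on a mismatch, as sketched below; the result becomes a derivation output instead of a `writeText` path, which is still `path`-typed, though I have not checked the definitions in the lustrated `certs.nix`. Separately, the `commonName` extraction `sed 's/^.*=\s*//'` is greedy up to the last `=`, so a CN containing `=` is truncated and a subject with several CNs is concatenated by `tr -d $'\n'`; `sed -n 's/^[[:space:]]*commonName[[:space:]]*=[[:space:]]*//p' | head -n1` is safer on both counts. The options also carry no `description`, which a module of this shape normally has.
```nix
fullchain = let
  own =
    if leafOf != null
    then config.cert
    else config.certWithCrl;
  issuerChain = optional (config.issuer != null) cfg.${config.issuer}.fullchain;
in
  pkgs.runCommandLocal "${name}-fullchain-crl.pem" {} ''
    ${optionalString (config.issuer != null) ''
      # Fail the build if the declared issuer did not sign this certificate.
      ${openssl} verify -no_check_time -partial_chain \
        -CAfile ${cfg.${config.issuer}.cert} ${config.cert} >/dev/null
    ''}
    cat ${own} ${concatStringsSep " " issuerChain} >$out
  '';
# … unchanged: path, commonName, issuer, certWithCrl …
```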
