diff options
Diffstat (limited to 'pki')
| -rw-r--r-- | pki/by-path.nix | 15 | ||||
| -rw-r--r-- | pki/ca.nix | 90 | ||||
| -rw-r--r-- | pki/certs.nix | 1 | ||||
| -rw-r--r-- | pki/default.nix | 7 | ||||
| -rw-r--r-- | pki/public/README.md | 1 |
5 files changed, 114 insertions, 0 deletions
diff --git a/pki/by-path.nix b/pki/by-path.nix new file mode 100644 index 0000000..baca142 --- /dev/null +++ b/pki/by-path.nix @@ -0,0 +1,15 @@ +{ config, lib, ... }: +with lib; { + options.local.pki.byPath = mkOption { + type = with lib.types; attrsOf unspecified; + readOnly = true; + }; + + config.local.pki.byPath = + let + caWithLeaves = ca: + singleton { "${ca.path}" = ca; } + ++ map (leaf: { "${leaf.path}" = leaf; }) (attrValues ca.leaves); + in + mergeAttrsList (flatten (map caWithLeaves (attrValues config.local.pki.ca))); +} diff --git a/pki/ca.nix b/pki/ca.nix new file mode 100644 index 0000000..70640be --- /dev/null +++ b/pki/ca.nix @@ -0,0 +1,90 @@ +{ config, lib, pkgs, ... }: +with lib; let + cfg = config.local.pki.ca; + + inherit (pkgs.buildPackages) openssl; + + certsType = leafOf: with lib.types; attrsOf (submodule ({ config, name, ... }: { + options = { + cert = mkOption { + type = path; + readOnly = true; + }; + + fingerprint.sha256 = mkOption { + type = str; + readOnly = true; + }; + + fullchain = mkOption { + type = path; + readOnly = true; + }; + + issuer = mkOption { + type = nullOr str; + readOnly = true; + }; + + path = mkOption { + type = str; + readOnly = true; + }; + } // optionalAttrs (leafOf != null) { + commonName = mkOption { + type = str; + readOnly = true; + }; + } // optionalAttrs (leafOf == null) { + crl = mkOption { + type = path; + readOnly = true; + }; + + certWithCrl = mkOption { + type = path; + readOnly = true; + }; + + leaves = mkOption { + type = certsType name; + readOnly = true; + }; + }; + + config = { + fingerprint.sha256 = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } '' + ${openssl}/bin/openssl x509 -in ${config.cert} -noout -sha256 -fingerprint \ + | sed 's/^.*=//' \ + | tr -d $'\n' \ + >$out + ''); + + fullchain = pkgs.writeText "${name}-fullchain-crl.pem" + (concatStrings (map readFile + (singleton (if leafOf != null then config.cert else config.certWithCrl) + ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain))); + + path = optionalString (config.issuer != null) (cfg.${config.issuer}.path + ".") + name; + } // optionalAttrs (leafOf != null) { + commonName = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } '' + ${openssl}/bin/openssl x509 -in ${config.cert} -noout -subject -nameopt multiline \ + | grep commonName \ + | sed 's/^.*=\s*//' \ + | tr -d $'\n' \ + >$out + ''); + + issuer = leafOf; + } // optionalAttrs (leafOf == null) { + certWithCrl = pkgs.writeText "${name}-cert-crl.pem" + (concatStrings (map readFile [ config.cert config.crl ])); + }; + })); +in +{ + options.local.pki.ca = mkOption { + type = certsType null; + readOnly = true; + }; +} diff --git a/pki/certs.nix b/pki/certs.nix new file mode 100644 index 0000000..1bb3788 --- /dev/null +++ b/pki/certs.nix @@ -0,0 +1 @@ +# This file has been lustrated. diff --git a/pki/default.nix b/pki/default.nix new file mode 100644 index 0000000..30519af --- /dev/null +++ b/pki/default.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./ca.nix + ./certs.nix + ./by-path.nix + ]; +} diff --git a/pki/public/README.md b/pki/public/README.md new file mode 100644 index 0000000..37073ba --- /dev/null +++ b/pki/public/README.md @@ -0,0 +1 @@ +# This directory has been lustrated. |