Diffstat (limited to 'sys/jobs/pki-expiry/default.nix')
-rw-r--r--sys/jobs/pki-expiry/default.nix59
1 files changed, 59 insertions, 0 deletions
diff --git a/sys/jobs/pki-expiry/default.nix b/sys/jobs/pki-expiry/default.nix
new file mode 100644
index 0000000..b61d6f5
--- /dev/null
+++ b/sys/jobs/pki-expiry/default.nix
@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+ cfg = config.local.jobs.pkiExpiry;
+ inherit (config.local) pki;
+in
+{
+ options.local.jobs.pkiExpiry = {
+ enable = mkEnableOption "PKI expiration reminder";
+ };
+
+ config = mkIf cfg.enable {
+ systemd = {
+ services.pki-expiry = {
+ after = [ "postfix.service" ];
+ path = [ "/run/wrappers" ];
+
+ environment.PKI_PUBLIC =
+ let
+ mkdir = "mkdir -p $out/{ca,cert,crl}";
+
+ cas = mapAttrsToList (_: ca: "ln -s ${ca.cert} $out/ca/${ca.path}") pki.ca;
+ crls = mapAttrsToList (_: ca: "ln -s ${ca.crl} $out/crl/${ca.path}") pki.ca;
+
+ certs = mapAttrsToList
+ (path: leaf: "ln -s ${leaf.cert} $out/cert/${path}")
+ (filterAttrs (_: object: ! object ? leaves) pki.byPath);
+
+ pkiPublic = pkgs.runCommandNoCCLocal "pki-public" { } (concatLines ([ mkdir ] ++ cas ++ crls ++ certs));
+ in
+ "${pkiPublic}";
+
+ serviceConfig = {
+ Type = "oneshot";
+ StateDirectory = "pki-expiry";
+ WorkingDirectory = "/var/lib/pki-expiry";
+
+ ExecStart =
+ let
+ script = pkgs.writeShellApplication {
+ name = "pki-expiry";
+ text = readFile ./pki-expiry.sh;
+ runtimeInputs = with pkgs; [ diffutils openssl ];
+ };
+ in
+ "${getExe script}";
+ };
+ };
+
+ timers.pki-expiry = {
+ wantedBy = [ "timers.target" ];
+
+ timerConfig = {
+ OnStartupSec = "10m";
+ OnUnitInactiveSec = "3d";
+ };
+ };
+ };
+ };
+}
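Review bot: The `serviceConfig` of `services.pki-expiry` carries no sandboxing, so the oneshot runs with the default (root) identity and a fully writable filesystem, although the only mutable state it declares is `StateDirectory = "pki-expiry"`. I would add `ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true;` beside `StateDirectory`, which stays writable under `ProtectSystem=strict`. `path = [ "/run/wrappers" ]` presumably exists for a setuid sendmail wrapper (the unit is ordered after `postfix.service`), so `NoNewPrivileges`, and `DynamicUser` which implies it, would break the mail step and should be left off; a comment on that line such as `# /run/wrappers: setuid sendmail for the reminder mail` would record why it is on PATH. The consumer of `PKI_PUBLIC` and the mail step live in `./pki-expiry.sh`, which is outside this diff, so the symlink layout built in `pkiPublic` (`ca/`, `crl/`, `cert/` keyed by `ca.path` and `pki.byPath`) cannot be checked against the script here and deserves a short comment stating that contract.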