Diffstat (limited to 'sys/pki/ca.nix')
| -rw-r--r-- | sys/pki/ca.nix | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/sys/pki/ca.nix b/sys/pki/ca.nix
new file mode 100644
index 0000000..4e8f841
--- /dev/null
+++ b/sys/pki/ca.nix
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+ cfg = config.local.pki.ca;
+in
+{
+ options.local.pki.ca = mkOption {
+ readOnly = true;
+
+ type = with lib.types; attrsOf (submodule ({ config, name, ... }: {
+ options = {
+ cert = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ crl = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ fullchain = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ issuer = mkOption {
+ type = nullOr str;
+ readOnly = true;
+ };
+ };
+
+ config.fullchain = pkgs.writeText "${name}-fullchain-crl.pem"
+ (concatStrings (map readFile
+ ([ config.cert config.crl ] ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain)));
+ }));
+ };
+
+ config.local.pki.ca = {
+ mail = {
+ crl = ./public/mail-crl.pem;
+ cert = ./public/mail-ca.pem;
+ issuer = "root";
+ };
+
+ root = {
+ crl = ./public/root-crl.pem;
+ cert = ./public/root-ca.pem;
+ issuer = null;
+ };
+ };
+}
|
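Review bot: The `config.fullchain` derivation is undocumented, and what it produces is not an ordinary certificate chain: for each CA it emits the CA cert, then that CA's CRL, then the issuer's bundle recursively, so the `mail` bundle is `mail-ca, mail-crl, root-ca, root-crl` with CRL blocks interleaved between certificates. Consumers that expect a pure cert chain (or a separate CRL file) will not all tolerate that layout, and nothing here says which consumer the mixed `*-fullchain-crl.pem` format is meant for. The CRLs are also captured by `readFile` at evaluation time, so a revocation only becomes effective once the system is rebuilt with the new `./public/*-crl.pem`, which is worth stating next to the definition since the `readOnly` options make the output look like a static fact. I would add above `config.fullchain`: `# Bundle = this CA's cert, its CRL, then the issuer's bundle (recursively), so CRL blocks sit between the certificates; intended for consumers that read certs and CRLs from one PEM file.` and `# CRLs are snapshotted at evaluation time: a new CRL only takes effect after a rebuild.` A misspelt `issuer` surfaces only as a generic missing-attribute error from `cfg.${config.issuer}`, and a cyclic `issuer` chain recurses infinitely; a one-line comment noting that `issuer` must name another entry of `local.pki.ca` (with `null` for the root) would cover the former.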
