Diffstat (limited to 'sys/pki')
-rw-r--r--sys/pki/by-path.nix15
-rw-r--r--sys/pki/ca.nix90
-rw-r--r--sys/pki/certs.nix31
-rw-r--r--sys/pki/default.nix7
-rw-r--r--sys/pki/public/README.md1
5 files changed, 0 insertions, 144 deletions
diff --git a/sys/pki/by-path.nix b/sys/pki/by-path.nix
deleted file mode 100644
index baca142..0000000
--- a/sys/pki/by-path.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, lib, ... }:
-with lib; {
- options.local.pki.byPath = mkOption {
- type = with lib.types; attrsOf unspecified;
- readOnly = true;
- };
-
- config.local.pki.byPath =
- let
- caWithLeaves = ca:
- singleton { "${ca.path}" = ca; }
- ++ map (leaf: { "${leaf.path}" = leaf; }) (attrValues ca.leaves);
- in
- mergeAttrsList (flatten (map caWithLeaves (attrValues config.local.pki.ca)));
-}
diff --git a/sys/pki/ca.nix b/sys/pki/ca.nix
deleted file mode 100644
index 70640be..0000000
--- a/sys/pki/ca.nix
+++ /dev/null
@@ -1,90 +0,0 @@
-{ config, lib, pkgs, ... }:
-with lib; let
- cfg = config.local.pki.ca;
-
- inherit (pkgs.buildPackages) openssl;
-
- certsType = leafOf: with lib.types; attrsOf (submodule ({ config, name, ... }: {
- options = {
- cert = mkOption {
- type = path;
- readOnly = true;
- };
-
- fingerprint.sha256 = mkOption {
- type = str;
- readOnly = true;
- };
-
- fullchain = mkOption {
- type = path;
- readOnly = true;
- };
-
- issuer = mkOption {
- type = nullOr str;
- readOnly = true;
- };
-
- path = mkOption {
- type = str;
- readOnly = true;
- };
- } // optionalAttrs (leafOf != null) {
- commonName = mkOption {
- type = str;
- readOnly = true;
- };
- } // optionalAttrs (leafOf == null) {
- crl = mkOption {
- type = path;
- readOnly = true;
- };
-
- certWithCrl = mkOption {
- type = path;
- readOnly = true;
- };
-
- leaves = mkOption {
- type = certsType name;
- readOnly = true;
- };
- };
-
- config = {
- fingerprint.sha256 = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
- ${openssl}/bin/openssl x509 -in ${config.cert} -noout -sha256 -fingerprint \
- | sed 's/^.*=//' \
- | tr -d $'\n' \
- >$out
- '');
-
- fullchain = pkgs.writeText "${name}-fullchain-crl.pem"
- (concatStrings (map readFile
- (singleton (if leafOf != null then config.cert else config.certWithCrl)
- ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain)));
-
- path = optionalString (config.issuer != null) (cfg.${config.issuer}.path + ".") + name;
- } // optionalAttrs (leafOf != null) {
- commonName = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
- ${openssl}/bin/openssl x509 -in ${config.cert} -noout -subject -nameopt multiline \
- | grep commonName \
- | sed 's/^.*=\s*//' \
- | tr -d $'\n' \
- >$out
- '');
-
- issuer = leafOf;
- } // optionalAttrs (leafOf == null) {
- certWithCrl = pkgs.writeText "${name}-cert-crl.pem"
- (concatStrings (map readFile [ config.cert config.crl ]));
- };
- }));
-in
-{
- options.local.pki.ca = mkOption {
- type = certsType null;
- readOnly = true;
- };
-}
diff --git a/sys/pki/certs.nix b/sys/pki/certs.nix
deleted file mode 100644
index c191fc5..0000000
--- a/sys/pki/certs.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- config.local.pki.ca = {
- home = {
- crl = ./public/home-crl.pem;
- cert = ./public/home-ca.pem;
- issuer = "root";
-
- leaves = {
- user-firefox.cert = ./public/home-user-firefox.pem;
- };
- };
-
- mail = {
- crl = ./public/mail-crl.pem;
- cert = ./public/mail-ca.pem;
- issuer = "root";
-
- leaves = {
- kiev.cert = ./public/mail-kiev.pem;
- larsa.cert = ./public/mail-larsa.pem;
- };
- };
-
- root = {
- crl = ./public/root-crl.pem;
- cert = ./public/root-ca.pem;
- issuer = null;
- leaves = { };
- };
- };
-}
diff --git a/sys/pki/default.nix b/sys/pki/default.nix
deleted file mode 100644
index 30519af..0000000
--- a/sys/pki/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- imports = [
- ./ca.nix
- ./certs.nix
- ./by-path.nix
- ];
-}
diff --git a/sys/pki/public/README.md b/sys/pki/public/README.md
deleted file mode 100644
index 37073ba..0000000
--- a/sys/pki/public/README.md
+++ /dev/null
@@ -1 +0,0 @@
-# This directory has been lustrated.