From bd30588eac90b498457c7e0b5687a33e7585425a Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Sun, 28 Jul 2024 13:23:37 -0600
Subject: pki: rename from sys/pki, import in home
---
 home/default.nix | 1 +
 pki/by-path.nix | 15 ++++++++
 pki/ca.nix | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
 pki/certs.nix | 1 +
 pki/default.nix | 7 ++++
 pki/public/README.md | 1 +
 sys/default.nix | 2 +-
 sys/pki/by-path.nix | 15 --------
 sys/pki/ca.nix | 90 ------------------------------------------------
 sys/pki/certs.nix | 31 -----------------
 sys/pki/default.nix | 7 ----
 sys/pki/public/README.md | 1 -
 12 files changed, 116 insertions(+), 145 deletions(-)
 create mode 100644 pki/by-path.nix
 create mode 100644 pki/ca.nix
 create mode 100644 pki/certs.nix
 create mode 100644 pki/default.nix
 create mode 100644 pki/public/README.md
 delete mode 100644 sys/pki/by-path.nix
 delete mode 100644 sys/pki/ca.nix
 delete mode 100644 sys/pki/certs.nix
 delete mode 100644 sys/pki/default.nix
 delete mode 100644 sys/pki/public/README.md
diff --git a/home/default.nix b/home/default.nix
index 9656e89..96d6b3f 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -1,6 +1,7 @@
 { lib, config, pkgs, ... }:
 with lib; {
 imports = [
+ ../pki
 ./desktop.nix
 ./environ.nix
 ./git.nix
diff --git a/pki/by-path.nix b/pki/by-path.nix
new file mode 100644
index 0000000..baca142
--- /dev/null
+++ b/pki/by-path.nix
@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+with lib; {
+ options.local.pki.byPath = mkOption {
+ type = with lib.types; attrsOf unspecified;
+ readOnly = true;
+ };
+
+ config.local.pki.byPath =
+ let
+ caWithLeaves = ca:
+ singleton { "${ca.path}" = ca; }
+ ++ map (leaf: { "${leaf.path}" = leaf; }) (attrValues ca.leaves);
+ in
+ mergeAttrsList (flatten (map caWithLeaves (attrValues config.local.pki.ca)));
+}
diff --git a/pki/ca.nix b/pki/ca.nix
new file mode 100644
index 0000000..70640be
--- /dev/null
+++ b/pki/ca.nix
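Review bot: The `mergeAttrsList` call that builds `config.local.pki.byPath` lets a later entry silently overwrite an earlier one, so if a CA and a leaf (or two leaves under different CAs) ever compute the same `path` string, one of them disappears from `byPath` with no evaluation error. Since `byPath` is the lookup table other modules will resolve certificates through, a key collision should fail loudly rather than pick an arbitrary winner; binding the flattened list first and guarding the merge does that in three lines: `entries = flatten (map caWithLeaves (attrValues config.local.pki.ca));` in the `let`, then `assert length entries == length (attrNames (mergeAttrsList entries));` before `mergeAttrsList entries;`. The option is also typed `attrsOf unspecified`, which gives up the per-certificate checking that `ca.nix` defines; if the intent is only to avoid re-declaring the submodule, a one-line comment on the `type` line saying so would help the next reader.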
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+ cfg = config.local.pki.ca;
+
+ inherit (pkgs.buildPackages) openssl;
+
+ certsType = leafOf: with lib.types; attrsOf (submodule ({ config, name, ... }: {
+ options = {
+ cert = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ fingerprint.sha256 = mkOption {
+ type = str;
+ readOnly = true;
+ };
+
+ fullchain = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ issuer = mkOption {
+ type = nullOr str;
+ readOnly = true;
+ };
+
+ path = mkOption {
+ type = str;
+ readOnly = true;
+ };
+ } // optionalAttrs (leafOf != null) {
+ commonName = mkOption {
+ type = str;
+ readOnly = true;
+ };
+ } // optionalAttrs (leafOf == null) {
+ crl = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ certWithCrl = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ leaves = mkOption {
+ type = certsType name;
+ readOnly = true;
+ };
+ };
+
+ config = {
+ fingerprint.sha256 = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
+ ${openssl}/bin/openssl x509 -in ${config.cert} -noout -sha256 -fingerprint \
+ | sed 's/^.*=//' \
+ | tr -d $'\n' \
+ >$out
+ '');
+
+ fullchain = pkgs.writeText "${name}-fullchain-crl.pem"
+ (concatStrings (map readFile
+ (singleton (if leafOf != null then config.cert else config.certWithCrl)
+ ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain)));
+
+ path = optionalString (config.issuer != null) (cfg.${config.issuer}.path + ".") + name;
+ } // optionalAttrs (leafOf != null) {
+ commonName = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
+ ${openssl}/bin/openssl x509 -in ${config.cert} -noout -subject -nameopt multiline \
+ | grep commonName \
+ | sed 's/^.*=\s*//' \
+ | tr -d $'\n' \
+ >$out
+ '');
+
+ issuer = leafOf;
+ } // optionalAttrs (leafOf == null) {
+ certWithCrl = pkgs.writeText "${name}-cert-crl.pem"
+ (concatStrings (map readFile [ config.cert config.crl ]));
+ };
+ }));
+in
+{
+ options.local.pki.ca = mkOption {
+ type = certsType null;
+ readOnly = true;
+ };
+}
diff --git a/pki/certs.nix b/pki/certs.nix
new file mode 100644
index 0000000..1bb3788
--- /dev/null
+++ b/pki/certs.nix
@@ -0,0 +1 @@
+# This file has been lustrated.
diff --git a/pki/default.nix b/pki/default.nix
new file mode 100644
index 0000000..30519af
--- /dev/null
+++ b/pki/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./ca.nix
+ ./certs.nix
+ ./by-path.nix
+ ];
+}
diff --git a/pki/public/README.md b/pki/public/README.md
new file mode 100644
index 0000000..37073ba
--- /dev/null
+++ b/pki/public/README.md
@@ -0,0 +1 @@
+# This directory has been lustrated.
diff --git a/sys/default.nix b/sys/default.nix
index 7e06bb4..59a8743 100644
--- a/sys/default.nix
+++ b/sys/default.nix
@@ -6,6 +6,7 @@ with lib; {
 flakes.lanzaboote.nixosModules.lanzaboote
 flakes.impermanence.nixosModule
 flakes.home-manager.nixosModules.home-manager
+ ../pki
 ./auth
 ./baseline
 ./boot
@@ -19,7 +20,6 @@ with lib; {
 ./mta
 ./net
 ./nspawn
- ./pki
 ./preset
 ./seat
 ./virt
diff --git a/sys/pki/by-path.nix b/sys/pki/by-path.nix
deleted file mode 100644
index baca142..0000000
--- a/sys/pki/by-path.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, lib, ... }:
-with lib; {
- options.local.pki.byPath = mkOption {
- type = with lib.types; attrsOf unspecified;
- readOnly = true;
- };
-
- config.local.pki.byPath =
- let
- caWithLeaves = ca:
- singleton { "${ca.path}" = ca; }
- ++ map (leaf: { "${leaf.path}" = leaf; }) (attrValues ca.leaves);
- in
- mergeAttrsList (flatten (map caWithLeaves (attrValues config.local.pki.ca)));
-}
diff --git a/sys/pki/ca.nix b/sys/pki/ca.nix
deleted file mode 100644
index 70640be..0000000
--- a/sys/pki/ca.nix
+++ /dev/null
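Review bot: The derivation that extracts `commonName` is named `"cert-${config.path}-fprint-sha256"`, copied from the fingerprint block above it; the name is only a label on the store path, but it makes the two `runCommandNoCCLocal` builds for one certificate indistinguishable in build logs and store listings, so it should read `commonName = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-common-name" { } ''`. Both `fingerprint.sha256` and `commonName` wrap a derivation in `readFile`, which forces those builds at evaluation time for every declared certificate (import-from-derivation); that looks deliberate, but a short comment at the `config = {` line stating that trade-off would save the next reader from treating it as an accident. The `cfg.${config.issuer}` lookups on the `fullchain` and `path` lines fail with a bare missing-attribute error when `issuer` names a CA that is not declared; wrapping the lookup, e.g. `(cfg.${config.issuer} or (throw "local.pki.ca: certificate ${name} names unknown issuer ${config.issuer}"))`, would point straight at the misconfigured entry.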
@@ -1,90 +0,0 @@
-{ config, lib, pkgs, ... }:
-with lib; let
- cfg = config.local.pki.ca;
-
- inherit (pkgs.buildPackages) openssl;
-
- certsType = leafOf: with lib.types; attrsOf (submodule ({ config, name, ... }: {
- options = {
- cert = mkOption {
- type = path;
- readOnly = true;
- };
-
- fingerprint.sha256 = mkOption {
- type = str;
- readOnly = true;
- };
-
- fullchain = mkOption {
- type = path;
- readOnly = true;
- };
-
- issuer = mkOption {
- type = nullOr str;
- readOnly = true;
- };
-
- path = mkOption {
- type = str;
- readOnly = true;
- };
- } // optionalAttrs (leafOf != null) {
- commonName = mkOption {
- type = str;
- readOnly = true;
- };
- } // optionalAttrs (leafOf == null) {
- crl = mkOption {
- type = path;
- readOnly = true;
- };
-
- certWithCrl = mkOption {
- type = path;
- readOnly = true;
- };
-
- leaves = mkOption {
- type = certsType name;
- readOnly = true;
- };
- };
-
- config = {
- fingerprint.sha256 = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
- ${openssl}/bin/openssl x509 -in ${config.cert} -noout -sha256 -fingerprint \
- | sed 's/^.*=//' \
- | tr -d $'\n' \
- >$out
- '');
-
- fullchain = pkgs.writeText "${name}-fullchain-crl.pem"
- (concatStrings (map readFile
- (singleton (if leafOf != null then config.cert else config.certWithCrl)
- ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain)));
-
- path = optionalString (config.issuer != null) (cfg.${config.issuer}.path + ".") + name;
- } // optionalAttrs (leafOf != null) {
- commonName = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
- ${openssl}/bin/openssl x509 -in ${config.cert} -noout -subject -nameopt multiline \
- | grep commonName \
- | sed 's/^.*=\s*//' \
- | tr -d $'\n' \
- >$out
- '');
-
- issuer = leafOf;
- } // optionalAttrs (leafOf == null) {
- certWithCrl = pkgs.writeText "${name}-cert-crl.pem"
- (concatStrings (map readFile [ config.cert config.crl ]));
- };
- }));
-in
-{
- options.local.pki.ca = mkOption {
- type = certsType null;
- readOnly = true;
- };
-}
diff --git a/sys/pki/certs.nix b/sys/pki/certs.nix
deleted file mode 100644
index c191fc5..0000000
--- a/sys/pki/certs.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- config.local.pki.ca = {
- home = {
- crl = ./public/home-crl.pem;
- cert = ./public/home-ca.pem;
- issuer = "root";
-
- leaves = {
- user-firefox.cert = ./public/home-user-firefox.pem;
- };
- };
-
- mail = {
- crl = ./public/mail-crl.pem;
- cert = ./public/mail-ca.pem;
- issuer = "root";
-
- leaves = {
- kiev.cert = ./public/mail-kiev.pem;
- larsa.cert = ./public/mail-larsa.pem;
- };
- };
-
- root = {
- crl = ./public/root-crl.pem;
- cert = ./public/root-ca.pem;
- issuer = null;
- leaves = { };
- };
- };
-}
diff --git a/sys/pki/default.nix b/sys/pki/default.nix
deleted file mode 100644
index 30519af..0000000
--- a/sys/pki/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- imports = [
- ./ca.nix
- ./certs.nix
- ./by-path.nix
- ];
-}
diff --git a/sys/pki/public/README.md b/sys/pki/public/README.md
deleted file mode 100644
index 37073ba..0000000
--- a/sys/pki/public/README.md
+++ /dev/null
@@ -1 +0,0 @@
-# This directory has been lustrated.
-- 
cgit v1.2.3