From bd30588eac90b498457c7e0b5687a33e7585425a Mon Sep 17 00:00:00 2001
From: Alejandro Soto <alejandro@34project.org>
Date: Sun, 28 Jul 2024 13:23:37 -0600
Subject: pki: rename from sys/pki, import in home

---
 pki/ca.nix | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 pki/ca.nix

(limited to 'pki/ca.nix')

diff --git a/pki/ca.nix b/pki/ca.nix
new file mode 100644
index 0000000..70640be
--- /dev/null
+++ b/pki/ca.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+  cfg = config.local.pki.ca;
+
+  inherit (pkgs.buildPackages) openssl;
+
+  certsType = leafOf: with lib.types; attrsOf (submodule ({ config, name, ... }: {
+    options = {
+      cert = mkOption {
+        type = path;
+        readOnly = true;
+      };
+
+      fingerprint.sha256 = mkOption {
+        type = str;
+        readOnly = true;
+      };
+
+      fullchain = mkOption {
+        type = path;
+        readOnly = true;
+      };
+
+      issuer = mkOption {
+        type = nullOr str;
+        readOnly = true;
+      };
+
+      path = mkOption {
+        type = str;
+        readOnly = true;
+      };
+    } // optionalAttrs (leafOf != null) {
+      commonName = mkOption {
+        type = str;
+        readOnly = true;
+      };
+    } // optionalAttrs (leafOf == null) {
+      crl = mkOption {
+        type = path;
+        readOnly = true;
+      };
+
+      certWithCrl = mkOption {
+        type = path;
+        readOnly = true;
+      };
+
+      leaves = mkOption {
+        type = certsType name;
+        readOnly = true;
+      };
+    };
+
+    config = {
+      fingerprint.sha256 = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
+        ${openssl}/bin/openssl x509 -in ${config.cert} -noout -sha256 -fingerprint \
+          | sed 's/^.*=//' \
+          | tr -d $'\n' \
+          >$out
+      '');
+
+      fullchain = pkgs.writeText "${name}-fullchain-crl.pem"
+        (concatStrings (map readFile
+          (singleton (if leafOf != null then config.cert else config.certWithCrl)
+            ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain)));
+
+      path = optionalString (config.issuer != null) (cfg.${config.issuer}.path + ".") + name;
+    } // optionalAttrs (leafOf != null) {
+      commonName = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
+        ${openssl}/bin/openssl x509 -in ${config.cert} -noout -subject -nameopt multiline \
+          | grep commonName \
+          | sed 's/^.*=\s*//' \
+          | tr -d $'\n' \
+          >$out
+      '');
+
+      issuer = leafOf;
+    } // optionalAttrs (leafOf == null) {
+      certWithCrl = pkgs.writeText "${name}-cert-crl.pem"
+        (concatStrings (map readFile [ config.cert config.crl ]));
+    };
+  }));
+in
+{
+  options.local.pki.ca = mkOption {
+    type = certsType null;
+    readOnly = true;
+  };
+}
-- 
cgit v1.2.3