From 181200e62d929df7e632e581547a01c71eeefc2a Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Sat, 20 Jul 2024 16:41:14 -0600
Subject: sys/pki: build fullchains from cert+crl+issuer
---
 sys/pki/ca.nix | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 sys/pki/ca.nix
(limited to 'sys/pki/ca.nix')
diff --git a/sys/pki/ca.nix b/sys/pki/ca.nix
new file mode 100644
index 0000000..4e8f841
--- /dev/null
+++ b/sys/pki/ca.nix
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+ cfg = config.local.pki.ca;
+in
+{
+ options.local.pki.ca = mkOption {
+ readOnly = true;
+
+ type = with lib.types; attrsOf (submodule ({ config, name, ... }: {
+ options = {
+ cert = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ crl = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ fullchain = mkOption {
+ type = path;
+ readOnly = true;
+ };
+
+ issuer = mkOption {
+ type = nullOr str;
+ readOnly = true;
+ };
+ };
+
+ config.fullchain = pkgs.writeText "${name}-fullchain-crl.pem"
+ (concatStrings (map readFile
+ ([ config.cert config.crl ] ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain)));
+ }));
+ };
+
+ config.local.pki.ca = {
+ mail = {
+ crl = ./public/mail-crl.pem;
+ cert = ./public/mail-ca.pem;
+ issuer = "root";
+ };
+
+ root = {
+ crl = ./public/root-crl.pem;
+ cert = ./public/root-ca.pem;
+ issuer = null;
+ };
+ };
+}
--
cgit v1.2.3
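Review bot: `config.fullchain` concatenates cert, CRL and the issuer's chain into a store path with no check that they belong together, so a wrong `issuer` name, a CRL signed by a different key, or a CRL whose nextUpdate has passed since the last rebuild only shows up when a consumer rejects the bundle. Building it with `pkgs.runCommand` and running `openssl verify -crl_check` against the result turns each of those into a build failure, which matters here because the CRL is frozen into the closure and cannot refresh without a rebuild. The four options also carry no `description`, and since `pkgs.writeText` lands in the world-readable store, `cert`/`crl` should be documented as public material only, e.g. `description = "PEM bundle: this CA's certificate, its current CRL, then the issuer's fullchain (public material only; rebuilt from ./public).";`.
```nix
# … unchanged: option declarations …
config.fullchain = pkgs.runCommand "${name}-fullchain-crl.pem" { nativeBuildInputs = [ pkgs.openssl ]; } ''
  cat ${config.cert} ${config.crl} ${optionalString (config.issuer != null) cfg.${config.issuer}.fullchain} > $out
  # A mismatched issuer or an expired/foreign CRL fails the build here rather than at a consumer's verification.
  openssl verify -crl_check -CAfile $out ${config.cert}
'';
# … unchanged: config.local.pki.ca definitions …
```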