{ config, lib, pkgs, ... }: with lib; let cfg = config.local.pki.ca; inherit (pkgs.buildPackages) openssl; certsType = leafOf: with lib.types; attrsOf (submodule ({ config, name, ... }: { options = { cert = mkOption { type = path; readOnly = true; }; fingerprint.sha256 = mkOption { type = str; readOnly = true; }; fullchain = mkOption { type = path; readOnly = true; }; issuer = mkOption { type = nullOr str; readOnly = true; }; path = mkOption { type = str; readOnly = true; }; } // optionalAttrs (leafOf != null) { commonName = mkOption { type = str; readOnly = true; }; } // optionalAttrs (leafOf == null) { crl = mkOption { type = path; readOnly = true; }; certWithCrl = mkOption { type = path; readOnly = true; }; leaves = mkOption { type = certsType name; readOnly = true; }; }; config = { fingerprint.sha256 = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } '' ${openssl}/bin/openssl x509 -in ${config.cert} -noout -sha256 -fingerprint \ | sed 's/^.*=//' \ | tr -d $'\n' \ >$out ''); fullchain = pkgs.writeText "${name}-fullchain-crl.pem" (concatStrings (map readFile (singleton (if leafOf != null then config.cert else config.certWithCrl) ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain))); path = optionalString (config.issuer != null) (cfg.${config.issuer}.path + ".") + name; } // optionalAttrs (leafOf != null) { commonName = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } '' ${openssl}/bin/openssl x509 -in ${config.cert} -noout -subject -nameopt multiline \ | grep commonName \ | sed 's/^.*=\s*//' \ | tr -d $'\n' \ >$out ''); issuer = leafOf; } // optionalAttrs (leafOf == null) { certWithCrl = pkgs.writeText "${name}-cert-crl.pem" (concatStrings (map readFile [ config.cert config.crl ])); }; })); in { options.local.pki.ca = mkOption { type = certsType null; readOnly = true; }; }