path: root/sys/pki/ca.nix
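{ config, lib, pkgs, ... }:
# Local PKI: a read-only tree of CA certificates and the leaf certificates
# they issue. Derived values (full chains, cert+CRL bundles, SHA-256
# fingerprints, common names) are computed from the PEM files at evaluation
# time with `openssl` (import-from-derivation).
# Everything referenced from here is copied into the Nix store, which is
# world-readable: only public material (certificates, CRLs) belongs in this
# tree, never private keys.
with lib; let
  cfg = config.local.pki.ca;

  # openssl runs on the build host (buildPackages), not on the target.
  inherit (pkgs.buildPackages) openssl;

  # One level of the certificate tree.
  #   leafOf == null -> CA entries: carry a CRL and a `leaves` subtree.
  #   leafOf != null -> leaf certificates issued by the top-level CA named `leafOf`.
  certsType = leafOf: with lib.types; attrsOf (submodule ({ config, name, ... }: {
    options = {
      # PEM certificate. Has no default, so it must be defined by whoever
      # defines `local.pki.ca` (readOnly permits exactly one definition).
      cert = mkOption {
        type = path;
        readOnly = true;
      };

      # Colon-separated hex SHA-256 fingerprint of `cert`, as printed by
      # `openssl x509 -fingerprint`, without the leading `Fingerprint=` label.
      fingerprint.sha256 = mkOption {
        type = str;
        readOnly = true;
      };

      # This certificate (for a CA: cert + CRL) followed by the issuer chain
      # up to the root.
      fullchain = mkOption {
        type = path;
        readOnly = true;
      };

      # Name of the issuing CA (a top-level key of `local.pki.ca`), or null
      # for a root CA. Leaves get it set automatically from `leafOf`; CAs
      # default to null (root) and may define it once for an intermediate.
      issuer = mkOption ({
        type = nullOr str;
        readOnly = true;
      } // optionalAttrs (leafOf == null) {
        default = null;
      });

      # Dotted position of this entry in the tree: the issuer's path, a dot,
      # then the entry's own name (e.g. `root.intermediate.leaf`). Used to
      # give the helper derivations distinct names.
      path = mkOption {
        type = str;
        readOnly = true;
      };
    } // optionalAttrs (leafOf != null) {
      # Subject common name extracted from the leaf certificate.
      commonName = mkOption {
        type = str;
        readOnly = true;
      };
    } // optionalAttrs (leafOf == null) {
      # PEM CRL of this CA. It is bundled into the store at build time, so a
      # revocation only becomes visible to consumers of `certWithCrl` /
      # `fullchain` after the configuration is re-evaluated and redeployed.
      crl = mkOption {
        type = path;
        readOnly = true;
      };

      # `cert` followed by `crl` in one PEM file.
      certWithCrl = mkOption {
        type = path;
        readOnly = true;
      };

      # Leaf certificates issued by this CA, keyed by name. These are leaves
      # only; intermediate CAs live at the top level with `issuer` set.
      leaves = mkOption {
        type = certsType name;
        readOnly = true;
      };
    };

    config = {
      # openssl prints `<digest> Fingerprint=AA:BB:...`; keep the part after
      # `=` and drop the trailing newline so the value is a single token.
      fingerprint.sha256 = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-fprint-sha256" { } ''
        ${openssl}/bin/openssl x509 -in ${config.cert} -noout -sha256 -fingerprint \
          | sed 's/^.*=//' \
          | tr -d $'\n' \
          >$out
      '');

      # Own material first (cert+CRL for a CA, bare cert for a leaf), then the
      # issuer's full chain, which recurses up to the root. The file name
      # carries the `-crl` suffix for leaves too, although a leaf adds no CRL
      # of its own; the issuer CAs' CRLs are what ends up in the bundle.
      fullchain = pkgs.writeText "${name}-fullchain-crl.pem"
        (concatStrings (map readFile
          (singleton (if leafOf != null then config.cert else config.certWithCrl)
            ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain)));

      path = optionalString (config.issuer != null) (cfg.${config.issuer}.path + ".") + name;
    } // optionalAttrs (leafOf != null) {
      # With `-nameopt multiline` every RDN is printed on its own line as
      # `    commonName = value`; keep only the value. Assumes a single CN:
      # several would be concatenated, since newlines are stripped, and a
      # subject without a CN fails the build (pipefail, empty grep match).
      # The derivation name is distinct from the fingerprint helper above.
      commonName = readFile (pkgs.runCommandNoCCLocal "cert-${config.path}-commonname" { } ''
        ${openssl}/bin/openssl x509 -in ${config.cert} -noout -subject -nameopt multiline \
          | grep commonName \
          | sed 's/^.*=\s*//' \
          | tr -d $'\n' \
          >$out
      '');

      # A leaf is always issued by the CA whose `leaves` it is declared in.
      issuer = leafOf;
    } // optionalAttrs (leafOf == null) {
      certWithCrl = pkgs.writeText "${name}-cert-crl.pem"
        (concatStrings (map readFile [ config.cert config.crl ]));
    };
  }));
in
{
  # All CAs by name, roots and intermediates alike (an intermediate names its
  # issuer via `issuer`). readOnly: the whole tree is defined exactly once.
  options.local.pki.ca = mkOption {
    type = certsType null;
    readOnly = true;
  };
}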