diff --git a/modules/initca.nix b/modules/initca.nix
index 8fd4e21..2bfd9a6 100644
--- a/modules/initca.nix
+++ b/modules/initca.nix
@@ -1,28 +1,29 @@
-{ pkgs ? import {}, ca ? "", name ? "ca", ...}:
+{ pkgs ? import {}, ca ? null, name ? "ca", hosts ? [], ...}:
 with pkgs;
 let
+ ca_csr = pkgs.writeText "${name}-csr.json" (builtins.toJSON {
+ inherit hosts;
+ CN = "${name}";
+ key = {
+ algo = "rsa";
+ size = 2048;
+ };
+ names = [
+ {
+ CN = "${name}";
+ O = "NixOS";
+ OU = "${name}.pki.caSpec";
+ L = "generated";
+ }
+ ];
+ }
+ );
 ca' =
- let
- ca_csr = pkgs.writeText "${name}-csr.json" (builtins.toJSON {
- key = {
- algo = "rsa";
- size = 2048;
- };
- names = [
- {
- CN = "${name}";
- O = "NixOS";
- OU = "${name}.pki.caSpec";
- L = "generated";
- }
- ];
- });
- in
 pkgs.runCommand "initca" {
 buildInputs = [ pkgs.cfssl ];
- } '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \
- mkdir -p $out; cp *.pem $out'';
- initca = if ca != "" then ca else ca';
+ } '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca;
+ mkdir -p $out; cp *.pem $out '';
+ initca = if ca != null then ca else ca';
 in
 # make ca derivation sha depend on initca cfssl output
 pkgs.stdenv.mkDerivation {
diff --git a/modules/linkerd-certs.nix b/modules/linkerd-certs.nix
new file mode 100644
index 0000000..aed1e80
--- /dev/null
+++ b/modules/linkerd-certs.nix
@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+let
+ identity = import ./initca.nix {
+ inherit pkgs;
+ name = "linkerd-identity-ca";
+ hosts = [ "identity.linkerd.cluster.local" ];
+ };
+
+ webhook = import ./initca.nix {
+ inherit pkgs;
+ name = "linkerd-webhook-ca";
+ hosts = [ "webhook.linkerd.cluster.local" ];
+ };
+in {
+ inherit identity webhook;
+}
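Review bot: The rewritten runCommand line `mkdir -p $out; cp *.pem $out '';` copies `ca-key.pem` together with `ca.pem` into `$out`, so the freshly generated CA private key lands in the Nix store, which is world-readable on every host that builds or substitutes the derivation; the removed line did the same, but this hunk does not record that limitation anywhere. Add a comment above `pkgs.runCommand "initca" {` such as `# NOTE: ca-key.pem is copied into the Nix store and is world-readable; only suitable for throwaway/dev clusters`, or copy only `ca.pem` to `$out` if the signing step in the `pkgs.stdenv.mkDerivation` that begins at the end of this hunk (and continues outside it) does not need the key from the store. The `CN = "${name}";` kept inside `names` looks redundant now that the new top-level `CN = "${name}";` is set; if cfssl only honours the top-level field, the inner one can be dropped. The new `hosts` list is also placed in the CA CSR itself, which presumably makes those names SANs of the CA certificate rather than of the certificates it issues; a one-line comment on `inherit hosts;` stating that this is intended would help the next reader.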
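Review bot: The new file has no header comment explaining what the two imports of `./initca.nix` produce or how the `hosts` values were chosen, and both attributes are exported bare via `inherit identity webhook;`. A comment at the top such as `# Two independent self-signed CAs for linkerd: one trust anchor for the identity service, one for the webhooks; see initca.nix for how the key material is generated and where it ends up` would make the intent reviewable. The host names `identity.linkerd.cluster.local` and `webhook.linkerd.cluster.local` are presumably meant to match the DNS names the consuming components present; if they are only placeholders, say so next to each `hosts = [ ... ];` line so they are not trusted as-is.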