Add expression for generating linkerd trust anchors

2020-11-12 10:06:54 +01:00
parent 9e79911b1d
commit 55aaad91be
2 changed files with 37 additions and 20 deletions
--- a/modules/initca.nix
+++ b/modules/initca.nix
@@ -1,28 +1,29 @@
-{ pkgs ? import <nixpkgs> {}, ca ? "", name ? "ca", ...}:
+{ pkgs ? import <nixpkgs> {}, ca ? null, name ? "ca", hosts ? [], ...}:
 with pkgs;
 let
+  ca_csr = pkgs.writeText "${name}-csr.json" (builtins.toJSON {
+      inherit hosts;
+      CN = "${name}";
+      key = {
+          algo = "rsa";
+          size = 2048;
+      };
+      names = [
+        {
+          CN = "${name}";
+          O = "NixOS";
+          OU = "${name}.pki.caSpec";
+          L = "generated";
+        }
+      ];
+    }
+  );
  ca' =
-    let
-      ca_csr = pkgs.writeText "${name}-csr.json" (builtins.toJSON {
-          key = {
-              algo = "rsa";
-              size = 2048;
-          };
-          names = [
-            {
-              CN = "${name}";
-              O = "NixOS";
-              OU = "${name}.pki.caSpec";
-              L = "generated";
-            }
-          ];
-        });
-    in
      pkgs.runCommand "initca" {
        buildInputs = [ pkgs.cfssl ];
-      } '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \
-           mkdir -p $out; cp *.pem $out'';
-   initca = if ca != "" then ca else ca';
+      } '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca;
+           mkdir -p $out; cp *.pem $out '';
+   initca = if ca != null then ca else ca';
 in
  # make ca derivation sha depend on initca cfssl output
  pkgs.stdenv.mkDerivation {