Secure certificates after generation

2019-02-23 15:34:28 +01:00
parent cce9aa825b
commit 66d29be22c
19 changed files with 2098 additions and 144 deletions
--- a/lib/pki.nix
+++ b/lib/pki.nix
@@ -36,7 +36,7 @@
    }
  '';

-  initca =
+  initca' =
    let
      ca_csr = gencsr {
        name = "kubernetes";
@@ -51,9 +51,9 @@
           mkdir -p $out; cp *.pem $out'';

   # make ca derivation sha depend on initca cfssl output
-   initca' = pkgs.stdenv.mkDerivation {
+   initca = pkgs.stdenv.mkDerivation {
    name = "ca";
-    src = initca;
+    src = initca';
    buildCommand = ''
      mkdir -p $out;
      cp -r $src/* $out
@@ -61,8 +61,8 @@
  };

  ca = {
-    key = "${initca'}/ca-key.pem";
-    cert = "${initca'}/ca.pem";
+    key = "${initca}/ca-key.pem";
+    cert = "${initca}/ca.pem";
  };

  cfssl = conf: ''
@@ -72,16 +72,16 @@
    mkdir -p $out; cp *.pem $out
  '';

+  toSet = cert:
+    {
+      key = "${cert}/cert-key.pem";
+      cert = "${cert}/cert.pem";
+    };
+
  gencert = conf:
-    let
-      drv = pkgs.runCommand "${conf.name}" {
+      pkgs.runCommand "${conf.name}" {
        buildInputs = [ pkgs.cfssl ];
      } (cfssl conf);
-    in
-      {
-        key = "${drv}/cert-key.pem";
-        cert = "${drv}/cert.pem";
-      };

  admin = gencert rec {
      name = "admin";