From be8082a927520a11e9e237fe74581fc12339b830 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Tue, 11 Jul 2017 11:38:10 +0200
Subject: [PATCH] Generate certificates from nix.
---
base/pki.nix | 127 +++++++++++++++++++++++++++++++++++++++++++++++++++
pki/pki.nix | 11 -----
2 files changed, 127 insertions(+), 11 deletions(-)
create mode 100644 base/pki.nix
delete mode 100644 pki/pki.nix
diff --git a/base/pki.nix b/base/pki.nix
new file mode 100644
index 0000000..f72a694
--- /dev/null
+++ b/base/pki.nix
@@ -0,0 +1,127 @@
+# {pkgs, ...}:
+with import {};
+let
+ ca-config = pkgs.writeText "ca-config.json" ''
+ {
+ "signing": {
+ "default": {
+ "expiry": "43800h"
+ },
+ "profiles": {
+ "server": {
+ "expiry": "43800h",
+ "usages": [
+ "signing",
+ "key encipherment",
+ "server auth"
+ ]
+ },
+ "client": {
+ "expiry": "43800h",
+ "usages": [
+ "signing",
+ "key encipherment",
+ "client auth"
+ ]
+ },
+ "peer": {
+ "expiry": "43800h",
+ "usages": [
+ "signing",
+ "key encipherment",
+ "server auth",
+ "client auth"
+ ]
+ }
+ }
+ }
+ }
+ '';
+ csr = args: pkgs.writeText "${args.cn}-cert.json" ''
+ {
+ "CN": "${args.cn}",
+ "hosts": [ ${args.hosts} ],
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "NO",
+ "L": "Tromsø",
+ "O": "Serit IT Partner Tromsø AS",
+ "OU": "",
+ "ST": ""
+ }
+ ]
+ }
+ '';
+
+ ca-csr = csr { cn = "kubernetes"; hosts = ""; };
+ ca = pkgs.runCommand "ca-cert" {
+ buildInputs = [ pkgs.cfssl ];
+ } '' cfssl genkey -initca ${ca-csr} | cfssljson -bare ca; \
+ mkdir -p $out; cp *.pem $out'';
+ ca_cert = "${ca}/ca.pem";
+ ca_key = "${ca}/ca-key.pem";
+
+ cfssl = name: profile: ''
+ cfssl gencert -ca ${ca_cert} -ca-key ${ca_key} \
+ -config=${ca-config} -profile=${profile} ${name} | cfssljson -bare cert; \
+ mkdir -p $out; cp *.pem $out
+ '';
+ mkCert = cert:
+ pkgs.runCommand "${cert.name}-cert" {
+ buildInputs = [ pkgs.cfssl ];
+ } (cfssl cert.csr cert.profile);
+
+ server-csr = csr {
+ cn = "kubernetes";
+ hosts = ''"kubernetes", "k8s0-0", "10.253.18.100"'';
+ };
+ server_cert = "${ca}/cert.pem";
+ server_key = "${ca}/cert-key.pem";
+
+ etcd0-csr = csr {
+ cn = "etcd0";
+ hosts = ''"etcd0", "10.253.18.100"'';
+ };
+ etcd0_cert = "${ca}/cert.pem";
+ etcd0_key = "${ca}/cert-key.pem";
+
+ etcd1-csr = csr {
+ cn = "etcd1";
+ hosts = ''"etcd1", "10.253.18.101"'';
+ };
+ etcd1_cert = "${ca}/cert.pem";
+ etcd1_key = "${ca}/cert-key.pem";
+
+ client-csr = csr {
+ cn = "client";
+ hosts = '''';
+ };
+ client_cert = "${ca}/cert.pem";
+ client_key = "${ca}/cert-key.pem";
+in
+rec {
+ server-cert = mkCert {
+ name = "kubernetes";
+ csr = server-csr;
+ profile = "server";
+ };
+ etcd0-cert = mkCert {
+ name = "etcd0";
+ csr = etcd0-csr;
+ profile = "peer";
+ };
+ etcd1-cert = mkCert {
+ name = "etcd1";
+ csr = etcd1-csr;
+ profile = "peer";
+ };
+ client-cert = mkCert {
+ name = "client";
+ csr = client-csr;
+ profile = "client";
+ };
+}
diff --git a/pki/pki.nix b/pki/pki.nix
deleted file mode 100644
index 0e0fdb7..0000000
--- a/pki/pki.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{pkgs, ...}:
-let
- makeCert = name:
- pkgs.runCommand name {
- buildInputs = [ pkgs.cfssl ];
- } ''cfssl gencert -ca ca.pem -ca-key ca-key.pem ${name}.json \
- | cfssljson -bare ${name}''
-in
-{
- ca_key
-}
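Review bot: Both `cp *.pem $out` lines (in the `ca` derivation and in the `cfssl` helper) copy the private keys `ca-key.pem` and `cert-key.pem` into derivation outputs, and the Nix store is world-readable, so the CA key and every service key end up readable by any local user on the build host and by anyone with access to a binary cache this store is pushed to. If the CA and certificates are to stay in Nix, copy only the public material (`cp ca.pem $out` and `cp cert.pem $out`) and produce the private keys and signed certificates outside the store, e.g. at activation time, with `-ca-key` then pointing at a runtime path rather than `${ca_key}`. Separately, `server_cert = "${ca}/cert.pem"` and the matching `server_key`, `etcd0_*`, `etcd1_*` and `client_*` bindings point at the `ca` derivation, whose output only ever holds `ca.pem` and `ca-key.pem`, so those paths do not exist; they are also unreferenced, so either drop them or point them at the `mkCert` outputs (`"${server-cert}/cert.pem"`). The `with import {};` line also appears to be missing its argument (presumably `<nixpkgs>`), though that may be an artefact of how the patch was rendered.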