with import <nixpkgs> {};
let
  initca' =
    let
      ca_csr = pkgs.writeText "kube-pki-cacert-csr.json" (builtins.toJSON {
          key = {
              algo = "rsa";
              size = 2048;
          };
          names = [
            {
              CN = "kubernetes-cluster-ca";
              O = "NixOS";
              OU = "services.kubernetes.pki.caSpec";
              L = "generated";
            }
          ];
        });
    in
      pkgs.runCommand "initca" {
        buildInputs = [ pkgs.cfssl ];
      } '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \
           mkdir -p $out; cp *.pem $out'';
in
  # make ca derivation sha depend on initca cfssl output
  pkgs.stdenv.mkDerivation {
    name = "ca";
    src = initca';
    buildCommand = ''
      mkdir -p $out;
      cp -r $src/* $out
    '';
  }