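# Generates a throw-away Kubernetes PKI with cfssl: a self-signed CA plus
# leaf certificates for the API server, etcd, an admin user, kube-proxy and
# one per worker node.
#
# Every artefact, including ca-key.pem and each leaf's private key, is a
# derivation output and therefore lives world-readable in the Nix store.
# That is what makes this usable as a test fixture and what rules it out
# for a real cluster.
#
# NOTE(review): the page this was recovered from shows `import {}`; the
# `<nixpkgs>` search-path argument was presumably lost in extraction and is
# restored here.
{ pkgs ? import <nixpkgs> {} }:
let
  inherit (pkgs) lib;

  # cfssl signing policy: a single "kubernetes" profile, valid for one year,
  # usable for both server and client authentication.  Every leaf below is
  # signed with this profile.
  ca-config = pkgs.writeText "ca-config.json" ''
    {
      "signing": {
        "default": { "expiry": "8760h" },
        "profiles": {
          "kubernetes": {
            "usages": [
              "signing",
              "key encipherment",
              "server auth",
              "client auth"
            ],
            "expiry": "8760h"
          }
        }
      }
    }
  '';

  # Common CSR skeleton shared by the CA and all leaves.  `o` becomes the
  # subject's O, which Kubernetes reads as the group (e.g. "system:masters").
  # NOTE(review): the CN inside `names` is identical for every certificate;
  # the top-level CN written by gencsr is the one expected to end up in the
  # subject — confirm against cfssl if the subject name matters.
  csr = o: {
    key = { algo = "rsa"; size = 2048; };
    names = [
      {
        CN = "kubernetes-cluster-ca";
        O = "${o}";
        OU = "services.kubernetes.pki.caSpec";
        L = "generated";
      }
    ];
  };

  # Normalise a `hosts` argument into a list of SAN strings.
  # Accepts a list, or — as the original callers pass — a comma-separated
  # string whose entries may be wrapped in double quotes.  Empty entries are
  # dropped, so "" yields [] instead of a single SAN of "".
  # As originally written the string was placed into a one-element list and
  # JSON-escaped, so the embedded quotes and commas never became separate SANs.
  toHostList = hosts:
    let
      unquote = s:
        let m = builtins.match ''[[:space:]]*"?([^"[:space:]]*)"?[[:space:]]*'' s;
        in if m == null then s else builtins.head m;
    in
      if builtins.isList hosts then hosts
      else builtins.filter (h: h != "") (map unquote (lib.splitString "," hosts));

  # Write a cfssl CSR for one leaf certificate.
  #   args.name  : derivation / file name
  #   args.cn    : subject CN (Kubernetes reads it as the user name)
  #   args.o     : subject O (the group)
  #   args.hosts : SANs, see toHostList
  # The skeleton is merged into the attribute set *before* serialising; as
  # originally written, function application bound tighter than `//`, so the
  # merge was applied to the JSON string rather than to the set.
  gencsr = args: pkgs.writeText "${args.name}-csr.json" (builtins.toJSON ({
    CN = "${args.cn}";
    hosts = toHostList args.hosts;
  } // csr args.o));

  # Self-signed CA.  The key pair is generated at build time; the derivation
  # is not fixed-output, so any change to its inputs produces a new CA.
  # `pipefail` makes a failing `cfssl genkey` fail the build instead of
  # leaving cfssljson to exit cleanly on empty input.
  initca' =
    let
      ca_csr = pkgs.writeText "kube-pki-cacert-csr.json" (builtins.toJSON (csr "NixOS"));
    in
      pkgs.runCommand "initca" { buildInputs = [ pkgs.cfssl ]; } ''
        set -o pipefail
        cfssl genkey -initca ${ca_csr} | cfssljson -bare ca
        mkdir -p $out
        cp *.pem $out
      '';

  # make ca derivation sha depend on initca cfssl output
  # NOTE(review): derivation outputs are input-addressed, so the hash of `ca`
  # depends on the initca' derivation, not on the generated key bytes —
  # confirm this wrapper still does what the comment above intends.
  initca = pkgs.stdenv.mkDerivation {
    name = "ca";
    src = initca';
    buildCommand = ''
      mkdir -p $out
      cp -r $src/* $out
    '';
  };

  # Store paths of the CA key and certificate (both in the Nix store).
  ca = {
    key = "${initca}/ca-key.pem";
    cert = "${initca}/ca.pem";
  };

  # Build script that signs `conf.csr` with the CA under the kubernetes
  # profile and copies the resulting cert.pem / cert-key.pem into $out.
  cfssl = conf: ''
    set -o pipefail
    cfssl gencert -ca ${ca.cert} -ca-key ${ca.key} \
      -config=${ca-config} -profile=kubernetes ${conf.csr} \
      | cfssljson -bare cert
    mkdir -p $out
    cp *.pem $out
  '';

  # Run the signing script for `conf` and expose the key/cert store paths.
  gencert = conf:
    let
      crt = pkgs.runCommand "${conf.name}" { buildInputs = [ pkgs.cfssl ]; } (cfssl conf);
    in {
      key = "${crt}/cert-key.pem";
      cert = "${crt}/cert.pem";
    };

  # Certificate whose SANs are `name` followed by the given comma-separated
  # hosts.  Not referenced by the attribute set returned below; kept unchanged.
  trust = name: hosts:
    let hosts' = "\"${name}\", " + hosts;
    in gencert rec {
      inherit name;
      csr = gencsr { inherit name; hosts = hosts'; cn = name; o = name; };
    };
in {
  inherit ca;

  # Cluster-admin client certificate: CN "admin" in group system:masters.
  # No SANs — it is only ever presented as a client.
  admin = gencert rec {
    name = "admin";
    csr = gencsr { inherit name; cn = "admin"; o = "system:masters"; hosts = ""; };
  };

  # API server serving certificate; `hosts` are the names/addresses clients
  # connect by (list or comma-separated string, see toHostList).
  apiserver = hosts: gencert rec {
    name = "kubernetes";
    csr = gencsr { inherit name hosts; cn = "kubernetes"; o = "kubernetes"; };
  };

  # etcd serving certificate, same `hosts` convention as apiserver.
  etcd = hosts: gencert rec {
    name = "etcd";
    csr = gencsr { inherit name hosts; cn = "etcd"; o = "kubernetes"; };
  };

  # kube-proxy client certificate (group system:node-proxier), no SANs.
  kube-proxy = gencert rec {
    name = "kube-proxy";
    csr = gencsr { inherit name; cn = "system:kube-proxy"; o = "system:node-proxier"; hosts = ""; };
  };

  # Per-node kubelet certificate.  CN/O follow the system:node:<name> /
  # system:nodes convention; the node's name and IP become its SANs.
  worker = instance: gencert rec {
    name = instance.name;
    csr = gencsr {
      inherit name;
      cn = "system:node:${instance.name}";
      o = "system:nodes";
      hosts = [ instance.name instance.ip ];
    };
  };
}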