platform/base/pki.nix

with import <nixpkgs> {};
let
  ca-config = pkgs.writeText "ca-config.json" ''
  {
      "signing": {
          "default": {
              "expiry": "43800h"
          },
          "profiles": {
              "server": {
                  "expiry": "43800h",
                  "usages": [
                      "signing",
                      "key encipherment",
                      "server auth"
                  ]
              },
              "client": {
                  "expiry": "43800h",
                  "usages": [
                      "signing",
                      "key encipherment",
                      "client auth"
                  ]
              }
          }
      }
  }
  '';

  csr = args: pkgs.writeText "${args.cn}-cert.json" ''
    {
    "CN": "${args.cn}",
    "hosts": [ ${args.hosts} ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "NO",
            "L": "Tromsø",
            "O": "Serit IT Partner Tromsø AS",
            "OU": "",
            "ST": ""
        }
    ]
    }
  '';

  ca-csr = csr  { cn = "kubernetes"; hosts = ""; };
  ca = pkgs.runCommand "ca-cert" {
      buildInputs = [ pkgs.cfssl ];
    } '' cfssl genkey -initca ${ca-csr} | cfssljson -bare ca; \
         mkdir -p $out; cp *.pem $out'';

  ca_cert = "${ca}/ca.pem";
  ca_key = "${ca}/ca-key.pem";

  cfssl = name: profile: ''
    cfssl gencert -ca ${ca_cert} -ca-key ${ca_key} \
    -config=${ca-config} -profile=${profile} ${name} | cfssljson -bare cert; \
    mkdir -p $out; cp *.pem $out
  '';
in
  rec {
    inherit ca_cert;
    inherit ca_key;
    inherit csr;

    mkCert = cert:
    pkgs.runCommand "${cert.name}-cert" {
      buildInputs = [ pkgs.cfssl ];
    } (cfssl cert.csr cert.profile);

  # server-cert = mkCert {
  #     name = "kubernetes";
  #     csr = csr {
  #       cn = "kubernetes";
  #       hosts = ''"kubernetes", "k8s0-0", "etcd0", "localhost", "10.253.18.100"'';
  #     };
  #     profile = "server";
  # };

  # etcd0-cert = mkCert {
  #   name = "etcd0";
  #   csr = csr {
  #     cn = "etcd0";
  #     hosts = ''"etcd0", "k8s0-0", "localhost", "10.253.18.100"'';
  #   };
  #   profile = "peer";
  # };

  # etcd1-cert = mkCert {
  #   name = "etcd1";
  #   csr = csr {
  #     cn = "etcd1";
  #     hosts = ''"etcd1", "k8s0-1", "localhost", "10.253.18.101"'';
  #   };
  #   profile = "peer";
  # };

  # client-cert = mkCert {
  #   name = "client";
  #   csr = csr {
  #     cn = "client";
  #     hosts = '''';
  #   };
  #   profile = "client";
  # };

  # server_key = "${server-cert}/cert-key.pem";
  # server_cert = "${server-cert}/cert.pem";

  # etcd0_key = "${etcd0-cert}/cert-key.pem";
  # etcd0_cert = "${etcd0-cert}/cert.pem";

  # etcd1_key = "${etcd1-cert}/cert-key.pem";
  # etcd1_cert = "${etcd1-cert}/cert.pem";

  # client_key = "${client-cert}/cert-key.pem";
  # client_cert = "${client-cert}/cert.pem";

  }