oceanbox/platform
6
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
8fa0bb9760e514865dc3d3a04e89b2db4b48c4df
platform/modules/pki.nix
Jonas Juselius 9a6250229d Allow adding extra SANs in pki.nix
2020-11-20 20:01:12 +01:00

83 lines
1.8 KiB
Nix
Raw Blame History

{ pkgs, ca ? "" }:
let
initca = import ./initca.nix { inherit pkgs ca; };
ca' = {
key = "${initca}/ca-key.pem";
cert = "${initca}/ca.pem";
};
ca-config = pkgs.writeText "ca-config.json" ''
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"default": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
'';
gencsr = args:
let
csr = {
CN = "${args.cn}";
key = {
algo = "rsa";
size = 2048;
};
names = [
{
CN = "${args.cn}";
O = "${args.o}";
OU = "${args.cn}.${args.o}.pki.caSpec";
L = "generated";
}
];
hosts = args.hosts;
};
in
pkgs.writeText "${args.cn}-csr.json" (builtins.toJSON csr);
in
# Example usage:
#
# gencert { cn = "test"; ca = ca; o = "test; };
#
rec {
inherit initca;
ca = ca';
gencert = attrs:
let
conf = {
cn = attrs.cn;
ca = attrs.ca;
csr = gencsr { cn = attrs.cn; o = attrs.o; hosts = attrs.hosts; };
};
cfssl = conf:
''
cfssl gencert -ca ${ca.cert} -ca-key ${ca.key} \
-config=${ca-config} -profile=default ${conf.csr} | \
cfssljson -bare cert; \
mkdir -p $out; cp *.pem $out
'';
crt =
pkgs.runCommand "${attrs.cn}" {
buildInputs = [ pkgs.cfssl ];
} (cfssl conf);
in
{
key = "${crt}/cert-key.pem";
cert = "${crt}/cert.pem";
};
}
Reference in New Issue View Git Blame Copy Permalink