platform/modules/initca.nix

{
  pkgs ? import <nixpkgs> {},
  ca ? null,
  name ? "ca",
  algo ? "rsa",
  hosts ? [],
  ...}:
with pkgs;
let
  ca_csr = pkgs.writeText "${name}-csr.json" (builtins.toJSON {
      inherit hosts;
      CN = "${name}";
      key = {
        inherit algo;
        size = if algo == "ecdsa" then 256 else 2048;
      };
      names = [
        {
          CN = "${name}";
          O = "NixOS";
          OU = "${name}.pki.caSpec";
          L = "generated";
        }
      ];
    }
  );
  ca' =
      pkgs.runCommand "initca" {
        buildInputs = [ pkgs.cfssl ];
      } '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca;
           mkdir -p $out; cp *.pem $out '';
   initca = if ca != null then ca else ca';
in
  # make ca derivation sha depend on initca cfssl output
  pkgs.stdenv.mkDerivation {
    inherit name;
    src = initca;
    buildCommand = ''
      mkdir -p $out;
      cp -r $src/* $out
    '';
  }