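{ pkgs, lib, config, ... }:

# features.certs: run a local cfssl CA and let certmgr request service
# certificates from it.  Each entry of features.certs.certs becomes one
# certmgr spec; the certificate is written to /var/lib/secrets/<name>.pem
# and its private key to /var/lib/secrets/<name>-key.pem (mode 0600).
#
# Trust-boundary notes -- nothing below enforces these, they are stated so
# the operator can decide whether the setup is acceptable:
#  * certmgr reaches cfssl over plain HTTP on localhost:8888 and this module
#    configures no cfssl auth key, so any local process that can reach that
#    port can presumably obtain a certificate for arbitrary names from this CA.
#  * /var/lib/secrets/ca.pem is referenced by every spec but is not created
#    here; it has to be provisioned by something else.
#  * the CA bundle must live outside the Nix store (see the assertion below),
#    otherwise ca-key.pem ends up world-readable under /nix/store.

with lib;

let
  cfg = config.features.certs;

  # Path where certmgr writes a generated PEM file.
  secret = name: "/var/lib/secrets/${name}.pem";

  # Build the certmgr spec for one entry of cfg.certs.
  # Required keys: name, owner, group.  Optional keys: SANs (default []),
  # service (default "nginx"), action (default "nop").
  genCert = x: {
    "${x.name}" = {
      service = x.service or "nginx";
      action = x.action or "nop";
      authority = {
        profile = "default";
        # Plaintext HTTP; only tolerable because the cfssl listener is local.
        remote = "http://localhost:8888";
        # NOTE(review): both entries point at the same file, which this module
        # never creates and which differs from "${cfg.caBundle}/ca.pem" that
        # cfssl itself serves from -- confirm how it is provisioned.
        root_ca = "/var/lib/secrets/ca.pem";
        file.path = "/var/lib/secrets/ca.pem";
      };
      certificate.path = secret x.name;
      private_key = {
        inherit (x) owner group;
        # The key is readable by its owner only.
        mode = "0600";
        path = secret "${x.name}-key";
      };
      request = {
        CN = x.name;
        # The CN is always the first SAN; extra names/IPs come from x.SANs.
        hosts = [ x.name ] ++ (x.SANs or []);
        key = {
          algo = "rsa";
          size = 2048;
        };
        names = [{
          L = "generated";
          O = "NixOS";
          OU = "services.pki.caSpec";
        }];
      };
    };
  };

  configuration = {
    # Interpolating a Nix path literal (./certs) or a store path into the
    # cfssl ca/caKey strings copies the whole directory -- including
    # ca-key.pem -- into the world-readable Nix store.  Refuse that up front.
    assertions = [{
      assertion = builtins.typeOf cfg.caBundle != "path"
        && !(hasPrefix builtins.storeDir (toString cfg.caBundle));
      message = "features.certs.caBundle must be an absolute path string outside the Nix store (e.g. \"/var/lib/cfssl\"), not a path literal or a store path, otherwise ca-key.pem is copied into /nix/store.";
    }];

    services.cfssl = {
      enable = true;
      caBundle = cfg.caBundle;
      ca = "${cfg.caBundle}/ca.pem";
      caKey = "${cfg.caBundle}/ca-key.pem";
    };

    services.certmgr = {
      enable = true;
      # Later entries with the same name override earlier ones (`//`).
      specs = foldl' (acc: x: acc // genCert x) {} cfg.certs;
    };
  };
in
{
  options.features.certs = {
    # mkEnableOption prefixes "Whether to enable", so the text must not
    # start with "Enable".
    enable = mkEnableOption "local certificate generation";

    caBundle = mkOption {
      type = types.path;
      # No default: a `null` default is not a valid `types.path` value and
      # the CA location is mandatory once the feature is enabled.
      description = ''
        Absolute path (as a string, e.g. "/var/lib/cfssl") of a directory
        containing ca.pem and ca-key.pem for the local cfssl CA.  Must be
        outside the Nix store; presumably it also has to be readable by the
        cfssl service user -- verify against the cfssl module.
      '';
    };

    certs = mkOption {
      type = types.listOf types.attrs;
      default = [];
      description = ''
        Certificates certmgr should obtain from the local CA.  Each entry
        needs name, owner and group; SANs, service and action are optional.

        [{
          name="example";
          SANs = [ "www.example.com" "10.0.0.1" ];
          owner = "nginx";
          group = "nginx";
        }]
      '';
    };
  };

  config = mkIf cfg.enable configuration;
}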