]> git.scottworley.com Git - nixos-make-certs/blob - modules/make-certs.nix
projects / nixos-make-certs / blob
? search:


812c5a05dabe52622d8cc1e1baf42cad722ed01b
[nixos-make-certs] / modules / make-certs.nix
1 { lib, config, pkgs, ... }:
2 let
3 inherit (lib) escapeShellArg;
4 mkActvationScript = name: cert-cfg:
5 let
6 pem-path = "${cert-cfg.dir}/${name}.pem";
7 key-path = "${cert-cfg.dir}/${name}.key";
8 in {
9 name = "make-cert-${name}";
10 value = ''
11 if [[ ! -e ${escapeShellArg pem-path} ]];then
12 ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg cert-cfg.dir}
13 ${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa:4096 \
14 -keyout ${escapeShellArg key-path} \
15 -out ${escapeShellArg pem-path} \
16 -days ${escapeShellArg cert-cfg.lifetime} \
17 -noenc
18 ${pkgs.coreutils}/bin/chown ${escapeShellArg cert-cfg.user} ${
19 escapeShellArg key-path
20 }
21 fi
22 '';
23 };
24 in {
25 options = {
26 chkno.make-certs = lib.mkOption {
27 type = lib.types.attrsOf (lib.types.submodule {
28 options = {
29 dir = lib.mkOption {
30 type = lib.types.str;
31 description = "Where to put the certificate and key.";
32 default = "/secrets";
33 };
34 lifetime = lib.mkOption {
35 type = lib.types.str;
36 description = "Lifetime of the generated certificate (in days).";
37 # This doesn't yet include any notion of certificate rotation,
38 # so just make really long-lived certificates for now.
39 default = "99999";
40 };
41 user = lib.mkOption {
42 type = lib.types.str;
43 description = "The username that owns (can read) the secret key.";
44 };
45 };
46 });
47 };
48 };
49 config = {
50 system.activationScripts =
51 lib.mapAttrs' mkActvationScript config.chkno.make-certs;
52 };
53 }
Certificate creation NixOS module