git.scottworley.com Git - nixos-make-certs/blob - modules/make-certs.nix

   1 { lib, config, pkgs, ... }:
   2 let
   3   inherit (lib) escapeShellArg stringAfter;
   4   mkActvationScript = name: cert-cfg:
   5     let
   6       pem-path = "${cert-cfg.dir}/${name}.pem";
   7       key-path = "${cert-cfg.dir}/${name}.key";
   8     in {
   9       name = "make-cert-${name}";
  10       value = stringAfter [ "users" ] (''
  11         if [[ ! -e ${escapeShellArg pem-path} ]];then
  12           ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg cert-cfg.dir}
  13           ${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa:4096 \
  14             -keyout ${escapeShellArg key-path} \
  15             -out ${escapeShellArg pem-path} \
  16             -days ${escapeShellArg cert-cfg.lifetime} \
  17             -noenc
  18           ${pkgs.coreutils}/bin/chown ${escapeShellArg cert-cfg.user} ${
  19             escapeShellArg key-path
  20           }
  21         fi
  22       '' + lib.optionalString cert-cfg.print ''
  23         echo Public certificate for ${escapeShellArg name}: >&2
  24         ${pkgs.coreutils}/bin/cat ${escapeShellArg pem-path} >&2
  25       '');
  26     };
  27 in {
  28   options = {
  29     chkno.make-certs = lib.mkOption {
  30       type = lib.types.attrsOf (lib.types.submodule {
  31         options = {
  32           dir = lib.mkOption {
  33             type = lib.types.str;
  34             description = "Where to put the certificate and key.";
  35             default = "/secrets";
  36           };
  37           lifetime = lib.mkOption {
  38             type = lib.types.str;
  39             description = "Lifetime of the generated certificate (in days).";
  40             # This doesn't yet include any notion of certificate rotation,
  41             # so just make really long-lived certificates for now.
  42             default = "99999";
  43           };
  44           print = lib.mkOption {
  45             type = lib.types.bool;
  46             description = "If set, print the certificate (public key) during activation.";
  47             default = false;
  48           };
  49           user = lib.mkOption {
  50             type = lib.types.str;
  51             description = "The username that owns (can read) the secret key.";
  52           };
  53         };
  54       });
  55     };
  56   };
  57   config = {
  58     system.activationScripts =
  59       lib.mapAttrs' mkActvationScript config.chkno.make-certs;
  60   };
  61 }