git.scottworley.com Git - nixos-make-certs/blob - modules/make-certs.nix

   1 { lib, config, pkgs, ... }:
   2 let
   3   inherit (lib) escapeShellArg stringAfter;
   4   mkActvationScript = name: cert-cfg:
   5     let
   6       pem-path = "${cert-cfg.dir}/${name}.pem";
   7       key-path = "${cert-cfg.dir}/${name}.key";
   8     in {
   9       name = "make-cert-${name}";
  10       value = stringAfter [ "users" ] (''
  11         if [[ ! -e ${escapeShellArg pem-path} ]];then
  12           ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg cert-cfg.dir}
  13           ${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa:4096 \
  14             -keyout ${escapeShellArg key-path} \
  15             -out ${escapeShellArg pem-path} \
  16             -days ${escapeShellArg cert-cfg.lifetime} \
  17             -noenc
  18           ${pkgs.coreutils}/bin/chown ${escapeShellArg cert-cfg.user} ${
  19             escapeShellArg key-path
  20           }
  21         fi
  22       '' + lib.optionalString cert-cfg.print ''
  23         echo Public certificate for ${escapeShellArg name}: >&2
  24         ${pkgs.coreutils}/bin/cat ${escapeShellArg pem-path} >&2
  25       '');
  26     };
  27 in {
  28   options = {
  29     chkno.make-certs = lib.mkOption {
  30       description = "Certificates to generate.";
  31       example = {
  32         send-email.user = "stunnel";
  33         send-print.user = "stunnel";
  34       };
  35       type = lib.types.attrsOf (lib.types.submodule {
  36         options = {
  37           dir = lib.mkOption {
  38             type = lib.types.str;
  39             description = "Where to put the certificate and key.";
  40             default = "/secrets";
  41           };
  42           lifetime = lib.mkOption {
  43             type = lib.types.str;
  44             description = "Lifetime of the generated certificate (in days).";
  45             # This doesn't yet include any notion of certificate rotation,
  46             # so just make really long-lived certificates for now.
  47             default = "99999";
  48           };
  49           print = lib.mkOption {
  50             type = lib.types.bool;
  51             description = "If set, print the certificate (public key) during activation.";
  52             default = false;
  53           };
  54           user = lib.mkOption {
  55             type = lib.types.str;
  56             description = "The username that owns (can read) the secret key.";
  57           };
  58         };
  59       });
  60     };
  61   };
  62   config = {
  63     system.activationScripts =
  64       lib.mapAttrs' mkActvationScript config.chkno.make-certs;
  65   };
  66 }