Basic functionality

[nixos-make-certs] / modules / make-certs.nix

{ lib, config, pkgs, ... }:
let
  inherit (lib) escapeShellArg;
  mkActvationScript = name: cert-cfg:
    let
      pem-path = "${cert-cfg.dir}/${name}.pem";
      key-path = "${cert-cfg.dir}/${name}.key";
    in {
      name = "make-cert-${name}";
      value = ''
        if [[ ! -e ${escapeShellArg pem-path} ]];then
          ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg cert-cfg.dir}
          ${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa:4096 \
            -keyout ${escapeShellArg key-path} \
            -out ${escapeShellArg pem-path} \
            -days ${escapeShellArg cert-cfg.lifetime} \
            -noenc
          ${pkgs.coreutils}/bin/chown ${escapeShellArg cert-cfg.user} ${
            escapeShellArg key-path
          }
        fi
      '';
    };
in {
  options = {
    chkno.make-certs = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        options = {
          dir = lib.mkOption {
            type = lib.types.str;
            description = "Where to put the certificate and key.";
            default = "/secrets";
          };
          lifetime = lib.mkOption {
            type = lib.types.str;
            description = "Lifetime of the generated certificate (in days).";
            # This doesn't yet include any notion of certificate rotation,
            # so just make really long-lived certificates for now.
            default = "99999";
          };
          user = lib.mkOption {
            type = lib.types.str;
            description = "The username that owns (can read) the secret key.";
          };
        };
      });
    };
  };
  config = {
    system.activationScripts =
      lib.mapAttrs' mkActvationScript config.chkno.make-certs;
  };
}