--- /dev/null
+{ lib, config, pkgs, ... }:
+let
+ inherit (lib) escapeShellArg;
+ mkActvationScript = name: cert-cfg:
+ let
+ pem-path = "${cert-cfg.dir}/${name}.pem";
+ key-path = "${cert-cfg.dir}/${name}.key";
+ in {
+ name = "make-cert-${name}";
+ value = ''
+ if [[ ! -e ${escapeShellArg pem-path} ]];then
+ ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg cert-cfg.dir}
+ ${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa:4096 \
+ -keyout ${escapeShellArg key-path} \
+ -out ${escapeShellArg pem-path} \
+ -days ${escapeShellArg cert-cfg.lifetime} \
+ -noenc
+ ${pkgs.coreutils}/bin/chown ${escapeShellArg cert-cfg.user} ${
+ escapeShellArg key-path
+ }
+ fi
+ '';
+ };
+in {
+ options = {
+ chkno.make-certs = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ dir = lib.mkOption {
+ type = lib.types.str;
+ description = "Where to put the certificate and key.";
+ default = "/secrets";
+ };
+ lifetime = lib.mkOption {
+ type = lib.types.str;
+ description = "Lifetime of the generated certificate (in days).";
+ # This doesn't yet include any notion of certificate rotation,
+ # so just make really long-lived certificates for now.
+ default = "99999";
+ };
+ user = lib.mkOption {
+ type = lib.types.str;
+ description = "The username that owns (can read) the secret key.";
+ };
+ };
+ });
+ };
+ };
+ config = {
+ system.activationScripts =
+ lib.mapAttrs' mkActvationScript config.chkno.make-certs;
+ };
+}
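Review bot: The private key's mode is never set explicitly — the script only `chown`s `key-path` to `cert-cfg.user` (L19–L21) and relies on whatever mode `openssl req -keyout` happens to use (0600 in my experience, but that is an assumption) and on the activation umask for the `mkdir -p` on L13; add `${pkgs.coreutils}/bin/chmod 0600 ${escapeShellArg key-path}` after the chown and consider `mkdir -p -m 0750` so the key's readability does not depend on defaults. Separately, the `chown` requires `cert-cfg.user` to already exist, yet a bare-string activation script declares no `deps`, so NixOS may run `make-cert-*` before its `users` script on a fresh system and the chown fails; returning `value = { deps = [ "users" ]; text = ''…''; };` instead of a plain string expresses that ordering. The activation framework also does not stop on a failed command, so an `openssl req` that errors (e.g. an OpenSSL build without `-noenc`) still reaches the chown with no key present; a `set -e` at the top of the snippet, or an explicit `|| exit 1`, would surface that. Finally, `mkActvationScript` is missing the `i` in "Activation", and because the certificate is produced with `-batch` and no `-subj`/SAN it is only usable by peers that pin it by fingerprint — worth stating in the option `description` alongside the no-rotation caveat.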