From: Scott Worley Date: Thu, 25 Sep 2025 21:55:32 +0000 (-0700) Subject: Basic functionality X-Git-Url: http://git.scottworley.com/nixos-make-certs/commitdiff_plain/dad9797b611fc18b5fff3fdaa3fffe0cc012d467?ds=sidebyside Basic functionality
--- dad9797b611fc18b5fff3fdaa3fffe0cc012d467
diff --git a/modules/make-certs.nix b/modules/make-certs.nix
new file mode 100644
index 0000000..812c5a0
--- /dev/null
+++ b/modules/make-certs.nix
@@ -0,0 +1,53 @@
+{ lib, config, pkgs, ... }:
+let
+ inherit (lib) escapeShellArg;
+ mkActvationScript = name: cert-cfg:
+ let
+ pem-path = "${cert-cfg.dir}/${name}.pem";
+ key-path = "${cert-cfg.dir}/${name}.key";
+ in {
+ name = "make-cert-${name}";
+ value = ''
+ if [[ ! -e ${escapeShellArg pem-path} ]];then
+ ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg cert-cfg.dir}
+ ${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa:4096 \
+ -keyout ${escapeShellArg key-path} \
+ -out ${escapeShellArg pem-path} \
+ -days ${escapeShellArg cert-cfg.lifetime} \
+ -noenc
+ ${pkgs.coreutils}/bin/chown ${escapeShellArg cert-cfg.user} ${
+ escapeShellArg key-path
+ }
+ fi
+ '';
+ };
+in {
+ options = {
+ chkno.make-certs = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ dir = lib.mkOption {
+ type = lib.types.str;
+ description = "Where to put the certificate and key.";
+ default = "/secrets";
+ };
+ lifetime = lib.mkOption {
+ type = lib.types.str;
+ description = "Lifetime of the generated certificate (in days).";
+ # This doesn't yet include any notion of certificate rotation,
+ # so just make really long-lived certificates for now.
+ default = "99999";
+ };
+ user = lib.mkOption {
+ type = lib.types.str;
+ description = "The username that owns (can read) the secret key.";
+ };
+ };
+ });
+ };
+ };
+ config = {
+ system.activationScripts =
+ lib.mapAttrs' mkActvationScript config.chkno.make-certs;
+ };
+}
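Review bot: The `openssl req` invocation in the activation script passes neither `-subj` nor a subjectAltName, so under `-batch` the certificate's subject appears to come from whatever defaults the openssl.cnf shipped with `pkgs.openssl` provides and it carries no SAN at all; a TLS client that verifies the peer name will reject such a certificate, so the module only works for consumers that disable verification. Since the attribute name already determines the file name, the cheapest fix is to derive the identity from it with `-subj ${escapeShellArg "/CN=${name}"} \` and `-addext ${escapeShellArg "subjectAltName=DNS:${name}"} \` ahead of `-noenc`, or better, expose `subject`/`sans` options on the submodule so the name is not forced to be a hostname. Two smaller points: the guard only tests the `.pem`, so a `.key` that is missing or got lost next to an existing `.pem` is never regenerated — `if [[ ! -e ${escapeShellArg pem-path} || ! -e ${escapeShellArg key-path} ]]; then` covers both halves of the pair; and the key's restrictive mode relies on openssl's default behaviour when writing a private key while `mkdir -p` creates the directory under the activation umask, so I would pin both explicitly with a `chmod 0600` on the key next to the `chown` and `mkdir -p -m 0700` for the directory, and document in the `user` option description that the key is made readable by that user only. Note also that `-noenc` is the OpenSSL 3 spelling; `-nodes` is the form accepted by both 1.1 and 3, should this module ever need to evaluate against an older `pkgs.openssl`.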