Personal Nix setup
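# Generates a self-signed CA and the leaf certificates listed below with cfssl,
# writing the results into the working tree.  Evaluates to the store path of a
# bash script ("genCerts") that the caller runs with $DIR set to the directory
# the relative "output" paths are resolved against (presumably the repository
# root — not visible from this file).
{ lib, pkgs, ... }:

with lib;
let
  cfssl = "${pkgs.cfssl}/bin/cfssl";
  cfssljson = "${pkgs.cfssl}/bin/cfssljson";

  # cfssl signing configuration.  Every profile carries the base usages;
  # "extra" adds profile-specific ones ("cert sign" for the CA-capable one).
  # All profiles share the same 10-year (87600h) validity.
  baseUsages = [ "signing" "key encipherment" "server auth" "client auth" ];
  mkProfile = { name, extra ? [ ] }:
    nameValuePair name {
      usages = extra ++ baseUsages;
      expiry = "87600h";
    };
  caConf = pkgs.writeText "ca-conf.json" (builtins.toJSON {
    signing.profiles = listToAttrs (map mkProfile [
      { name = "auth-only"; }
      { name = "auth-and-cert-sign"; extra = [ "cert sign" ]; }
    ]);
  });

  # CSR template: RSA-4096 key, CN only.  "hosts" is empty, so a certificate
  # gets no SAN entries unless the caller supplies them through "settings"
  # (cfssl gencert accepts -hostname for that).
  mkCSR = name: pkgs.writeText "csr.json" (builtins.toJSON {
    CN = name;
    key = { algo = "rsa"; size = 4096; };
    hosts = [ ];
  });

  # Renders the shell snippet that generates one certificate.
  #   name     - CN of the certificate and basename of the output files
  #   output   - directory, relative to $DIR, to write into
  #   settings - cfssl gencert flags: `true` becomes a bare "-flag",
  #              any other value "-flag=<toString value>"
  # The snippet is idempotent: it is skipped when "<output>/<name>.crt" exists.
  mkGenCertCommand = { name, output, settings }:
    let
      csr = mkCSR name;
      # One canonical "<output>/<name>" prefix for the existence check and
      # every produced file, so they can never disagree.
      target = "${output}/${name}";
      args = mapAttrsToList
        (attr: value:
          if value == true then "-${attr}" else "-${attr}=${toString value}")
        settings;
    in ''
      if [[ ! -f "${target}.crt" ]]; then
        mkdir -p "${output}"
        # cfssljson -bare writes <target>.csr, <target>-key.pem and <target>.pem
        ${cfssl} gencert ${escapeShellArgs args} \
          "${csr}" | ${cfssljson} -bare "${target}"
        rm "${target}.csr"
        mv "${target}-key.pem" "${target}.key"
        mv "${target}.pem" "${target}.crt"
      fi
    '';

  # Self-signed root, produced with "cfssl gencert -initca".
  # NOTE(review): its private key lands in modules/base/certs/ca.key inside the
  # working tree; whether that path is kept out of version control and out of
  # the Nix store is not visible from this file — confirm.
  caCertificate = {
    name = "ca";
    output = "modules/base/certs/";
    settings.initca = true;
  };

  # Leaf certificates, each signed by caCertificate with the named profile.
  certificates = [
    {
      name = "mqtt";
      output = "modules/automation/certs/";
      settings = {
        profile = "auth-only";
        config = caConf;
        ca = with caCertificate; "${output}/${name}.crt";
        ca-key = with caCertificate; "${output}/${name}.key";
      };
    }
  ];
in
toString (pkgs.writers.writeBash "genCerts" ''
  # -u: an unset $DIR must fail instead of silently writing keys into the CWD;
  # -o pipefail: a failing cfssl must not be masked by cfssljson's exit status.
  set -euo pipefail
  cd "$DIR"
  ${mkGenCertCommand caCertificate}
  ${concatStringsSep "\n" (map mkGenCertCommand certificates)}
'')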