From 493c5f69d7d36e6b651bea0c133e675239bccc94 Mon Sep 17 00:00:00 2001
From: Daniel Barlow
Date: Sun, 6 Oct 2024 11:27:39 +0100
Subject: [PATCH] add module for certifix-client
---
 modules/tls-certificate/certifix-client.nix | 21 +++++++++++
 modules/tls-certificate/default.nix | 40 +++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 modules/tls-certificate/certifix-client.nix
 create mode 100644 modules/tls-certificate/default.nix
diff --git a/modules/tls-certificate/certifix-client.nix b/modules/tls-certificate/certifix-client.nix
new file mode 100644
index 0000000..f90af27
--- /dev/null
+++ b/modules/tls-certificate/certifix-client.nix
@@ -0,0 +1,21 @@
+{ liminix, certifix-client, svc, lib, writeText, serviceFns }:
+{
+ caCertificate,
+ secret,
+ subject,
+ serviceUrl
+}:
+let
+ inherit (builtins) filter isString split;
+ inherit (liminix.services) oneshot;
+ name = "certifix-${lib.strings.sanitizeDerivationName subject}";
+ caCertFile = writeText "ca.crt" caCertificate;
+ secretFile = writeText "secret" secret;
+in oneshot {
+ inherit name;
+ up = ''
+ (in_outputs ${name}
+ SSL_CA_CERT_FILE=${caCertFile} ${certifix-client}/bin/certifix-client --subject ${subject} --secret ${secretFile} --key-out key --certificate-out cert ${serviceUrl}
+ )
+ '';
+}
diff --git a/modules/tls-certificate/default.nix b/modules/tls-certificate/default.nix
new file mode 100644
index 0000000..e69cdbe
--- /dev/null
+++ b/modules/tls-certificate/default.nix
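Review bot: `${subject}` and `${serviceUrl}` are interpolated unquoted into the shell command in `up`, so a DN containing a space (for example `O=Acme Corp`) is split into several arguments and certifix-client receives a truncated subject; `lib` is already a parameter, so `--subject ${lib.escapeShellArg subject}` and `${lib.escapeShellArg serviceUrl}` would fix this. Separately, `secretFile = writeText "secret" secret` copies the shared secret into the Nix store, which is normally world-readable on the build machine and, since the store is embedded into the device image, on the device as well; if that is not acceptable for this deployment, the module should take a path to a file that exists only on the device instead of the secret's contents. The `inherit (builtins) filter isString split;` line and the `svc` and `serviceFns` parameters are unused and can be dropped.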
@@ -0,0 +1,40 @@
+
+{ lib, pkgs, config, ...}:
+let
+ inherit (lib) mkOption types;
+ inherit (pkgs) liminix;
+in
+{
+ options = {
+ system.service.tls-certificate = {
+ certifix-client = mkOption {
+ type = liminix.lib.types.serviceDefn;
+ };
+ };
+ };
+ config.system.service.tls-certificate.certifix-client =
+ config.system.callService ./certifix-client.nix {
+ # this is probably read from files on the build machine,
+ # but are not named with ...File suffix because they are
+ # not files on the device (they get embedded into the store)
+ caCertificate = mkOption {
+ description = "CA certificate in PEM format. This must be the same CA as that which signed the certificate of the Certifix server";
+ type = types.str;
+ };
+ secret = mkOption {
+ description = "The shared secret to embed in signing request. This must match the secret configured in the Certifix service, otherwise it will refuse to sign the CSR.";
+ type = types.str;
+ };
+ subject = mkOption {
+ description = "Subject of the certificate request, as an X509 DN. The CN ('Common Name') you provide here is also used as the value of the SubjectAlternativeName extension.";
+ type = types.str;
+ example = "C=GB,ST=London,O=Liminix,OU=IT,CN=myhostname";
+ };
+ serviceUrl = mkOption {
+ description = "Certifix server endpoint URL";
+ type = types.str;
+ example = "https://certifix.lan:19613/sign";
+ };
+ };
+
+}
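Review bot: The description of the `secret` option does not tell the user where the value ends up: certifix-client.nix passes it through `writeText`, so it is stored in plain text in the Nix store and in the device image, and the three-line comment above `caCertificate` only hints at this for someone reading the source. Suggest appending to that description: `Note: this value is embedded verbatim in the Nix store and the device image, so anyone who can read either can recover it.` The `serviceUrl` description could also state that the CA certificate is presumably only used to verify the server over https (the `SSL_CA_CERT_FILE` variable in certifix-client.nix suggests this), so an http URL would send the secret unencrypted; worth confirming against certifix-client before documenting it.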