There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging
{
|
|
lib,
|
|
pkgs,
|
|
config,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib) mkOption types;
|
|
inherit (pkgs) liminix;
|
|
in
|
|
{
|
|
options = {
|
|
system.service.tls-certificate = {
|
|
certifix-client = mkOption {
|
|
type = liminix.lib.types.serviceDefn;
|
|
};
|
|
};
|
|
};
|
|
config.system.service.tls-certificate.certifix-client =
|
|
config.system.callService ./certifix-client.nix
|
|
{
|
|
# this is probably read from files on the build machine,
|
|
# but are not named with ...File suffix because they are
|
|
# not files on the device (they get embedded into the store)
|
|
caCertificate = mkOption {
|
|
description = "CA certificate in PEM format. This must be the same CA as that which signed the certificate of the Certifix server";
|
|
type = types.str;
|
|
};
|
|
secret = mkOption {
|
|
description = "The shared secret to embed in signing request. This must match the secret configured in the Certifix service, otherwise it will refuse to sign the CSR.";
|
|
type = types.str;
|
|
};
|
|
subject = mkOption {
|
|
description = "Subject of the certificate request, as an X509 DN. The CN ('Common Name') you provide here is also used as the value of the SubjectAlternativeName extension.";
|
|
type = types.str;
|
|
example = "C=GB,ST=London,O=Liminix,OU=IT,CN=myhostname";
|
|
};
|
|
serviceUrl = mkOption {
|
|
description = "Certifix server endpoint URL";
|
|
type = types.str;
|
|
example = "https://certifix.lan:19613/sign";
|
|
};
|
|
};
|
|
|
|
}
|