raboof/liminix
1
0
Fork 0
forked from dan/liminix
Code Pull Requests Activity

add module for certifix-client

Browse Source
This commit is contained in:
Daniel Barlow 2024-10-06 11:27:39 +01:00
parent 1a915e91ff
commit 493c5f69d7
2 changed files with 61 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
modules/tls-certificate/certifix-client.nix Normal file
View File

@ -0,0 +1,21 @@
{ liminix, certifix-client, svc, lib, writeText, serviceFns }:
{
caCertificate,
secret,
subject,
serviceUrl
}:
let
inherit (builtins) filter isString split;
inherit (liminix.services) oneshot;
name = "certifix-${lib.strings.sanitizeDerivationName subject}";
caCertFile = writeText "ca.crt" caCertificate;
secretFile = writeText "secret" secret;
in oneshot {
inherit name;
up = ''
(in_outputs ${name}
SSL_CA_CERT_FILE=${caCertFile} ${certifix-client}/bin/certifix-client --subject ${subject} --secret ${secretFile} --key-out key --certificate-out cert ${serviceUrl}
)
'';
}

40
modules/tls-certificate/default.nix Normal file
View File

@ -0,0 +1,40 @@
{ lib, pkgs, config, ...}:
let
inherit (lib) mkOption types;
inherit (pkgs) liminix;
in
{
options = {
system.service.tls-certificate = {
certifix-client = mkOption {
type = liminix.lib.types.serviceDefn;
};
};
};
config.system.service.tls-certificate.certifix-client =
config.system.callService ./certifix-client.nix {
# this is probably read from files on the build machine,
# but are not named with ...File suffix because they are
# not files on the device (they get embedded into the store)
caCertificate = mkOption {
description = "CA certificate in PEM format. This must be the same CA as that which signed the certificate of the Certifix server";
type = types.str;
};
secret = mkOption {
description = "The shared secret to embed in signing request. This must match the secret configured in the Certifix service, otherwise it will refuse to sign the CSR.";
type = types.str;
};
subject = mkOption {
description = "Subject of the certificate request, as an X509 DN. The CN ('Common Name') you provide here is also used as the value of the SubjectAlternativeName extension.";
type = types.str;
example = "C=GB,ST=London,O=Liminix,OU=IT,CN=myhostname";
};
serviceUrl = mkOption {
description = "Certifix server endpoint URL";
type = types.str;
example = "https://certifix.lan:19613/sign";
};
};
}