nix packages for repo scripts, automatic SAN for self-signed cert, and ed25519
This commit is contained in:
parent
635372c80e
commit
c23d734e09
GPG key ID:
CECE85C316C78D5F
7 changed files with 96 additions and 73 deletions
|
|
@ -1,7 +1,15 @@
|
|||
{ inputs, system }:
|
||||
let
|
||||
pkgs = inputs.nixpkgs.legacyPackages.${system};
|
||||
inherit (inputs.nixpkgs) lib;
|
||||
var = import ../var { inherit lib; };
|
||||
|
||||
agenix-pkg = inputs.agenix.packages.${system}.default;
|
||||
|
||||
san = builtins.concatStringsSep "," (map (d: "DNS:" + d) (builtins.attrNames var.lan-dns.hosts));
|
||||
in
|
||||
{
|
||||
supernote-tool = pkgs.callPackage ./supernote-tool.nix { };
|
||||
gen-tls-cert = pkgs.callPackage ./gen-tls-cert.nix { inherit agenix-pkg san; };
|
||||
gen-syncthing-cert = pkgs.callPackage ./gen-syncthing-cert.nix { inherit agenix-pkg; };
|
||||
}
|
||||
|
|
|
|||
14
packages/gen-syncthing-cert.nix
Normal file
14
packages/gen-syncthing-cert.nix
Normal file
|
|
@ -0,0 +1,14 @@
|
|||
# Generates Syncthing TLS certs for managed hosts that don't have one.
|
||||
{
|
||||
pkgs,
|
||||
agenix-pkg,
|
||||
}:
|
||||
pkgs.writeShellApplication {
|
||||
name = "gen-syncthing-cert";
|
||||
runtimeInputs = [
|
||||
pkgs.jq
|
||||
pkgs.syncthing
|
||||
agenix-pkg
|
||||
];
|
||||
text = builtins.readFile ../bin/gen-syncthing-cert;
|
||||
}
|
||||
57
packages/gen-tls-cert.nix
Normal file
57
packages/gen-tls-cert.nix
Normal file
|
|
@ -0,0 +1,57 @@
|
|||
# Generates a self-signed CA and a server TLS cert covering all `.lan` domains
|
||||
# defined in var/default.nix.
|
||||
{
|
||||
pkgs,
|
||||
agenix-pkg,
|
||||
san,
|
||||
}:
|
||||
pkgs.writeShellApplication {
|
||||
name = "gen-tls-cert";
|
||||
runtimeInputs = [
|
||||
pkgs.openssl
|
||||
agenix-pkg
|
||||
];
|
||||
text = ''
|
||||
# ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
|
||||
tmp=$(mktemp -d)
|
||||
trap 'rm -rf -- "$tmp"' EXIT
|
||||
|
||||
openssl req -x509 -nodes \
|
||||
-newkey ed25519 \
|
||||
-keyout "$tmp/ca.key" \
|
||||
-days 365 \
|
||||
-out "$tmp/ca.cert" \
|
||||
-subj '/CN=hd_root'
|
||||
|
||||
rm secrets/tlskey.age
|
||||
openssl req -nodes \
|
||||
-newkey ed25519 \
|
||||
-keyout - \
|
||||
-out "$tmp/server.csr" \
|
||||
-subj '/CN=lan' \
|
||||
| agenix -e secrets/tlskey.age
|
||||
|
||||
# SAN list is derived from var/default.nix (lan-dns.hosts).
|
||||
san="${san}"
|
||||
echo "SAN: $san"
|
||||
|
||||
cat > "$tmp/extfile" << EOF
|
||||
subjectAltName=$san
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
basicConstraints=CA:FALSE
|
||||
keyUsage=digitalSignature,keyEncipherment
|
||||
extendedKeyUsage=serverAuth
|
||||
EOF
|
||||
|
||||
openssl x509 -req \
|
||||
-CA "$tmp/ca.cert" \
|
||||
-CAkey "$tmp/ca.key" \
|
||||
-in "$tmp/server.csr" \
|
||||
-out pki/server.cert \
|
||||
-days 365 \
|
||||
-CAcreateserial \
|
||||
-extfile "$tmp/extfile"
|
||||
|
||||
mv "$tmp/ca.cert" pki/ca.cert
|
||||
'';
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue