nix packages for repo scripts, automatic SAN for self-signed cert, and ed25519

2026-04-13 09:39:29 +02:00 · 2026-04-13 09:39:29 +02:00 · c23d734e09
commit c23d734e09
parent 635372c80e
7 changed files with 96 additions and 73 deletions
--- a/packages/gen-tls-cert.nix
+++ b/packages/gen-tls-cert.nix
@ -0,0 +1,57 @@
+# Generates a self-signed CA and a server TLS cert covering all `.lan` domains
+# defined in var/default.nix.
+{
+  pkgs,
+  agenix-pkg,
+  san,
+}:
+pkgs.writeShellApplication {
+  name = "gen-tls-cert";
+  runtimeInputs = [
+    pkgs.openssl
+    agenix-pkg
+  ];
+  text = ''
+    # ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
+    tmp=$(mktemp -d)
+    trap 'rm -rf -- "$tmp"' EXIT
+
+    openssl req -x509 -nodes \
+        -newkey ed25519 \
+        -keyout "$tmp/ca.key" \
+        -days 365 \
+        -out "$tmp/ca.cert" \
+        -subj '/CN=hd_root'
+
+    rm secrets/tlskey.age
+    openssl req -nodes \
+        -newkey ed25519 \
+        -keyout - \
+        -out "$tmp/server.csr" \
+        -subj '/CN=lan' \
+        | agenix -e secrets/tlskey.age
+
+    # SAN list is derived from var/default.nix (lan-dns.hosts).
+    san="${san}"
+    echo "SAN: $san"
+
+    cat > "$tmp/extfile" << EOF
+    subjectAltName=$san
+    authorityKeyIdentifier=keyid,issuer
+    basicConstraints=CA:FALSE
+    keyUsage=digitalSignature,keyEncipherment
+    extendedKeyUsage=serverAuth
+    EOF
+
+    openssl x509 -req \
+        -CA "$tmp/ca.cert" \
+        -CAkey "$tmp/ca.key" \
+        -in "$tmp/server.csr" \
+        -out pki/server.cert \
+        -days 365 \
+        -CAcreateserial \
+        -extfile "$tmp/extfile"
+
+    mv "$tmp/ca.cert" pki/ca.cert
+  '';
+}