hd/cfg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nix packages for repo scripts, automatic SAN for self-signed cert, and ed25519

Browse source
This commit is contained in:
Henri Dohmen 2026-04-13 09:39:29 +02:00
parent 635372c80e
commit c23d734e09
Signed by: hd
GPG key ID: CECE85C316C78D5F
7 changed files with 96 additions and 73 deletions
Download patch file Download diff file Expand all files Collapse all files

38
bin/gen-tls-cert
View file

@ -1,38 +0,0 @@
#!/bin/sh
tmp=$(mktemp -d)
trap 'rm -rf -- "$tmp"' EXIT
# ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
openssl req -x509 -nodes \
-newkey RSA:2048 \
-keyout "$tmp/ca.key" \
-days 365 \
-out "$tmp/ca.cert" \
-subj '/CN=hd_root'
rm secrets/tlskey.age
openssl req -nodes \
-newkey rsa:2048 \
-keyout - \
-out "$tmp/server.csr" \
-subj '/CN=lan' \
| agenix -e secrets/tlskey.age
cat > "$tmp/extfile" << EOF
subjectAltName=DNS:roam.lan,DNS:*.roam.lan,DNS:git.lan
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF
openssl x509 -req \
-CA "$tmp/ca.cert" \
-CAkey "$tmp/ca.key" \
-in "$tmp/server.csr" \
-out pki/server.cert \
-days 365 \
-CAcreateserial \
-extfile "$tmp/extfile"
mv "$tmp/ca.cert" pki/ca.cert

8
packages/default.nix
View file

@ -1,7 +1,15 @@
{ inputs, system }: { inputs, system }:
let let
pkgs = inputs.nixpkgs.legacyPackages.${system}; pkgs = inputs.nixpkgs.legacyPackages.${system};
inherit (inputs.nixpkgs) lib;
var = import ../var { inherit lib; };
agenix-pkg = inputs.agenix.packages.${system}.default;
san = builtins.concatStringsSep "," (map (d: "DNS:" + d) (builtins.attrNames var.lan-dns.hosts));
in in
{ {
supernote-tool = pkgs.callPackage ./supernote-tool.nix { }; supernote-tool = pkgs.callPackage ./supernote-tool.nix { };
gen-tls-cert = pkgs.callPackage ./gen-tls-cert.nix { inherit agenix-pkg san; };
gen-syncthing-cert = pkgs.callPackage ./gen-syncthing-cert.nix { inherit agenix-pkg; };
} }

14
packages/gen-syncthing-cert.nix Normal file
View file

@ -0,0 +1,14 @@
# Generates Syncthing TLS certs for managed hosts that don't have one.
{
pkgs,
agenix-pkg,
}:
pkgs.writeShellApplication {
name = "gen-syncthing-cert";
runtimeInputs = [
pkgs.jq
pkgs.syncthing
agenix-pkg
];
text = builtins.readFile ../bin/gen-syncthing-cert;
}

57
packages/gen-tls-cert.nix Normal file
View file

@ -0,0 +1,57 @@
# Generates a self-signed CA and a server TLS cert covering all `.lan` domains
# defined in var/default.nix.
{
pkgs,
agenix-pkg,
san,
}:
pkgs.writeShellApplication {
name = "gen-tls-cert";
runtimeInputs = [
pkgs.openssl
agenix-pkg
];
text = ''
# ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
tmp=$(mktemp -d)
trap 'rm -rf -- "$tmp"' EXIT
openssl req -x509 -nodes \
-newkey ed25519 \
-keyout "$tmp/ca.key" \
-days 365 \
-out "$tmp/ca.cert" \
-subj '/CN=hd_root'
rm secrets/tlskey.age
openssl req -nodes \
-newkey ed25519 \
-keyout - \
-out "$tmp/server.csr" \
-subj '/CN=lan' \
| agenix -e secrets/tlskey.age
# SAN list is derived from var/default.nix (lan-dns.hosts).
san="${san}"
echo "SAN: $san"
cat > "$tmp/extfile" << EOF
subjectAltName=$san
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF
openssl x509 -req \
-CA "$tmp/ca.cert" \
-CAkey "$tmp/ca.key" \
-in "$tmp/server.csr" \
-out pki/server.cert \
-days 365 \
-CAcreateserial \
-extfile "$tmp/extfile"
mv "$tmp/ca.cert" pki/ca.cert
'';
}

24
pki/ca.cert
View file

@ -1,19 +1,9 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDBTCCAe2gAwIBAgIUOp5TCMV734ZH8n7S9qMstDeLUgAwDQYJKoZIhvcNAQEL MIIBODCB66ADAgECAhQ4YPfjqFPYvxNpArFa8DXX/5AGYTAFBgMrZXAwEjEQMA4G
BQAwEjEQMA4GA1UEAwwHaGRfcm9vdDAeFw0yNjAxMzExMjA3MzhaFw0yNzAxMzEx A1UEAwwHaGRfcm9vdDAeFw0yNjA0MTMwNzM4MjlaFw0yNzA0MTMwNzM4MjlaMBIx
MjA3MzhaMBIxEDAOBgNVBAMMB2hkX3Jvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB EDAOBgNVBAMMB2hkX3Jvb3QwKjAFBgMrZXADIQA30s20SD69tXyipehHTavLJE2O
DwAwggEKAoIBAQCry5pMvP7Bm3nypYbD4E1RR5Gyu2CkatkRSRBK39NvfkX7GOLJ oXkLP2IXOn5YUUpq0aNTMFEwHQYDVR0OBBYEFIgaWzsBNlRO30Bh21lazfWI7p95
9bWDRDNUj6bw97ZyhCbw7ySV3KI5XfWfy9HWqJtEca3qGg0AwOxuke4Bhl11mb52 MB8GA1UdIwQYMBaAFIgaWzsBNlRO30Bh21lazfWI7p95MA8GA1UdEwEB/wQFMAMB
RvU3y8qYLw5imvqKoX5iARmf+o6mk9cu0IFOTypRjgVEeTPM+i65qvwPs+estAl9 Af8wBQYDK2VwA0EAKlQ0gkZ94OgOcu9Y/UU2zEjioduIL9A5dfsHAYd0Qp2RZPuE
bW7MrxN07hIzDvDWaXnYkIL+3TOXHq+zldD/5f5L17F3XHGUK2yKXBahcdcL2gdj QjA/82pBPyrz0ZrDFcSOV2Ii13ZyDc6Spev3CA==
eXCb6mXdNmp6dD6CXVSY8EBFjoJyYHAfn13c3f29lIItQU2r8wWt/irNpf5pl7r2
qyrzDB4q4L5QGhKkZhs05rU6YTReLPKAAl2XAgMBAAGjUzBRMB0GA1UdDgQWBBRk
r8YAWbZlBTwJQhL2gAyzEk/dhTAfBgNVHSMEGDAWgBRkr8YAWbZlBTwJQhL2gAyz
Ek/dhTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA1LDP92xo4
iOIvXZ0uVqR95/2QaB0zARvqP6nJ9XtfyyeDj8fF/iPz0/2FO8Svkba/5ZlEpr19
49PQ1ufkCVhJTh1aCkJLjmiyYeBZXFRjbw7Tr3O9f9Pe8Ud01nwHyaLl3GHaacL1
DGjSIpEbkS6zxDxfwhzqXnqKvT37Gcy+hpmMkRX7a3RyYg696azAd+bTjxKpCqmC
iL0YrH4cnQ8sbKklKNxjjRVAjzWQ7BhPcIXABauNgIOvHHDe7NWcAEMMca5Fcmja
tRsMLlfwyBM4YgRi9dq66C+LU+LuzBF5L0WTcwf8mXJDieE53A/4D0fig7+nkJrM
8sWed8nJa0FF
-----END CERTIFICATE----- -----END CERTIFICATE-----

28
pki/server.cert
View file

@ -1,20 +1,12 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDSTCCAjGgAwIBAgIUFoZzGii77TrKqg6r5NgmrqGNb8UwDQYJKoZIhvcNAQEL MIIBsTCCAWOgAwIBAgIUGpf4cVZ+bxPjhAFAyl8jQ1sNQa8wBQYDK2VwMBIxEDAO
BQAwEjEQMA4GA1UEAwwHaGRfcm9vdDAeFw0yNjAxMzExMjA3MzlaFw0yNzAxMzEx BgNVBAMMB2hkX3Jvb3QwHhcNMjYwNDEzMDczODI5WhcNMjcwNDEzMDczODI5WjAO
MjA3MzlaMA4xDDAKBgNVBAMMA2xhbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC MQwwCgYDVQQDDANsYW4wKjAFBgMrZXADIQAhLd5unI9G7uHqr6BsqDCMJLw/N8JF
AQoCggEBAJmkEtAdsqVR8zVVoGgVL351Z5spsDbkjYGqM83XN6Edkx33c64FuoOY xYUpaCdkqkKhg6OBzjCByzBcBgNVHREEVTBTggZjMi5sYW6CBmZ3LmxhboIHZ2l0
MpD/NqoC7eReQGJ3Oz6cjF+Oe35gO1jyJsQmsjCFVyzyihDjtczGAE6SoaS67kaq LmxhboIHcWJ0LmxhboIIcm9hbS5sYW6CB3Jzcy5sYW6CCHNvbG8ubGFughJzeW5j
w2K54myAGo2ESKkzU776gZM0/V44tJuJVWBumxWHmajSgsAdBCGIUKSJJolJvt90 dGhpbmcucm9hbS5sYW4wHwYDVR0jBBgwFoAUiBpbOwE2VE7fQGHbWVrN9Yjun3kw
ghyuoTLS9u1B2wtNvhvWHEwpzCOV3LwWraroDHYXL2tKTMrpqpj6lev/8t9gIPCM CQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHQYD
/q2oN0ILSPyScpuQHP0/Aky9kPycw3EdiTNPqh2UnI/2pw0LNHa3F3dp/f47kqSd VR0OBBYEFBlYz2gpphVvl3ofllfEX++VXFOqMAUGAytlcANBAJoI695qXQ2fjG3q
DlXLkveKPgJLRIbxCJGdgvoacGMce0MCAwEAAaOBmjCBlzAoBgNVHREEITAfgghy 2iK8FfjBEdvkrp6VK8xV12WjxZi19X5FhbY9FvRj/ZeM8yhUFKH9uBWjkqd8LuX2
b2FtLmxhboIKKi5yb2FtLmxhboIHZ2l0LmxhbjAfBgNVHSMEGDAWgBRkr8YAWbZl iHM7vQ0=
BTwJQhL2gAyzEk/dhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAK
BggrBgEFBQcDATAdBgNVHQ4EFgQUNLp+qukOiO3z/cfjk4fBalMnOswwDQYJKoZI
hvcNAQELBQADggEBAFoDA+AHIdBUtpTa1bVXSy4Y53Kn2OMopA47qxY+sgXS0UGx
2fz7dyhy68AG3V5VnVKpnNAjJdeZdQww3N7KNmjsoI+p5mS+AHucLcMLJaqFaA0t
+jyLepQFdeh2/VkmbIwFQW+T/oBoCP4i4tkmaa/9mKSkbEOAadcucg7viqmRKN/b
DJNMkhiahpCATpxRno8ybUzn907UTKBQOseZMW53ecKkgcPQOF6apsM7+/jXkOrO
D9QeVWCdLLAnpLlubqbuGxPjI0RbLHXwKFayRwKEMj3Gn9njqcZfkVM3QJHc8Pn9
eADOacl+F1jPO2nTTOQ9tZzfyHW4Gd5tpWqpEb8=
-----END CERTIFICATE----- -----END CERTIFICATE-----

BIN
secrets/tlskey.age
View file

Binary file not shown.