nix packages for repo scripts, automatic SAN for self-signed cert, and ed25519
This commit is contained in:
parent
635372c80e
commit
c23d734e09
7 changed files with 96 additions and 73 deletions
@ -1,38 +0,0 @@
|
|||
#!/bin/sh
|
||||
tmp=$(mktemp -d)
|
||||
trap 'rm -rf -- "$tmp"' EXIT
|
||||
|
||||
# ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
|
||||
openssl req -x509 -nodes \
|
||||
-newkey RSA:2048 \
|
||||
-keyout "$tmp/ca.key" \
|
||||
-days 365 \
|
||||
-out "$tmp/ca.cert" \
|
||||
-subj '/CN=hd_root'
|
||||
|
||||
rm secrets/tlskey.age
|
||||
openssl req -nodes \
|
||||
-newkey rsa:2048 \
|
||||
-keyout - \
|
||||
-out "$tmp/server.csr" \
|
||||
-subj '/CN=lan' \
|
||||
| agenix -e secrets/tlskey.age
|
||||
|
||||
cat > "$tmp/extfile" << EOF
|
||||
subjectAltName=DNS:roam.lan,DNS:*.roam.lan,DNS:git.lan
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
basicConstraints=CA:FALSE
|
||||
keyUsage=digitalSignature,keyEncipherment
|
||||
extendedKeyUsage=serverAuth
|
||||
EOF
|
||||
|
||||
openssl x509 -req \
|
||||
-CA "$tmp/ca.cert" \
|
||||
-CAkey "$tmp/ca.key" \
|
||||
-in "$tmp/server.csr" \
|
||||
-out pki/server.cert \
|
||||
-days 365 \
|
||||
-CAcreateserial \
|
||||
-extfile "$tmp/extfile"
|
||||
|
||||
mv "$tmp/ca.cert" pki/ca.cert
|
||||
|
|
@ -1,7 +1,15 @@
|
|||
{ inputs, system }:
|
||||
let
|
||||
pkgs = inputs.nixpkgs.legacyPackages.${system};
|
||||
inherit (inputs.nixpkgs) lib;
|
||||
var = import ../var { inherit lib; };
|
||||
|
||||
agenix-pkg = inputs.agenix.packages.${system}.default;
|
||||
|
||||
san = builtins.concatStringsSep "," (map (d: "DNS:" + d) (builtins.attrNames var.lan-dns.hosts));
|
||||
in
|
||||
{
|
||||
supernote-tool = pkgs.callPackage ./supernote-tool.nix { };
|
||||
gen-tls-cert = pkgs.callPackage ./gen-tls-cert.nix { inherit agenix-pkg san; };
|
||||
gen-syncthing-cert = pkgs.callPackage ./gen-syncthing-cert.nix { inherit agenix-pkg; };
|
||||
}
|
||||
|
14
packages/gen-syncthing-cert.nix
Normal file
14
packages/gen-syncthing-cert.nix
Normal file
|
|
@ -0,0 +1,14 @@
|
|||
# Generates Syncthing TLS certs for managed hosts that don't have one.
|
||||
{
|
||||
pkgs,
|
||||
agenix-pkg,
|
||||
}:
|
||||
pkgs.writeShellApplication {
|
||||
name = "gen-syncthing-cert";
|
||||
runtimeInputs = [
|
||||
pkgs.jq
|
||||
pkgs.syncthing
|
||||
agenix-pkg
|
||||
];
|
||||
text = builtins.readFile ../bin/gen-syncthing-cert;
|
||||
}
|
||||
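Review bot: `text = builtins.readFile ../bin/gen-syncthing-cert;` pulls the script body in from bin/, while gen-tls-cert.nix in the same commit inlines its script in `text`, so the two packages follow different conventions and the syncthing script itself is not reviewable from this diff. Either inline it the same way or add a comment above `text`, e.g. `# Script source is bin/gen-syncthing-cert; keep runtimeInputs in sync with the commands it calls.`, because `runtimeInputs` (jq, syncthing, agenix) is the only place the script's dependencies are declared and nothing here checks that the list still matches the script.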
57
packages/gen-tls-cert.nix
Normal file
57
packages/gen-tls-cert.nix
Normal file
|
|
@ -0,0 +1,57 @@
|
|||
# Generates a self-signed CA and a server TLS cert covering all `.lan` domains
|
||||
# defined in var/default.nix.
|
||||
{
|
||||
pkgs,
|
||||
agenix-pkg,
|
||||
san,
|
||||
}:
|
||||
pkgs.writeShellApplication {
|
||||
name = "gen-tls-cert";
|
||||
runtimeInputs = [
|
||||
pkgs.openssl
|
||||
agenix-pkg
|
||||
];
|
||||
text = ''
|
||||
# ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
|
||||
tmp=$(mktemp -d)
|
||||
trap 'rm -rf -- "$tmp"' EXIT
|
||||
|
||||
openssl req -x509 -nodes \
|
||||
-newkey ed25519 \
|
||||
-keyout "$tmp/ca.key" \
|
||||
-days 365 \
|
||||
-out "$tmp/ca.cert" \
|
||||
-subj '/CN=hd_root'
|
||||
|
||||
rm secrets/tlskey.age
|
||||
openssl req -nodes \
|
||||
-newkey ed25519 \
|
||||
-keyout - \
|
||||
-out "$tmp/server.csr" \
|
||||
-subj '/CN=lan' \
|
||||
| agenix -e secrets/tlskey.age
|
||||
|
||||
# SAN list is derived from var/default.nix (lan-dns.hosts).
|
||||
san="${san}"
|
||||
echo "SAN: $san"
|
||||
|
||||
cat > "$tmp/extfile" << EOF
|
||||
subjectAltName=$san
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
basicConstraints=CA:FALSE
|
||||
keyUsage=digitalSignature,keyEncipherment
|
||||
extendedKeyUsage=serverAuth
|
||||
EOF
|
||||
|
||||
openssl x509 -req \
|
||||
-CA "$tmp/ca.cert" \
|
||||
-CAkey "$tmp/ca.key" \
|
||||
-in "$tmp/server.csr" \
|
||||
-out pki/server.cert \
|
||||
-days 365 \
|
||||
-CAcreateserial \
|
||||
-extfile "$tmp/extfile"
|
||||
|
||||
mv "$tmp/ca.cert" pki/ca.cert
|
||||
'';
|
||||
}
|
||||
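Review bot: `keyUsage=digitalSignature,keyEncipherment` in the extfile no longer fits the `-newkey ed25519` server key: keyEncipherment is an RSA key-transport usage and RFC 8410 does not allow it on Ed25519 keys, so the line should become `keyUsage=digitalSignature`. The derived SAN list also silently drops the `DNS:*.roam.lan` entry the deleted bin script carried; unless `*.roam.lan` is itself a key of `lan-dns.hosts`, any name under roam.lan that is not listed there stops matching, so a comment next to `subjectAltName=$san` should say that wildcards must be added to var/default.nix, or the script should append them explicitly. Mainstream browsers generally do not negotiate Ed25519 signatures for TLS server certificates, and the cited Firefox reference suggests browsers are a target, so the server key may need to stay RSA or use `-newkey ec -pkeyopt ec_paramgen_curve:P-256` even if the CA stays Ed25519. Finally, `rm secrets/tlskey.age` runs before the replacement exists and writeShellApplication enables errexit, so a failure in the following `openssl req | agenix -e` pipeline leaves the repo with no tlskey.age at all; encrypting to a temporary path and moving it over the old file afterwards closes that window.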
24
pki/ca.cert
24
pki/ca.cert
|
|
@ -1,19 +1,9 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDBTCCAe2gAwIBAgIUOp5TCMV734ZH8n7S9qMstDeLUgAwDQYJKoZIhvcNAQEL
|
||||
BQAwEjEQMA4GA1UEAwwHaGRfcm9vdDAeFw0yNjAxMzExMjA3MzhaFw0yNzAxMzEx
|
||||
MjA3MzhaMBIxEDAOBgNVBAMMB2hkX3Jvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
|
||||
DwAwggEKAoIBAQCry5pMvP7Bm3nypYbD4E1RR5Gyu2CkatkRSRBK39NvfkX7GOLJ
|
||||
9bWDRDNUj6bw97ZyhCbw7ySV3KI5XfWfy9HWqJtEca3qGg0AwOxuke4Bhl11mb52
|
||||
RvU3y8qYLw5imvqKoX5iARmf+o6mk9cu0IFOTypRjgVEeTPM+i65qvwPs+estAl9
|
||||
bW7MrxN07hIzDvDWaXnYkIL+3TOXHq+zldD/5f5L17F3XHGUK2yKXBahcdcL2gdj
|
||||
eXCb6mXdNmp6dD6CXVSY8EBFjoJyYHAfn13c3f29lIItQU2r8wWt/irNpf5pl7r2
|
||||
qyrzDB4q4L5QGhKkZhs05rU6YTReLPKAAl2XAgMBAAGjUzBRMB0GA1UdDgQWBBRk
|
||||
r8YAWbZlBTwJQhL2gAyzEk/dhTAfBgNVHSMEGDAWgBRkr8YAWbZlBTwJQhL2gAyz
|
||||
Ek/dhTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA1LDP92xo4
|
||||
iOIvXZ0uVqR95/2QaB0zARvqP6nJ9XtfyyeDj8fF/iPz0/2FO8Svkba/5ZlEpr19
|
||||
49PQ1ufkCVhJTh1aCkJLjmiyYeBZXFRjbw7Tr3O9f9Pe8Ud01nwHyaLl3GHaacL1
|
||||
DGjSIpEbkS6zxDxfwhzqXnqKvT37Gcy+hpmMkRX7a3RyYg696azAd+bTjxKpCqmC
|
||||
iL0YrH4cnQ8sbKklKNxjjRVAjzWQ7BhPcIXABauNgIOvHHDe7NWcAEMMca5Fcmja
|
||||
tRsMLlfwyBM4YgRi9dq66C+LU+LuzBF5L0WTcwf8mXJDieE53A/4D0fig7+nkJrM
|
||||
8sWed8nJa0FF
|
||||
MIIBODCB66ADAgECAhQ4YPfjqFPYvxNpArFa8DXX/5AGYTAFBgMrZXAwEjEQMA4G
|
||||
A1UEAwwHaGRfcm9vdDAeFw0yNjA0MTMwNzM4MjlaFw0yNzA0MTMwNzM4MjlaMBIx
|
||||
EDAOBgNVBAMMB2hkX3Jvb3QwKjAFBgMrZXADIQA30s20SD69tXyipehHTavLJE2O
|
||||
oXkLP2IXOn5YUUpq0aNTMFEwHQYDVR0OBBYEFIgaWzsBNlRO30Bh21lazfWI7p95
|
||||
MB8GA1UdIwQYMBaAFIgaWzsBNlRO30Bh21lazfWI7p95MA8GA1UdEwEB/wQFMAMB
|
||||
Af8wBQYDK2VwA0EAKlQ0gkZ94OgOcu9Y/UU2zEjioduIL9A5dfsHAYd0Qp2RZPuE
|
||||
QjA/82pBPyrz0ZrDFcSOV2Ii13ZyDc6Spev3CA==
|
||||
-----END CERTIFICATE-----
|
||||
|
@ -1,20 +1,12 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDSTCCAjGgAwIBAgIUFoZzGii77TrKqg6r5NgmrqGNb8UwDQYJKoZIhvcNAQEL
|
||||
BQAwEjEQMA4GA1UEAwwHaGRfcm9vdDAeFw0yNjAxMzExMjA3MzlaFw0yNzAxMzEx
|
||||
MjA3MzlaMA4xDDAKBgNVBAMMA2xhbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
|
||||
AQoCggEBAJmkEtAdsqVR8zVVoGgVL351Z5spsDbkjYGqM83XN6Edkx33c64FuoOY
|
||||
MpD/NqoC7eReQGJ3Oz6cjF+Oe35gO1jyJsQmsjCFVyzyihDjtczGAE6SoaS67kaq
|
||||
w2K54myAGo2ESKkzU776gZM0/V44tJuJVWBumxWHmajSgsAdBCGIUKSJJolJvt90
|
||||
ghyuoTLS9u1B2wtNvhvWHEwpzCOV3LwWraroDHYXL2tKTMrpqpj6lev/8t9gIPCM
|
||||
/q2oN0ILSPyScpuQHP0/Aky9kPycw3EdiTNPqh2UnI/2pw0LNHa3F3dp/f47kqSd
|
||||
DlXLkveKPgJLRIbxCJGdgvoacGMce0MCAwEAAaOBmjCBlzAoBgNVHREEITAfgghy
|
||||
b2FtLmxhboIKKi5yb2FtLmxhboIHZ2l0LmxhbjAfBgNVHSMEGDAWgBRkr8YAWbZl
|
||||
BTwJQhL2gAyzEk/dhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAK
|
||||
BggrBgEFBQcDATAdBgNVHQ4EFgQUNLp+qukOiO3z/cfjk4fBalMnOswwDQYJKoZI
|
||||
hvcNAQELBQADggEBAFoDA+AHIdBUtpTa1bVXSy4Y53Kn2OMopA47qxY+sgXS0UGx
|
||||
2fz7dyhy68AG3V5VnVKpnNAjJdeZdQww3N7KNmjsoI+p5mS+AHucLcMLJaqFaA0t
|
||||
+jyLepQFdeh2/VkmbIwFQW+T/oBoCP4i4tkmaa/9mKSkbEOAadcucg7viqmRKN/b
|
||||
DJNMkhiahpCATpxRno8ybUzn907UTKBQOseZMW53ecKkgcPQOF6apsM7+/jXkOrO
|
||||
D9QeVWCdLLAnpLlubqbuGxPjI0RbLHXwKFayRwKEMj3Gn9njqcZfkVM3QJHc8Pn9
|
||||
eADOacl+F1jPO2nTTOQ9tZzfyHW4Gd5tpWqpEb8=
|
||||
MIIBsTCCAWOgAwIBAgIUGpf4cVZ+bxPjhAFAyl8jQ1sNQa8wBQYDK2VwMBIxEDAO
|
||||
BgNVBAMMB2hkX3Jvb3QwHhcNMjYwNDEzMDczODI5WhcNMjcwNDEzMDczODI5WjAO
|
||||
MQwwCgYDVQQDDANsYW4wKjAFBgMrZXADIQAhLd5unI9G7uHqr6BsqDCMJLw/N8JF
|
||||
xYUpaCdkqkKhg6OBzjCByzBcBgNVHREEVTBTggZjMi5sYW6CBmZ3LmxhboIHZ2l0
|
||||
LmxhboIHcWJ0LmxhboIIcm9hbS5sYW6CB3Jzcy5sYW6CCHNvbG8ubGFughJzeW5j
|
||||
dGhpbmcucm9hbS5sYW4wHwYDVR0jBBgwFoAUiBpbOwE2VE7fQGHbWVrN9Yjun3kw
|
||||
CQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHQYD
|
||||
VR0OBBYEFBlYz2gpphVvl3ofllfEX++VXFOqMAUGAytlcANBAJoI695qXQ2fjG3q
|
||||
2iK8FfjBEdvkrp6VK8xV12WjxZi19X5FhbY9FvRj/ZeM8yhUFKH9uBWjkqd8LuX2
|
||||
iHM7vQ0=
|
||||
-----END CERTIFICATE-----
|
||||
Binary file not shown.