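# Generates a self-signed CA and a server TLS cert covering all `.lan` domains
# defined in var/default.nix.
#
# Outputs (paths relative to the directory the script is run from):
#   pki/ca.cert         - self-signed CA certificate, to be installed as a trust anchor
#   pki/server.cert     - CA-signed server certificate, SANs taken from `san`
#   secrets/tlskey.age  - server private key, encrypted with agenix
#
# The CA private key only ever lives in the temp dir and is deleted on exit, so
# this CA cannot sign anything else later: re-running the script produces a
# fresh CA and the trust anchor has to be redistributed.
{ pkgs, agenix-pkg, san, }:
pkgs.writeShellApplication {
  name = "gen-tls-cert";
  runtimeInputs = [ pkgs.openssl agenix-pkg ];
  # writeShellApplication enables errexit/nounset/pipefail, so a failing
  # openssl or agenix step (including the agenix side of the pipe) aborts.
  text = ''
    # ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
    tmp=$(mktemp -d)   # mode 0700; holds the CA key, CSR, extfile and serial
    trap 'rm -rf -- "$tmp"' EXIT

    # Self-signed CA (Ed25519, valid one year).
    openssl req -x509 -nodes \
      -newkey ed25519 \
      -keyout "$tmp/ca.key" \
      -days 365 \
      -out "$tmp/ca.cert" \
      -subj '/CN=hd_root'

    # Server key + CSR. The private key is written to stdout and piped into
    # agenix, so it is never stored on disk in the clear; only the CSR hits
    # $tmp. `-f`: on the first run there is no previous secret, and a missing
    # file must not abort the script under errexit.
    rm -f secrets/tlskey.age
    openssl req -nodes \
      -newkey ed25519 \
      -keyout - \
      -out "$tmp/server.csr" \
      -subj '/CN=lan' \
      | agenix -e secrets/tlskey.age

    # SAN list is derived from var/default.nix (lan-dns.hosts).
    # Quoted at Nix evaluation time so shell-special characters in the SAN
    # string cannot break the assignment or be interpreted by the shell.
    san=${pkgs.lib.escapeShellArg san}
    echo "SAN: $san"

    # Leaf-certificate extensions. keyEncipherment is deliberately absent:
    # Ed25519 is a signature-only key and RFC 8410 §5 lists only signature
    # usages for it, so the bit would be meaningless at best.
    cat > "$tmp/extfile" << EOF
    subjectAltName=$san
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage=digitalSignature
    extendedKeyUsage=serverAuth
    EOF

    # Sign the CSR with the throw-away CA. -CAcreateserial writes ca.srl next
    # to ca.cert inside $tmp, where it is discarded together with the CA key.
    openssl x509 -req \
      -CA "$tmp/ca.cert" \
      -CAkey "$tmp/ca.key" \
      -in "$tmp/server.csr" \
      -out pki/server.cert \
      -days 365 \
      -CAcreateserial \
      -extfile "$tmp/extfile"

    # Only the CA certificate is kept; the CA key goes away with $tmp.
    mv "$tmp/ca.cert" pki/ca.cert
  '';
}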