57 lines
1.3 KiB
Nix
57 lines
1.3 KiB
Nix
# Generates a self-signed CA and a server TLS cert covering all `.lan` domains
|
|
# defined in var/default.nix.
|
|
{
|
|
pkgs,
|
|
agenix-pkg,
|
|
san,
|
|
}:
|
|
pkgs.writeShellApplication {
|
|
name = "gen-tls-cert";
|
|
runtimeInputs = [
|
|
pkgs.openssl
|
|
agenix-pkg
|
|
];
|
|
text = ''
|
|
# ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
|
|
tmp=$(mktemp -d)
|
|
trap 'rm -rf -- "$tmp"' EXIT
|
|
|
|
openssl req -x509 -nodes \
|
|
-newkey ed25519 \
|
|
-keyout "$tmp/ca.key" \
|
|
-days 365 \
|
|
-out "$tmp/ca.cert" \
|
|
-subj '/CN=hd_root'
|
|
|
|
rm secrets/tlskey.age
|
|
openssl req -nodes \
|
|
-newkey ed25519 \
|
|
-keyout - \
|
|
-out "$tmp/server.csr" \
|
|
-subj '/CN=lan' \
|
|
| agenix -e secrets/tlskey.age
|
|
|
|
# SAN list is derived from var/default.nix (lan-dns.hosts).
|
|
san="${san}"
|
|
echo "SAN: $san"
|
|
|
|
cat > "$tmp/extfile" << EOF
|
|
subjectAltName=$san
|
|
authorityKeyIdentifier=keyid,issuer
|
|
basicConstraints=CA:FALSE
|
|
keyUsage=digitalSignature,keyEncipherment
|
|
extendedKeyUsage=serverAuth
|
|
EOF
|
|
|
|
openssl x509 -req \
|
|
-CA "$tmp/ca.cert" \
|
|
-CAkey "$tmp/ca.key" \
|
|
-in "$tmp/server.csr" \
|
|
-out pki/server.cert \
|
|
-days 365 \
|
|
-CAcreateserial \
|
|
-extfile "$tmp/extfile"
|
|
|
|
mv "$tmp/ca.cert" pki/ca.cert
|
|
'';
|
|
}
|