112 lines
3.3 KiB
Nix
112 lines
3.3 KiB
Nix
/*
|
|
Set up a CA chain for the clan. There will be one root CA for each instance
|
|
of the ssl service, then each host has its own host CA that is signed by the
|
|
instance-wide root CA.
|
|
|
|
Trusting the root CA, will result in also trusting the individual host CAs,
|
|
as they are signed by it.
|
|
|
|
Hosts can then use their respective host CAs to expose SSL secured services.
|
|
*/
|
|
{
|
|
exports,
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
{
|
|
_class = "clan.service";
|
|
manifest.name = "clan-core/ssl";
|
|
manifest.description = "Set up a CA infrastucture for your clan";
|
|
manifest.readme = builtins.readFile ./README.md;
|
|
|
|
# Generate a root CA for each instances of the ssl module.
|
|
exports = lib.mapAttrs' (instanceName: _: {
|
|
"ssl/${instanceName}///".vars.generators.ssl-root-ca =
|
|
{ config, ... }:
|
|
{
|
|
|
|
files.key = { };
|
|
files.cert.secret = false;
|
|
|
|
runtimeInputs = [
|
|
config.pkgs.pkgs.openssl
|
|
];
|
|
|
|
script = ''
|
|
# Generate CA private key (4096-bit RSA)
|
|
openssl genrsa -out "$out/key" 4096
|
|
|
|
# Generate self-signed CA certificate (valid for 10 years)
|
|
openssl req -new -x509 \
|
|
-key "$out/key" \
|
|
-out "$out/cert" \
|
|
-days 3650 \
|
|
-subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=Root CA" \
|
|
-sha256
|
|
'';
|
|
};
|
|
}) config.instances;
|
|
|
|
roles.default = {
|
|
description = "Generate a host CA, signed by the root CA and trust the root CA";
|
|
perInstance =
|
|
{
|
|
instanceName,
|
|
machine,
|
|
...
|
|
}:
|
|
{
|
|
# Generate a host CA, which depends on (is signed by) the root CA
|
|
exports = {
|
|
"ssl/${instanceName}/default/${machine.name}/".vars.generators.ssl-host-ca =
|
|
{ config, ... }:
|
|
{
|
|
|
|
dependencies = {
|
|
ssl-root-ca = exports."ssl/${instanceName}///".vars.generators.ssl-root-ca;
|
|
};
|
|
|
|
files.key = { };
|
|
files.cert.secret = false;
|
|
|
|
runtimeInputs = [
|
|
config.pkgs.pkgs.openssl
|
|
];
|
|
|
|
script = ''
|
|
# Generate intermediate CA private key (4096-bit RSA)
|
|
openssl genrsa -out "$out/key" 4096
|
|
|
|
# Generate Certificate Signing Request (CSR) for intermediate CA
|
|
openssl req -new \
|
|
-key "$out/key" \
|
|
-out "$out/csr" \
|
|
-subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=Host CA"
|
|
|
|
# Sign the CSR with the root CA to create the intermediate certificate
|
|
openssl x509 -req \
|
|
-in "$out/csr" \
|
|
-CA "$dependencies/ssl-root-ca/cert" \
|
|
-CAkey "$dependencies/ssl-root-ca/key" \
|
|
-CAcreateserial \
|
|
-out "$out/cert" \
|
|
-days 3650 \
|
|
-sha256 \
|
|
-extfile <(printf "basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign")
|
|
'';
|
|
};
|
|
};
|
|
|
|
nixosModule =
|
|
{ ... }:
|
|
{
|
|
# We trust the (public) root CA certificate on all machines with this role
|
|
security.pki.certificateFiles = [
|
|
exports."ssl/${instanceName}///".vars.generators.ssl-root-ca.files.cert.path
|
|
];
|
|
};
|
|
};
|
|
};
|
|
}
|