49 lines
1.3 KiB
Nix
49 lines
1.3 KiB
Nix
|
{ config, lib, pkgs, ... }: let
|
||
|
cfg = config.retiolum.ca;
|
||
|
in {
|
||
|
options.retiolum.ca = {
|
||
|
rootCA = lib.mkOption {
|
||
|
type = lib.types.str;
|
||
|
readOnly = true;
|
||
|
default = builtins.readFile ./root-ca.crt;
|
||
|
};
|
||
|
intermediateCA = lib.mkOption {
|
||
|
type = lib.types.str;
|
||
|
readOnly = true;
|
||
|
default = builtins.readFile ./intermediate-ca.crt;
|
||
|
};
|
||
|
acmeURL = lib.mkOption {
|
||
|
type = lib.types.str;
|
||
|
readOnly = true;
|
||
|
default = "https://ca.r/acme/acme/directory";
|
||
|
description = ''
|
||
|
security.acme.certs.$name.server = config.retiolum.ca.acmeURL;
|
||
|
'';
|
||
|
};
|
||
|
trustRoot = lib.mkOption {
|
||
|
type = lib.types.bool;
|
||
|
default = false;
|
||
|
description = ''
|
||
|
whether to trust the krebs root CA.
|
||
|
This implies that krebs can forge a certficate for every domain
|
||
|
'';
|
||
|
};
|
||
|
trustIntermediate = lib.mkOption {
|
||
|
type = lib.types.bool;
|
||
|
default = true;
|
||
|
description = ''
|
||
|
whether to trust the krebs ACME CA.
|
||
|
this only trusts the intermediate cert for .w and .r domains
|
||
|
'';
|
||
|
};
|
||
|
};
|
||
|
config = lib.mkMerge [
|
||
|
(lib.mkIf cfg.trustRoot {
|
||
|
security.pki.certificates = [ cfg.rootCA ];
|
||
|
})
|
||
|
(lib.mkIf cfg.trustIntermediate {
|
||
|
security.pki.certificates = [ cfg.intermediateCA ];
|
||
|
})
|
||
|
];
|
||
|
}
|