Raito Bezarius
10ffc0684c
This initializes a PKI setup that will now require a root initialization token for the Vault. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
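{ config, lib, ... }:
# Terraform-style module provisioning the first intermediate CA ("ICA1") of the
# organisation's PKI in Vault: a dedicated `pki` mount, a key pair and CSR
# generated inside Vault, and - once the CSR has been signed by the offline
# root - the signed certificate installed into that mount.
let
  inherit (lib) tf mkOption mkEnableOption types mkIf;

  # Org-wide PKI settings (Vault provider, org identity) shared by all chains.
  parentConf = config.infra.pki;
  cfg = config.infra.pki.ica1;

  hour_in_secs = 60 * 60;
  year_in_secs = 365 * 24 * hour_in_secs;
in
{
  options.infra.pki.ica1 = {
    enable = mkEnableOption "provision an ICA1";

    # Derived Terraform resource name.  Bumping `version` or `certVersion`
    # changes both this name and the mount path, so a rotation creates a new
    # mount next to the old one instead of mutating the existing one in place.
    resourceId = mkOption {
      type = types.str;
      default = "${parentConf.org.id}_v${toString cfg.version}_ica1_v${toString cfg.certVersion}";
      readOnly = true;
    };

    version = mkOption {
      type = types.int;
      default = 1;
      description = "Version number for the ICA1 chain";
    };

    certVersion = mkOption {
      type = types.int;
      default = 1;
      description = "Version number for the ICA1 chain's certificate";
    };

    # Public material only: the matching private key is generated and kept
    # inside Vault (see the `internal` cert request below), so copying this
    # file into the Nix store exposes nothing that is not already public.
    signedCert = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path towards the signed certificate by the offline authority.

        This is not a secret and can be safely stored in the Nix store, you still need
        the private key to do anything with this certificate.
      '';
    };
  };

  config = mkIf cfg.enable {
    # One PKI mount per (chain version, certificate version) pair.
    resource.vault_mount."${cfg.resourceId}" = {
      inherit (parentConf) provider;
      path = "${parentConf.org.id}/v${toString cfg.version}/ica1/v${toString cfg.certVersion}";
      type = "pki";
      description = "PKI engine hosting v${toString cfg.version} intermediate CA1 v${toString cfg.certVersion} for ${parentConf.org.displayName}";
      # Leaf certificates issued from this mount default to a one-hour lifetime
      # and are capped at three years: the mount max TTL is the upper bound on
      # any role or request TTL.  The intermediate's own validity is chosen by
      # the offline root when it signs the CSR, not by these values.
      default_lease_ttl_seconds = hour_in_secs;
      max_lease_ttl_seconds = 3 * year_in_secs;
    };

    # Generate the intermediate's key pair and CSR inside Vault.  `internal`
    # means the private key never leaves the mount - it is not returned to
    # Terraform and therefore does not end up in state.
    resource.vault_pki_secret_backend_intermediate_cert_request."${cfg.resourceId}" = {
      inherit (parentConf) provider;
      depends_on = [ "vault_mount.${cfg.resourceId}" ];
      backend = tf.ref "vault_mount.${cfg.resourceId}.path";
      type = "internal";
      # No trailing whitespace here: the CN is copied verbatim into the CSR
      # subject and from there into the issued certificate.
      common_name = "Intermediate CA1 v${toString cfg.certVersion}";
      key_type = "ed25519";
      inherit (parentConf.org) ou organization country locality province;
    };

    # Only possible once the CSR above has been signed by the offline root and
    # the result handed back through `signedCert`.
    resource.vault_pki_secret_backend_intermediate_set_signed."${cfg.resourceId}_signed_cert" = mkIf (cfg.signedCert != null) {
      inherit (parentConf) provider;
      depends_on = [ "vault_mount.${cfg.resourceId}" ];
      backend = tf.ref "vault_mount.${cfg.resourceId}.path";

      # NOTE(review): if clients are not already configured to trust the
      # offline root, this PEM should be the signed intermediate followed by
      # the root so Vault can serve a complete chain - confirm what the
      # offline signing step produces.
      certificate = builtins.readFile cfg.signedCert;
    };
  };
}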