more writeShellApplication
This commit is contained in:
John Lancaster
+44
-45
@@ -96,32 +96,35 @@ let
|
||||
group,
|
||||
}:
|
||||
let
|
||||
catCmd = lib.getExe' pkgs.coreutils "cat";
|
||||
chownCmd = lib.getExe' pkgs.coreutils "chown";
|
||||
chmodCmd = lib.getExe' pkgs.coreutils "chmod";
|
||||
stepCmd = lib.getExe pkgs.step-cli;
|
||||
sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san;
|
||||
in
|
||||
pkgs.writeShellScriptBin "mtls-generate" ''
|
||||
set -euo pipefail
|
||||
${stepCmd} ca certificate \
|
||||
${subject} ${certFile} ${keyFile} \
|
||||
--not-before=-5m --not-after=${lifetime} \
|
||||
--provisioner ${provisioner} \
|
||||
${sanArgs} \
|
||||
"$@"
|
||||
(umask 077; ${catCmd} ${certFile} ${keyFile} > ${bundleFile})
|
||||
${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
|
||||
${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
|
||||
printf '\033[32m✔\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
|
||||
'';
|
||||
pkgs.writeShellApplication {
|
||||
name = "mtls-generate";
|
||||
runtimeInputs = with pkgs; [ coreutils step-cli ];
|
||||
text = ''
|
||||
set -euo pipefail
|
||||
step ca certificate ${subject} ${certFile} ${keyFile} \
|
||||
--provisioner ${provisioner} \
|
||||
--not-before=-5m --not-after=${lifetime} \
|
||||
${sanArgs} \
|
||||
"$@"
|
||||
(umask 077; cat ${certFile} ${keyFile} > ${bundleFile})
|
||||
chown ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
|
||||
chmod 640 ${certFile} ${keyFile} ${bundleFile}
|
||||
printf '\033[32m✔\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
|
||||
'';
|
||||
};
|
||||
|
||||
mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" ''
|
||||
${lib.getExe pkgs.openssl} x509 \
|
||||
-noout -subject -issuer \
|
||||
-ext subjectAltName,extendedKeyUsage \
|
||||
-enddate -in ${bundleFile}
|
||||
'';
|
||||
mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellApplication {
|
||||
name = "mtls-check";
|
||||
runtimeInputs = with pkgs; [ openssl ];
|
||||
text = ''
|
||||
openssl x509 -noout -in ${bundleFile} \
|
||||
-subject -issuer \
|
||||
-ext subjectAltName,extendedKeyUsage \
|
||||
-enddate
|
||||
'';
|
||||
};
|
||||
|
||||
mkMtlsRenewScript = {
|
||||
pkgs,
|
||||
@@ -129,12 +132,7 @@ let
|
||||
systemctlArgs ? [ ],
|
||||
}:
|
||||
let
|
||||
catCmd = lib.getExe' pkgs.coreutils "cat";
|
||||
echoCmd = lib.getExe' pkgs.coreutils "echo";
|
||||
chownCmd = lib.getExe' pkgs.coreutils "chown";
|
||||
chmodCmd = lib.getExe' pkgs.coreutils "chmod";
|
||||
stepCmd = lib.getExe pkgs.step-cli;
|
||||
systemctlCmd = "${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs}";
|
||||
systemctlCmd = "systemctl ${lib.escapeShellArgs systemctlArgs}";
|
||||
|
||||
hasReloadUnits = cfg.renew.reloadUnits != [ ];
|
||||
renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
|
||||
@@ -148,7 +146,10 @@ let
|
||||
|
||||
fileOwner = "${cfg.renew.user}:${cfg.renew.group}";
|
||||
in
|
||||
pkgs.writeShellScriptBin "mtls-renew" ''
|
||||
pkgs.writeShellApplication {
|
||||
name = "mtls-renew";
|
||||
runtimeInputs = with pkgs; [ coreutils step-cli systemd ];
|
||||
text = ''
|
||||
set -euo pipefail
|
||||
|
||||
YELLOW_BANG="\e[33m!\e[0m"
|
||||
@@ -161,33 +162,31 @@ let
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
${echoCmd} -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
|
||||
echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [[ $force -eq 0 ]] && ! ${stepCmd} certificate needs-renewal "${cfg.certFile}"; then
|
||||
${echoCmd} "Skipping renew"
|
||||
if [[ $force -eq 0 ]] && ! step certificate needs-renewal "${cfg.certFile}"; then
|
||||
echo "Skipping renew"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
${echoCmd} "Renewing mTLS certificate"
|
||||
${stepCmd} ca renew --force "${cfg.certFile}" "${cfg.keyFile}"
|
||||
(umask 077; ${catCmd} "${cfg.certFile}" "${cfg.keyFile}" > "${cfg.bundleFile}")
|
||||
${chownCmd} ${fileOwner} ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
|
||||
${chmodCmd} 640 ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
|
||||
echo "Renewing mTLS certificate"
|
||||
step ca renew --force "${cfg.certFile}" "${cfg.keyFile}"
|
||||
(umask 077; cat "${cfg.certFile}" "${cfg.keyFile}" > "${cfg.bundleFile}")
|
||||
chown ${fileOwner} ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
|
||||
chmod 640 ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
|
||||
|
||||
${lib.optionalString hasReloadUnits ''
|
||||
${echoCmd} "Reloading units: ${lib.concatStringsSep ", " cfg.renew.reloadUnits}"
|
||||
${renewReloadScript}
|
||||
echo "Reloading units: ${lib.concatStringsSep ", " cfg.renew.reloadUnits}"
|
||||
${renewReloadScript}
|
||||
''}
|
||||
|
||||
${lib.optionalString hasPostCommands ''
|
||||
${echoCmd} "Post commands:"
|
||||
${renewPostCommands}
|
||||
''}
|
||||
'';
|
||||
${lib.optionalString hasPostCommands ''echo "Post commands:" ${renewPostCommands}''}
|
||||
'';
|
||||
};
|
||||
|
||||
mkNixosMtlsRenewService = { pkgs, cfg, ... }:
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user