more writeShellApplication

This commit is contained in:
John Lancaster
2026-04-12 23:20:20 -05:00
parent 35e1d5ee61
commit 7080410c0c
2 changed files with 45 additions and 48 deletions
+34 -35
@@ -96,32 +96,35 @@ let
group, group,
}: }:
let let
catCmd = lib.getExe' pkgs.coreutils "cat";
chownCmd = lib.getExe' pkgs.coreutils "chown";
chmodCmd = lib.getExe' pkgs.coreutils "chmod";
stepCmd = lib.getExe pkgs.step-cli;
sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san; sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san;
in in
pkgs.writeShellScriptBin "mtls-generate" '' pkgs.writeShellApplication {
name = "mtls-generate";
runtimeInputs = with pkgs; [ coreutils step-cli ];
text = ''
set -euo pipefail set -euo pipefail
${stepCmd} ca certificate \ step ca certificate ${subject} ${certFile} ${keyFile} \
${subject} ${certFile} ${keyFile} \
--not-before=-5m --not-after=${lifetime} \
--provisioner ${provisioner} \ --provisioner ${provisioner} \
--not-before=-5m --not-after=${lifetime} \
${sanArgs} \ ${sanArgs} \
"$@" "$@"
(umask 077; ${catCmd} ${certFile} ${keyFile} > ${bundleFile}) (umask 077; cat ${certFile} ${keyFile} > ${bundleFile})
${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile} chown ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile} chmod 640 ${certFile} ${keyFile} ${bundleFile}
printf '\033[32m\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile} printf '\033[32m\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
''; '';
};
mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" '' mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellApplication {
${lib.getExe pkgs.openssl} x509 \ name = "mtls-check";
-noout -subject -issuer \ runtimeInputs = with pkgs; [ openssl ];
text = ''
openssl x509 -noout -in ${bundleFile} \
-subject -issuer \
-ext subjectAltName,extendedKeyUsage \ -ext subjectAltName,extendedKeyUsage \
-enddate -in ${bundleFile} -enddate
''; '';
};
mkMtlsRenewScript = { mkMtlsRenewScript = {
pkgs, pkgs,
@@ -129,12 +132,7 @@ let
systemctlArgs ? [ ], systemctlArgs ? [ ],
}: }:
let let
catCmd = lib.getExe' pkgs.coreutils "cat"; systemctlCmd = "systemctl ${lib.escapeShellArgs systemctlArgs}";
echoCmd = lib.getExe' pkgs.coreutils "echo";
chownCmd = lib.getExe' pkgs.coreutils "chown";
chmodCmd = lib.getExe' pkgs.coreutils "chmod";
stepCmd = lib.getExe pkgs.step-cli;
systemctlCmd = "${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs}";
hasReloadUnits = cfg.renew.reloadUnits != [ ]; hasReloadUnits = cfg.renew.reloadUnits != [ ];
renewReloadScript = lib.concatMapStringsSep "\n" (unit: '' renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
@@ -148,7 +146,10 @@ let
fileOwner = "${cfg.renew.user}:${cfg.renew.group}"; fileOwner = "${cfg.renew.user}:${cfg.renew.group}";
in in
pkgs.writeShellScriptBin "mtls-renew" '' pkgs.writeShellApplication {
name = "mtls-renew";
runtimeInputs = with pkgs; [ coreutils step-cli systemd ];
text = ''
set -euo pipefail set -euo pipefail
YELLOW_BANG="\e[33m!\e[0m" YELLOW_BANG="\e[33m!\e[0m"
@@ -161,33 +162,31 @@ let
shift shift
;; ;;
*) *)
${echoCmd} -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'" echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
exit 1 exit 1
;; ;;
esac esac
done done
if [[ $force -eq 0 ]] && ! ${stepCmd} certificate needs-renewal "${cfg.certFile}"; then if [[ $force -eq 0 ]] && ! step certificate needs-renewal "${cfg.certFile}"; then
${echoCmd} "Skipping renew" echo "Skipping renew"
exit 0 exit 0
fi fi
${echoCmd} "Renewing mTLS certificate" echo "Renewing mTLS certificate"
${stepCmd} ca renew --force "${cfg.certFile}" "${cfg.keyFile}" step ca renew --force "${cfg.certFile}" "${cfg.keyFile}"
(umask 077; ${catCmd} "${cfg.certFile}" "${cfg.keyFile}" > "${cfg.bundleFile}") (umask 077; cat "${cfg.certFile}" "${cfg.keyFile}" > "${cfg.bundleFile}")
${chownCmd} ${fileOwner} ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile} chown ${fileOwner} ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
${chmodCmd} 640 ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile} chmod 640 ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
${lib.optionalString hasReloadUnits '' ${lib.optionalString hasReloadUnits ''
${echoCmd} "Reloading units: ${lib.concatStringsSep ", " cfg.renew.reloadUnits}" echo "Reloading units: ${lib.concatStringsSep ", " cfg.renew.reloadUnits}"
${renewReloadScript} ${renewReloadScript}
''} ''}
${lib.optionalString hasPostCommands '' ${lib.optionalString hasPostCommands ''echo "Post commands:" ${renewPostCommands}''}
${echoCmd} "Post commands:"
${renewPostCommands}
''}
''; '';
};
mkNixosMtlsRenewService = { pkgs, cfg, ... }: mkNixosMtlsRenewService = { pkgs, cfg, ... }:
{ {
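Review bot: The new side of `${lib.optionalString hasPostCommands ''echo "Post commands:" ${renewPostCommands}''}` in the @@ -161 hunk puts the post commands on the same shell line as the echo, so unless renewPostCommands (defined outside the hunk) begins with a newline, its first command is printed as arguments to echo rather than executed, and a multi-line value has only its later lines run. Split it back the way the old side had it, with `echo "Post commands:"` on its own line followed by `${renewPostCommands}` on the next, inside the optionalString block. Separately, the interpolated `${subject}`, `${certFile}` and `${keyFile}` arguments to `step ca certificate` in mtls-generate remain unquoted while the printf line already uses lib.escapeShellArg for bundleFile; wrapping them the same way would keep a path with spaces or shell metacharacters from breaking the script, and since writeShellApplication already sets errexit, nounset and pipefail the explicit `set -euo pipefail` lines are redundant. The let/in of mkMtlsRenewScript begins before this hunk, so the definition of renewPostCommands is not visible here.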
+1 -3
@@ -34,9 +34,7 @@
xclip xclip
jq jq
ripgrep ripgrep
(writeShellScriptBin "ds" '' (writeShellScriptBin "ds" ''${lib.getExe pkgs.gdu} -x -I /snap /'')
${lib.getExe pkgs.gdu} -x -I /snap /
'')
]; ];
}; };
}; };