2e751c0772
the conversion procedure is simple: - find all things that look like options, ie calls to either `mkOption` or `lib.mkOption` that take an attrset. remember the attrset as the option - for all options, find a `description` attribute who's value is not a call to `mdDoc` or `lib.mdDoc` - textually convert the entire value of the attribute to MD with a few simple regexes (the set from mdize-module.sh) - if the change produced a change in the manual output, discard - if the change kept the manual unchanged, add some text to the description to make sure we've actually found an option. if the manual changes this time, keep the converted description this procedure converts 80% of nixos options to markdown. around 2000 options remain to be inspected, but most of those fail the "does not change the manual output check": currently the MD conversion process does not faithfully convert docbook tags like <code> and <package>, so any option using such tags will not be converted at all.
223 lines
6.5 KiB
Nix
223 lines
6.5 KiB
Nix
{ config, options, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.services.cfssl;
|
|
in {
|
|
options.services.cfssl = {
|
|
enable = mkEnableOption "the CFSSL CA api-server";
|
|
|
|
dataDir = mkOption {
|
|
default = "/var/lib/cfssl";
|
|
type = types.path;
|
|
description = ''
|
|
The work directory for CFSSL.
|
|
|
|
<note><para>
|
|
If left as the default value this directory will automatically be
|
|
created before the CFSSL server starts, otherwise you are
|
|
responsible for ensuring the directory exists with appropriate
|
|
ownership and permissions.
|
|
</para></note>
|
|
'';
|
|
};
|
|
|
|
address = mkOption {
|
|
default = "127.0.0.1";
|
|
type = types.str;
|
|
description = lib.mdDoc "Address to bind.";
|
|
};
|
|
|
|
port = mkOption {
|
|
default = 8888;
|
|
type = types.port;
|
|
description = lib.mdDoc "Port to bind.";
|
|
};
|
|
|
|
ca = mkOption {
|
|
defaultText = literalExpression ''"''${cfg.dataDir}/ca.pem"'';
|
|
type = types.str;
|
|
description = lib.mdDoc "CA used to sign the new certificate -- accepts '[file:]fname' or 'env:varname'.";
|
|
};
|
|
|
|
caKey = mkOption {
|
|
defaultText = literalExpression ''"file:''${cfg.dataDir}/ca-key.pem"'';
|
|
type = types.str;
|
|
description = lib.mdDoc "CA private key -- accepts '[file:]fname' or 'env:varname'.";
|
|
};
|
|
|
|
caBundle = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.path;
|
|
description = lib.mdDoc "Path to root certificate store.";
|
|
};
|
|
|
|
intBundle = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.path;
|
|
description = lib.mdDoc "Path to intermediate certificate store.";
|
|
};
|
|
|
|
intDir = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.path;
|
|
description = lib.mdDoc "Intermediates directory.";
|
|
};
|
|
|
|
metadata = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.path;
|
|
description = lib.mdDoc ''
|
|
Metadata file for root certificate presence.
|
|
The content of the file is a json dictionary (k,v): each key k is
|
|
a SHA-1 digest of a root certificate while value v is a list of key
|
|
store filenames.
|
|
'';
|
|
};
|
|
|
|
remote = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.str;
|
|
description = lib.mdDoc "Remote CFSSL server.";
|
|
};
|
|
|
|
configFile = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.str;
|
|
description = lib.mdDoc "Path to configuration file. Do not put this in nix-store as it might contain secrets.";
|
|
};
|
|
|
|
responder = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.path;
|
|
description = lib.mdDoc "Certificate for OCSP responder.";
|
|
};
|
|
|
|
responderKey = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.str;
|
|
description = lib.mdDoc "Private key for OCSP responder certificate. Do not put this in nix-store.";
|
|
};
|
|
|
|
tlsKey = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.str;
|
|
description = lib.mdDoc "Other endpoint's CA private key. Do not put this in nix-store.";
|
|
};
|
|
|
|
tlsCert = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.path;
|
|
description = lib.mdDoc "Other endpoint's CA to set up TLS protocol.";
|
|
};
|
|
|
|
mutualTlsCa = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.path;
|
|
description = lib.mdDoc "Mutual TLS - require clients be signed by this CA.";
|
|
};
|
|
|
|
mutualTlsCn = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.str;
|
|
description = lib.mdDoc "Mutual TLS - regex for whitelist of allowed client CNs.";
|
|
};
|
|
|
|
tlsRemoteCa = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.path;
|
|
description = lib.mdDoc "CAs to trust for remote TLS requests.";
|
|
};
|
|
|
|
mutualTlsClientCert = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.path;
|
|
description = lib.mdDoc "Mutual TLS - client certificate to call remote instance requiring client certs.";
|
|
};
|
|
|
|
mutualTlsClientKey = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.path;
|
|
description = lib.mdDoc "Mutual TLS - client key to call remote instance requiring client certs. Do not put this in nix-store.";
|
|
};
|
|
|
|
dbConfig = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.path;
|
|
description = lib.mdDoc "Certificate db configuration file. Path must be writeable.";
|
|
};
|
|
|
|
logLevel = mkOption {
|
|
default = 1;
|
|
type = types.enum [ 0 1 2 3 4 5 ];
|
|
description = lib.mdDoc "Log level (0 = DEBUG, 5 = FATAL).";
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
users.groups.cfssl = {
|
|
gid = config.ids.gids.cfssl;
|
|
};
|
|
|
|
users.users.cfssl = {
|
|
description = "cfssl user";
|
|
home = cfg.dataDir;
|
|
group = "cfssl";
|
|
uid = config.ids.uids.cfssl;
|
|
};
|
|
|
|
systemd.services.cfssl = {
|
|
description = "CFSSL CA API server";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
|
|
serviceConfig = lib.mkMerge [
|
|
{
|
|
WorkingDirectory = cfg.dataDir;
|
|
Restart = "always";
|
|
User = "cfssl";
|
|
Group = "cfssl";
|
|
|
|
ExecStart = with cfg; let
|
|
opt = n: v: optionalString (v != null) ''-${n}="${v}"'';
|
|
in
|
|
lib.concatStringsSep " \\\n" [
|
|
"${pkgs.cfssl}/bin/cfssl serve"
|
|
(opt "address" address)
|
|
(opt "port" (toString port))
|
|
(opt "ca" ca)
|
|
(opt "ca-key" caKey)
|
|
(opt "ca-bundle" caBundle)
|
|
(opt "int-bundle" intBundle)
|
|
(opt "int-dir" intDir)
|
|
(opt "metadata" metadata)
|
|
(opt "remote" remote)
|
|
(opt "config" configFile)
|
|
(opt "responder" responder)
|
|
(opt "responder-key" responderKey)
|
|
(opt "tls-key" tlsKey)
|
|
(opt "tls-cert" tlsCert)
|
|
(opt "mutual-tls-ca" mutualTlsCa)
|
|
(opt "mutual-tls-cn" mutualTlsCn)
|
|
(opt "mutual-tls-client-key" mutualTlsClientKey)
|
|
(opt "mutual-tls-client-cert" mutualTlsClientCert)
|
|
(opt "tls-remote-ca" tlsRemoteCa)
|
|
(opt "db-config" dbConfig)
|
|
(opt "loglevel" (toString logLevel))
|
|
];
|
|
}
|
|
(mkIf (cfg.dataDir == options.services.cfssl.dataDir.default) {
|
|
StateDirectory = baseNameOf cfg.dataDir;
|
|
StateDirectoryMode = 700;
|
|
})
|
|
];
|
|
};
|
|
|
|
services.cfssl = {
|
|
ca = mkDefault "${cfg.dataDir}/ca.pem";
|
|
caKey = mkDefault "${cfg.dataDir}/ca-key.pem";
|
|
};
|
|
};
|
|
}
|