- add tls module for certificate generation, which can be enabled where needed - add TLS certificate generation script, allowing multiple IP entries - add key copy service to allow user access in /run/givc, by default keys and certificates are stored in /etc/givc with root access only - remove TLS data name dependencies Signed-off-by: Manuel Bluhm <[email protected]>
Showing
14 changed files
with
265 additions
and
98 deletions.
@@ -0,0 +1,109 @@ | ||
# Copyright 2024 TII (SSRC) and the Ghaf contributors | ||
# SPDX-License-Identifier: Apache-2.0 | ||
{ self }: | ||
{ | ||
config, | ||
pkgs, | ||
lib, | ||
... | ||
}: | ||
let | ||
cfg = config.givc.tls; | ||
inherit (lib) | ||
mkOption | ||
mkEnableOption | ||
mkIf | ||
types | ||
; | ||
inherit (import ./definitions.nix { inherit config lib; }) | ||
transportSubmodule | ||
; | ||
in | ||
{ | ||
options.givc.tls = { | ||
enable = mkEnableOption "Enable givc-tls module. This module generates keys and certificates for givc's mTLS in /etc/givc."; | ||
|
||
agents = mkOption { | ||
description = "List of agents to generate TLS certificates for. Requires a list of 'transportSubmodule'."; | ||
type = types.listOf transportSubmodule; | ||
}; | ||
|
||
adminTlsName = mkOption { | ||
description = "TLS host name of admin server."; | ||
type = types.str; | ||
}; | ||
|
||
adminAddresses = mkOption { | ||
description = "List of addresses for the admin service to listen on. Requires a list of 'transportSubmodule'."; | ||
type = types.listOf transportSubmodule; | ||
}; | ||
|
||
generatorHostName = mkOption { | ||
description = "Host name of the certificate generator. This will prevent to write the TLS data into the storage path."; | ||
type = types.str; | ||
}; | ||
|
||
storagePath = mkOption { | ||
description = "Storage path for generated keys and certificates. Will use subdirectories for each agent by name."; | ||
type = types.str; | ||
}; | ||
|
||
}; | ||
|
||
config = mkIf cfg.enable { | ||
assertions = [ | ||
{ | ||
assertion = cfg.agents != [ ]; | ||
message = "The TLS module requires a list of agents to generate keys and certificates for."; | ||
} | ||
{ | ||
assertion = cfg.adminTlsName != ""; | ||
message = "The TLS module requires a TLS host name for the admin server."; | ||
} | ||
{ | ||
assertion = cfg.adminAddresses != [ ]; | ||
message = "The TLS module requires a list of addresses for the admin service to listen on."; | ||
} | ||
{ | ||
assertion = cfg.generatorHostName != ""; | ||
message = "The TLS module requires a host name for the certificate generator."; | ||
} | ||
{ | ||
assertion = cfg.storagePath != ""; | ||
message = "The TLS module requires a storage path for generated keys and certificates."; | ||
} | ||
]; | ||
|
||
systemd.services = { | ||
givc-key-setup = | ||
let | ||
givcCertGenerator = pkgs.callPackage ../packages/givc-gen-certs.nix { | ||
inherit lib pkgs; | ||
inherit (cfg) | ||
agents | ||
adminTlsName | ||
adminAddresses | ||
generatorHostName | ||
; | ||
}; | ||
in | ||
{ | ||
enable = true; | ||
description = "Generate keys and certificates for givc"; | ||
path = [ givcCertGenerator ]; | ||
wantedBy = [ "local-fs.target" ]; | ||
after = [ "local-fs.target" ]; | ||
unitConfig.ConditionPathExists = "!/etc/givc/tls.lock"; | ||
serviceConfig = { | ||
Type = "notify"; | ||
NotifyAccess = "all"; | ||
Restart = "no"; | ||
StandardOutput = "journal"; | ||
StandardError = "journal"; | ||
ExecStart = "${givcCertGenerator}/bin/givc-gen-certs ${cfg.storagePath}"; | ||
ExecStartPost = "${pkgs.coreutils}/bin/install -m 000 /dev/null /etc/givc/tls.lock"; | ||
}; | ||
}; | ||
}; | ||
}; | ||
} |
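Review bot: The lock file is hard-coded to `/etc/givc/tls.lock` in both `unitConfig.ConditionPathExists` and `ExecStartPost`, while the generator is invoked with the configurable `cfg.storagePath`; with any non-default storage path the run-once condition no longer tracks where the keys actually live, and `install` without `-D` fails when `/etc/givc` does not exist, leaving the unit failed right after a successful generation. Deriving the lock from the storage path keeps the two in step: `unitConfig.ConditionPathExists = "!${cfg.storagePath}/tls.lock";` and `ExecStartPost = "${pkgs.coreutils}/bin/install -D -m 000 /dev/null ${cfg.storagePath}/tls.lock";`. The path is also interpolated unquoted into `ExecStart`, so a value containing whitespace is word-split by systemd; `ExecStart = "${givcCertGenerator}/bin/givc-gen-certs ${lib.escapeShellArg cfg.storagePath}";` avoids that. The `enable` description on the first option still says the material is written to `/etc/givc`, which is only the default; it should say `/etc/givc` by default or refer to `storagePath` instead.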