Merge remote-tracking branch 'orange/master'

1 files changed, 30 insertions, 0 deletions

diff --git a/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix b/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
new file mode 100644
index 00000000..d3557894
--- /dev/null
+++ b/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
@@ -0,0 +1,30 @@
+{ pkgs }:
+pkgs.writers.writeDashBin "renew-intermediate-ca" ''
+  TMPDIR=$(mktemp -d)
+  trap "rm -rf $TMPDIR;" INT TERM EXIT
+  mkdir -p "$TMPDIR/krebs"
+  brain show ca/ca.key > "$TMPDIR/krebs/ca.key"
+  brain show ca/ca.crt > "$TMPDIR/krebs/ca.crt"
+  brain show krebs-secrets/hotdog/acme_ca.key > "$TMPDIR/acme.key"
+  cp ${toString ../../../6assets/krebsAcmeCA.crt} "$TMPDIR/acme.crt"
+  export STEPPATH="$TMPDIR/step"
+  cat << EOF > "$TMPDIR/intermediate.tpl"
+  {
+      "subject": {{ toJson .Subject }},
+      "keyUsage": ["certSign", "crlSign"],
+      "basicConstraints": {
+          "isCA": true,
+          "maxPathLen": 0
+      },
+      "nameConstraints": {
+          "critical": true,
+          "permittedDNSDomains": ["r" ,"w"]
+      }
+  }
+  EOF
+
+  ${pkgs.step-cli}/bin/step ca renew "$TMPDIR/ca.crt" "$TMPDIR/ca.key" \
+    --offline \
+    --root "$TMPDIR/krebs/ca.crt" \
+    --ca-config "$TMPDIR/intermediate.tpl"
+''