init renew-krebs-intermediate-ca

author: lassulus <git@lassul.us> 2023-09-04 13:45:19 +0200
committer: lassulus <git@lassul.us> 2023-09-04 13:45:19 +0200
commit: da71141921958d50e6845ccbdad08a117c7d9be4 (patch)
tree: 914b682abcf5826f01b7c77a0344444def6ebc39
parent: de37ad95995c89054fb3a864ce4e56f2b2aa12df (diff)
1 files changed, 30 insertions, 0 deletions
diff --git a/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix b/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
new file mode 100644
index 000000000..d3557894d
--- /dev/null
+++ b/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
@@ -0,0 +1,30 @@
+{ pkgs }:
+pkgs.writers.writeDashBin "renew-intermediate-ca" ''
+  TMPDIR=$(mktemp -d)
+  trap "rm -rf $TMPDIR;" INT TERM EXIT
+  mkdir -p "$TMPDIR/krebs"
+  brain show ca/ca.key > "$TMPDIR/krebs/ca.key"
+  brain show ca/ca.crt > "$TMPDIR/krebs/ca.crt"
+  brain show krebs-secrets/hotdog/acme_ca.key > "$TMPDIR/acme.key"
+  cp ${toString ../../../6assets/krebsAcmeCA.crt} "$TMPDIR/acme.crt"
+  export STEPPATH="$TMPDIR/step"
+  cat << EOF > "$TMPDIR/intermediate.tpl"
+  {
+      "subject": {{ toJson .Subject }},
+      "keyUsage": ["certSign", "crlSign"],
+      "basicConstraints": {
+          "isCA": true,
+          "maxPathLen": 0
+      },
+      "nameConstraints": {
+          "critical": true,
+          "permittedDNSDomains": ["r" ,"w"]
+      }
+  }
+  EOF
+
+  ${pkgs.step-cli}/bin/step ca renew "$TMPDIR/ca.crt" "$TMPDIR/ca.key" \
+    --offline \
+    --root "$TMPDIR/krebs/ca.crt" \
+    --ca-config "$TMPDIR/intermediate.tpl"
+''
author	lassulus <git@lassul.us>	2023-09-04 13:45:19 +0200
committer	lassulus <git@lassul.us>	2023-09-04 13:45:19 +0200
commit	da71141921958d50e6845ccbdad08a117c7d9be4 (patch)
tree	914b682abcf5826f01b7c77a0344444def6ebc39
parent	de37ad95995c89054fb3a864ce4e56f2b2aa12df (diff)