path: root/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
blob: d3557894dacb34f5d0a28eaab0da00e4f1eb2e59 (plain)
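# Renews the krebs intermediate ("acme") CA certificate offline, signing it with
# the krebs root CA. The root key/cert and the intermediate key are read from
# `brain` into a private temporary directory that is removed on exit; the
# intermediate cert itself is taken from the in-tree asset.
{ pkgs }:
pkgs.writers.writeDashBin "renew-intermediate-ca" ''
  # Stop on the first failed command or unset variable: a failed `brain show`
  # must not leave an empty key file that is then handed to `step`.
  set -eu
  # Private key material is written below; ensure nothing created here is
  # group/world readable (mktemp -d already gives the directory itself 0700).
  umask 077
  TMPDIR=$(mktemp -d)
  # Remove every fetched secret on exit, including on Ctrl-C / TERM.
  trap 'rm -rf "$TMPDIR"' INT TERM EXIT
  mkdir -p "$TMPDIR/krebs"
  # Root CA (signer) key and certificate.
  brain show ca/ca.key > "$TMPDIR/krebs/ca.key"
  brain show ca/ca.crt > "$TMPDIR/krebs/ca.crt"
  # Intermediate CA key (secret) and its current certificate (in-tree asset).
  brain show krebs-secrets/hotdog/acme_ca.key > "$TMPDIR/acme.key"
  cp ${toString ../../../6assets/krebsAcmeCA.crt} "$TMPDIR/acme.crt"
  # Keep step's state out of the user's $HOME so nothing leaks past the cleanup.
  export STEPPATH="$TMPDIR/step"
  # Certificate template for the renewed intermediate: a CA that may only issue
  # leaf certificates (maxPathLen 0) for names under the "r" and "w" domains.
  cat << EOF > "$TMPDIR/intermediate.tpl"
  {
      "subject": {{ toJson .Subject }},
      "keyUsage": ["certSign", "crlSign"],
      "basicConstraints": {
          "isCA": true,
          "maxPathLen": 0
      },
      "nameConstraints": {
          "critical": true,
          "permittedDNSDomains": ["r" ,"w"]
      }
  }
  EOF

  # Renew the intermediate certificate/key fetched above (acme.crt/acme.key),
  # rooted at the krebs root CA. The previous invocation pointed at
  # $TMPDIR/ca.crt and $TMPDIR/ca.key, which nothing in this script creates.
  # NOTE(review): --ca-config is handed the certificate template; confirm this
  # is what `step ca renew --offline` expects in this setup.
  ${pkgs.step-cli}/bin/step ca renew "$TMPDIR/acme.crt" "$TMPDIR/acme.key" \
    --offline \
    --root "$TMPDIR/krebs/ca.crt" \
    --ca-config "$TMPDIR/intermediate.tpl"
''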