authorFranz Pletz <fpletz@fnordicwalking.de>2019-01-30 17:37:42 +0000
committerGitHub <noreply@github.com>2019-01-30 17:37:42 +0000
commit72f324dbc76f57728c5ae20a82bda1fc195c28c5 (patch)
treec97e11323cd96e31ec312abedbf5b2446f86aa7e
parent5b622c115d132772dc9739d35561e184d3375a5d (diff)
parent4602b43a33a98d31f29a2928da58559444ebfdb6 (diff)
downloadnixlib-72f324dbc76f57728c5ae20a82bda1fc195c28c5.tar
nixlib-72f324dbc76f57728c5ae20a82bda1fc195c28c5.tar.gz
nixlib-72f324dbc76f57728c5ae20a82bda1fc195c28c5.tar.bz2
nixlib-72f324dbc76f57728c5ae20a82bda1fc195c28c5.tar.lz
nixlib-72f324dbc76f57728c5ae20a82bda1fc195c28c5.tar.xz
nixlib-72f324dbc76f57728c5ae20a82bda1fc195c28c5.tar.zst
nixlib-72f324dbc76f57728c5ae20a82bda1fc195c28c5.zip
Merge pull request #45567 from johanot/certmgr-rootca-patch
certmgr: Add patch for optional trust of self-signed certificates at remote cfssl apiserver
-rw-r--r--nixos/modules/services/security/certmgr.nix11
-rw-r--r--pkgs/tools/security/certmgr/default.nix54
-rw-r--r--pkgs/top-level/all-packages.nix3
3 files changed, 48 insertions, 20 deletions
diff --git a/nixos/modules/services/security/certmgr.nix b/nixos/modules/services/security/certmgr.nix
index 22d5817ec4f0..e89078883ebe 100644
--- a/nixos/modules/services/security/certmgr.nix
+++ b/nixos/modules/services/security/certmgr.nix
@@ -30,13 +30,20 @@ let
 
   preStart = ''
     ${concatStringsSep " \\\n" (["mkdir -p"] ++ map escapeShellArg specPaths)}
-    ${pkgs.certmgr}/bin/certmgr -f ${certmgrYaml} check
+    ${cfg.package}/bin/certmgr -f ${certmgrYaml} check
   '';
 in
 {
   options.services.certmgr = {
     enable = mkEnableOption "certmgr";
 
+    package = mkOption {
+      type = types.package;
+      default = pkgs.certmgr;
+      defaultText = "pkgs.certmgr";
+      description = "Which certmgr package to use in the service.";
+    };
+
     defaultRemote = mkOption {
       type = types.str;
       default = "127.0.0.1:8888";
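Review bot: The new `package` option's description says nothing about why a user would change it, and the only alternative this PR introduces, `certmgr-selfsigned`, is not discoverable from the module. Suggest `description = "Which certmgr package to use in the service, e.g. pkgs.certmgr-selfsigned for a build that can trust a self-signed cfssl apiserver certificate.";`. The matching `${cfg.package}` substitution in the `ExecStart` hunk below needs no change. The enclosing `let` block starts before this hunk.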
@@ -187,7 +194,7 @@ in
       serviceConfig = {
         Restart = "always";
         RestartSec = "10s";
-        ExecStart = "${pkgs.certmgr}/bin/certmgr -f ${certmgrYaml}";
+        ExecStart = "${cfg.package}/bin/certmgr -f ${certmgrYaml}";
       };
     };
   };
diff --git a/pkgs/tools/security/certmgr/default.nix b/pkgs/tools/security/certmgr/default.nix
index fa3076e8b593..4a9cd4867da6 100644
--- a/pkgs/tools/security/certmgr/default.nix
+++ b/pkgs/tools/security/certmgr/default.nix
@@ -1,23 +1,43 @@
-{ stdenv, buildGoPackage, fetchFromGitHub }:
+{ stdenv, buildGoPackage, fetchFromGitHub, fetchpatch }:
 
-buildGoPackage rec {
-  version = "1.6.1";
-  name = "certmgr-${version}";
+let
+  generic = { patches ? [] }:
+    buildGoPackage rec {
+      version = "1.6.1";
+      name = "certmgr-${version}";
 
-  goPackagePath = "github.com/cloudflare/certmgr/";
+      goPackagePath = "github.com/cloudflare/certmgr/";
 
-  src = fetchFromGitHub {
-    owner = "cloudflare";
-    repo = "certmgr";
-    rev = "v${version}";
-    sha256 = "1ky2pw1wxrb2fxfygg50h0mid5l023x6xz9zj5754a023d01qqr2";
-  };
+      src = fetchFromGitHub {
+        owner = "cloudflare";
+        repo = "certmgr";
+        rev = "v${version}";
+        sha256 = "1ky2pw1wxrb2fxfygg50h0mid5l023x6xz9zj5754a023d01qqr2";
+      };
+
+      inherit patches;
+
+      meta = with stdenv.lib; {
+        homepage = https://cfssl.org/;
+        description = "Cloudflare's certificate manager";
+        platforms = platforms.linux;
+        license = licenses.bsd2;
+        maintainers = with maintainers; [ johanot srhb ];
+      };
+    };
+in
+{
+  certmgr = generic {};
 
-  meta = with stdenv.lib; {
-    homepage = https://cfssl.org/;
-    description = "Cloudflare's certificate manager";
-    platforms = platforms.linux;
-    license = licenses.bsd2;
-    maintainers = with maintainers; [ johanot srhb ];
+  certmgr-selfsigned = generic {
+    # The following patch makes it possible to use a self-signed x509 cert
+    # for the cfssl apiserver.
+    # TODO: remove patch when PR is merged.
+    patches = [
+      (fetchpatch {
+        url    = "https://github.com/cloudflare/certmgr/pull/51.patch";
+        sha256 = "0jhsw159d2mgybvbbn6pmvj4yqr5cwcal5fjwkcn9m4f4zlb6qrs";
+      })
+    ];
   };
 }
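Review bot: The patch for `certmgr-selfsigned` is fetched from the pull-request URL `https://github.com/cloudflare/certmgr/pull/51.patch`, which follows the PR head rather than a fixed commit. The pinned sha256 means a later push to that PR breaks the build instead of silently changing what gets applied, but the reference is fragile; pointing `url` at the specific commit's patch, `url = "https://github.com/cloudflare/certmgr/commit/<PR-51 head commit sha>.patch";`, keeps it stable until the TODO is resolved. The comment above `patches` should also state that trusting a self-signed certificate is opt-in (the PR title says "optional"), so nobody reads this variant as disabling TLS verification of the apiserver by default — I could not confirm the patch's behaviour from this page. Lastly, both variants produce the same `name = "certmgr-${version}"`, so the patched build is indistinguishable from the stock one in store paths and `nix-env -q` output; threading a suffix through `generic` (`generic = { patches ? [], nameSuffix ? "" }:` and `name = "certmgr${nameSuffix}-${version}";`, with `nameSuffix = "-selfsigned";` in the patched variant) would make the difference visible.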
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 4d6ac1fe71be..9603ffa704b1 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1821,7 +1821,8 @@ in
   };
   ceph-dev = ceph;
 
-  certmgr = callPackage ../tools/security/certmgr { };
+  inherit (callPackages ../tools/security/certmgr { })
+    certmgr certmgr-selfsigned;
 
   cfdg = callPackage ../tools/graphics/cfdg { };