Merge pull request #45567 from johanot/certmgr-rootca-patch

certmgr: Add patch for optional trust of self-signed certificates at remote cfssl apiserver
2019-01-30 17:37:42 +00:00 · 2019-01-30 17:37:42 +00:00 · 72f324dbc7
commit 72f324dbc7
parent 5b622c115d 4602b43a33
3 changed files with 48 additions and 20 deletions
--- a/nixos/modules/services/security/certmgr.nix
+++ b/nixos/modules/services/security/certmgr.nix
@ -30,13 +30,20 @@ let
  preStart = ''
    ${concatStringsSep " \\\n" (["mkdir -p"] ++ map escapeShellArg specPaths)}
-    ${pkgs.certmgr}/bin/certmgr -f ${certmgrYaml} check
+    ${cfg.package}/bin/certmgr -f ${certmgrYaml} check
  '';
 in
 {
  options.services.certmgr = {
    enable = mkEnableOption "certmgr";
    package = mkOption {
      type = types.package;
      default = pkgs.certmgr;
      defaultText = "pkgs.certmgr";
      description = "Which certmgr package to use in the service.";
    };
    defaultRemote = mkOption {
      type = types.str;
      default = "127.0.0.1:8888";
@ -187,7 +194,7 @@ in
      serviceConfig = {
        Restart = "always";
        RestartSec = "10s";
-        ExecStart = "${pkgs.certmgr}/bin/certmgr -f ${certmgrYaml}";
+        ExecStart = "${cfg.package}/bin/certmgr -f ${certmgrYaml}";
      };
    };
  };
--- a/pkgs/tools/security/certmgr/default.nix
+++ b/pkgs/tools/security/certmgr/default.nix
@ -1,6 +1,8 @@
-{ stdenv, buildGoPackage, fetchFromGitHub }:
+{ stdenv, buildGoPackage, fetchFromGitHub, fetchpatch }:
-buildGoPackage rec {
+let
  generic = { patches ? [] }:
    buildGoPackage rec {
      version = "1.6.1";
      name = "certmgr-${version}";
@ -13,6 +15,8 @@ buildGoPackage rec {
        sha256 = "1ky2pw1wxrb2fxfygg50h0mid5l023x6xz9zj5754a023d01qqr2";
      };
      inherit patches;
      meta = with stdenv.lib; {
        homepage = https://cfssl.org/;
        description = "Cloudflare's certificate manager";
@ -20,4 +24,20 @@ buildGoPackage rec {
        license = licenses.bsd2;
        maintainers = with maintainers; [ johanot srhb ];
      };
    };
 in
 {
  certmgr = generic {};
  certmgr-selfsigned = generic {
    # The following patch makes it possible to use a self-signed x509 cert
    # for the cfssl apiserver.
    # TODO: remove patch when PR is merged.
    patches = [
      (fetchpatch {
        url    = "https://github.com/cloudflare/certmgr/pull/51.patch";
        sha256 = "0jhsw159d2mgybvbbn6pmvj4yqr5cwcal5fjwkcn9m4f4zlb6qrs";
      })
    ];
  };
 }
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -1821,7 +1821,8 @@ in
  };
  ceph-dev = ceph;
-  certmgr = callPackage ../tools/security/certmgr { };
+  inherit (callPackages ../tools/security/certmgr { })
    certmgr certmgr-selfsigned;
  cfdg = callPackage ../tools/graphics/cfdg { };