public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #45567 from johanot/certmgr-rootca-patch

Browse Source 
certmgr: Add patch for optional trust of self-signed certificates at remote cfssl apiserver
This commit is contained in:
Franz Pletz 2019-01-30 17:37:42 +00:00 committed by GitHub
commit 72f324dbc7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 48 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
nixos/modules/services/security/certmgr.nix
View File

@ -30,13 +30,20 @@ let
preStart = '' preStart = ''
${concatStringsSep " \\\n" (["mkdir -p"] ++ map escapeShellArg specPaths)} ${concatStringsSep " \\\n" (["mkdir -p"] ++ map escapeShellArg specPaths)}
${pkgs.certmgr}/bin/certmgr -f ${certmgrYaml} check ${cfg.package}/bin/certmgr -f ${certmgrYaml} check
''; '';
in in
{ {
options.services.certmgr = { options.services.certmgr = {
enable = mkEnableOption "certmgr"; enable = mkEnableOption "certmgr";
package = mkOption {
type = types.package;
default = pkgs.certmgr;
defaultText = "pkgs.certmgr";
description = "Which certmgr package to use in the service.";
};
defaultRemote = mkOption { defaultRemote = mkOption {
type = types.str; type = types.str;
default = "127.0.0.1:8888"; default = "127.0.0.1:8888";
@ -187,7 +194,7 @@ in
serviceConfig = { serviceConfig = {
Restart = "always"; Restart = "always";
RestartSec = "10s"; RestartSec = "10s";
ExecStart = "${pkgs.certmgr}/bin/certmgr -f ${certmgrYaml}"; ExecStart = "${cfg.package}/bin/certmgr -f ${certmgrYaml}";
}; };
}; };
}; };

54
pkgs/tools/security/certmgr/default.nix
View File

@ -1,23 +1,43 @@
{ stdenv, buildGoPackage, fetchFromGitHub }: { stdenv, buildGoPackage, fetchFromGitHub, fetchpatch }:
buildGoPackage rec { let
version = "1.6.1"; generic = { patches ? [] }:
name = "certmgr-${version}"; buildGoPackage rec {
version = "1.6.1";
name = "certmgr-${version}";
goPackagePath = "github.com/cloudflare/certmgr/"; goPackagePath = "github.com/cloudflare/certmgr/";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "cloudflare"; owner = "cloudflare";
repo = "certmgr"; repo = "certmgr";
rev = "v${version}"; rev = "v${version}";
sha256 = "1ky2pw1wxrb2fxfygg50h0mid5l023x6xz9zj5754a023d01qqr2"; sha256 = "1ky2pw1wxrb2fxfygg50h0mid5l023x6xz9zj5754a023d01qqr2";
}; };
meta = with stdenv.lib; { inherit patches;
homepage = https://cfssl.org/;
description = "Cloudflare's certificate manager"; meta = with stdenv.lib; {
platforms = platforms.linux; homepage = https://cfssl.org/;
license = licenses.bsd2; description = "Cloudflare's certificate manager";
maintainers = with maintainers; [ johanot srhb ]; platforms = platforms.linux;
license = licenses.bsd2;
maintainers = with maintainers; [ johanot srhb ];
};
};
in
{
certmgr = generic {};
certmgr-selfsigned = generic {
# The following patch makes it possible to use a self-signed x509 cert
# for the cfssl apiserver.
# TODO: remove patch when PR is merged.
patches = [
(fetchpatch {
url = "https://github.com/cloudflare/certmgr/pull/51.patch";
sha256 = "0jhsw159d2mgybvbbn6pmvj4yqr5cwcal5fjwkcn9m4f4zlb6qrs";
})
];
}; };
} }

3
pkgs/top-level/all-packages.nix
View File

@ -1821,7 +1821,8 @@ in
}; };
ceph-dev = ceph; ceph-dev = ceph;
certmgr = callPackage ../tools/security/certmgr { }; inherit (callPackages ../tools/security/certmgr { })
certmgr certmgr-selfsigned;
cfdg = callPackage ../tools/graphics/cfdg { }; cfdg = callPackage ../tools/graphics/cfdg { };