Merge pull request #45567 from johanot/certmgr-rootca-patch

certmgr: Add patch for optional trust of self-signed certificates at remote cfssl apiserver
2024-11-27 01:13:05 +00:00 · 2019-01-30 17:37:42 +00:00 · 2019-01-30 17:37:42 +00:00 · 72f324dbc7
commit 72f324dbc7
parent 5b622c115d 4602b43a33
3 changed files with 48 additions and 20 deletions
--- a/nixos/modules/services/security/certmgr.nix
+++ b/nixos/modules/services/security/certmgr.nix
@ -30,13 +30,20 @@ let

  preStart = ''
    ${concatStringsSep " \\\n" (["mkdir -p"] ++ map escapeShellArg specPaths)}
-    ${pkgs.certmgr}/bin/certmgr -f ${certmgrYaml} check
+    ${cfg.package}/bin/certmgr -f ${certmgrYaml} check
  '';
 in
 {
  options.services.certmgr = {
    enable = mkEnableOption "certmgr";

+    package = mkOption {
+      type = types.package;
+      default = pkgs.certmgr;
+      defaultText = "pkgs.certmgr";
+      description = "Which certmgr package to use in the service.";
+    };
+
    defaultRemote = mkOption {
      type = types.str;
      default = "127.0.0.1:8888";
@ -187,7 +194,7 @@ in
      serviceConfig = {
        Restart = "always";
        RestartSec = "10s";
-        ExecStart = "${pkgs.certmgr}/bin/certmgr -f ${certmgrYaml}";
+        ExecStart = "${cfg.package}/bin/certmgr -f ${certmgrYaml}";
      };
    };
  };
--- a/pkgs/tools/security/certmgr/default.nix
+++ b/pkgs/tools/security/certmgr/default.nix
@ -1,23 +1,43 @@
-{ stdenv, buildGoPackage, fetchFromGitHub }:
+{ stdenv, buildGoPackage, fetchFromGitHub, fetchpatch }:

-buildGoPackage rec {
-  version = "1.6.1";
-  name = "certmgr-${version}";
+let
+  generic = { patches ? [] }:
+    buildGoPackage rec {
+      version = "1.6.1";
+      name = "certmgr-${version}";

-  goPackagePath = "github.com/cloudflare/certmgr/";
+      goPackagePath = "github.com/cloudflare/certmgr/";

-  src = fetchFromGitHub {
-    owner = "cloudflare";
-    repo = "certmgr";
-    rev = "v${version}";
-    sha256 = "1ky2pw1wxrb2fxfygg50h0mid5l023x6xz9zj5754a023d01qqr2";
-  };
+      src = fetchFromGitHub {
+        owner = "cloudflare";
+        repo = "certmgr";
+        rev = "v${version}";
+        sha256 = "1ky2pw1wxrb2fxfygg50h0mid5l023x6xz9zj5754a023d01qqr2";
+      };

-  meta = with stdenv.lib; {
-    homepage = https://cfssl.org/;
-    description = "Cloudflare's certificate manager";
-    platforms = platforms.linux;
-    license = licenses.bsd2;
-    maintainers = with maintainers; [ johanot srhb ];
+      inherit patches;
+
+      meta = with stdenv.lib; {
+        homepage = https://cfssl.org/;
+        description = "Cloudflare's certificate manager";
+        platforms = platforms.linux;
+        license = licenses.bsd2;
+        maintainers = with maintainers; [ johanot srhb ];
+      };
+    };
+in
+{
+  certmgr = generic {};
+
+  certmgr-selfsigned = generic {
+    # The following patch makes it possible to use a self-signed x509 cert
+    # for the cfssl apiserver.
+    # TODO: remove patch when PR is merged.
+    patches = [
+      (fetchpatch {
+        url    = "https://github.com/cloudflare/certmgr/pull/51.patch";
+        sha256 = "0jhsw159d2mgybvbbn6pmvj4yqr5cwcal5fjwkcn9m4f4zlb6qrs";
+      })
+    ];
  };
 }
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -1821,7 +1821,8 @@ in
  };
  ceph-dev = ceph;

-  certmgr = callPackage ../tools/security/certmgr { };
+  inherit (callPackages ../tools/security/certmgr { })
+    certmgr certmgr-selfsigned;

  cfdg = callPackage ../tools/graphics/cfdg { };