nixos/step-ca: Adding module for step-ca #97225
Conversation
|
Planning to add documentation later today. |
ofborg
bot
added
6.topic: nixos
ofborg
bot
added
10.rebuild-darwin: 0
| description = "Port to listen on."; | ||
| }; | ||
| passwordFile = lib.mkOption { | ||
| type = lib.types.str; |
There was a problem hiding this comment.
lib.types.path is preferred for filesystem paths. https://nixos.org/manual/nixos/stable/index.html#sec-option-types-basic
| address = lib.mkOption { | ||
| type = lib.types.str; | ||
| default = ""; | ||
| description = "Address to listen at, defaults to all interfaces."; |
There was a problem hiding this comment.
An example should be added here to indicate the expected format:
example = "localhost";
| }; | ||
| name = lib.mkOption { | ||
| type = lib.types.str; | ||
| default = "SmallStep CA"; |
There was a problem hiding this comment.
A nitpick, but I think the "CA" part should be left out of the name because the resulting certificates would be named "Smallstep CA Root CA" and "Smallstep CA intermediate CA" otherwise.
| description = | ||
| "Path to file containing password of your first provisioner."; | ||
| }; | ||
| user = lib.mkOption { |
There was a problem hiding this comment.
This should be named provisioner as it would confuse people in two ways:
- The official docs refers to the option as "provisioner"
- The
useroption is commonly used throughout NixOS to refer to UNIX users
| user = lib.mkOption { | ||
| type = lib.types.str; | ||
| default = "admin"; | ||
| description = ""; |
There was a problem hiding this comment.
The description should be non-empty.
| description = ""; | |
| description = "The name of the first provisioner."; |
| ''; | ||
| serviceConfig = { | ||
| Type = "simple"; | ||
| ExecReload = "/run/current-system/sw/bin/kill -HUP $MAINPID"; |
There was a problem hiding this comment.
Specifying the exact package is preferred instead of relying on a global path.
| ExecReload = "/run/current-system/sw/bin/kill -HUP $MAINPID"; | |
| ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; |
| description = "Address to listen at, defaults to all interfaces."; | ||
| }; | ||
| port = lib.mkOption { | ||
| type = lib.types.int; |
There was a problem hiding this comment.
lib.types.port is preferred for ports. https://nixos.org/manual/nixos/stable/index.html#sec-option-types-basic
| }; | ||
| user = lib.mkOption { | ||
| type = lib.types.str; | ||
| default = "admin"; |
There was a problem hiding this comment.
A nit, but I think we should stick to the official example as the default. https://smallstep.com/docs/step-ca/getting-started
| default = "admin"; | |
| default = "you@smallstep.com"; |
| }; | ||
| port = lib.mkOption { | ||
| type = lib.types.int; | ||
| default = 9075; |
There was a problem hiding this comment.
I think we should stick to the official example here too. https://smallstep.com/docs/step-ca/getting-started
| default = 9075; | |
| default = 8443; |
| serviceConfig = { | ||
| Type = "simple"; | ||
| ExecReload = "/run/current-system/sw/bin/kill -HUP $MAINPID"; | ||
| PIDFile = "step-ca.pid"; |
There was a problem hiding this comment.
Another nit, but this should be unnecessary for Type = simple services. Users can explicitly enable this by manually specifying systemd.services.step-ca.serviceConfig.PIDFile in their NixOS configuration instead.
|
@midchildan All good points thanks! Planning to spend a bit of time fixing these nits up tomorrow, just been swamped at work. |
|
@Church- don't you also need to add: diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 1ccfba68453..ff8798c133e 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -836,6 +836,7 @@
./services/security/shibboleth-sp.nix
./services/security/sks.nix
./services/security/sshguard.nix
+ ./services/security/step-ca.nix
./services/security/tor.nix
./services/security/torify.nix
./services/security/torsocks.nix(Also adressing the feedback would probably be nice). |
|
Since #112322 was merged, can we close this one? |
|
I believe so. |
nixos: Adding module for step-ca, set up by default to allow for both regular x.509 certs and SSH certs as well.
Motivation for this change
There wasn't already a module, and having an easily set up root CA is something I've found to be fairly useful.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)