117 lines
4.1 KiB
Nix
117 lines
4.1 KiB
Nix
{ lib, config, ... }:
|
|
let
|
|
cfg = config.khscodes.vault;
|
|
in
|
|
{
|
|
options.khscodes.vault = {
|
|
pki_secret_backend_root_cert = lib.mkOption {
|
|
type = lib.types.attrsOf (
|
|
lib.khscodes.mkSubmodule {
|
|
options = {
|
|
backend = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "Path of the backend";
|
|
default = "pki";
|
|
};
|
|
type = lib.mkOption {
|
|
type = lib.types.enum [
|
|
"exported"
|
|
"internal"
|
|
"kms"
|
|
];
|
|
description = "Type of intermediate to create. Must be either \"exported\", \"internal\" or \"kms\"";
|
|
};
|
|
common_name = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "CN of intermediate to create";
|
|
};
|
|
ttl = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "TTL for the root certificate, in seconds";
|
|
default = "315360000";
|
|
};
|
|
key_type = lib.mkOption {
|
|
type = lib.types.enum [
|
|
"rsa"
|
|
"ed25519"
|
|
"ec"
|
|
];
|
|
description = "Specifies the desired key type; must be rsa, ed25519 or ec.";
|
|
default = "ed25519";
|
|
};
|
|
issuer_name = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.str;
|
|
default = null;
|
|
description = "Name's the issuer when signing new certificates";
|
|
};
|
|
};
|
|
description = "vault_pki_secret_backend_root_cert";
|
|
}
|
|
);
|
|
description = "Generates a new self-signed CA certificate and private keys for the PKI Secret Backend.";
|
|
default = { };
|
|
};
|
|
pki_secret_backend_role = lib.mkOption {
|
|
type = lib.types.attrsOf (
|
|
lib.khscodes.mkSubmodule {
|
|
options = {
|
|
backend = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "Path of the backend";
|
|
default = "pki";
|
|
};
|
|
name = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "The name to identify this role within the backend. Must be unique within the backend.";
|
|
};
|
|
allowed_domains = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
description = "List of allowed domains for certificates";
|
|
};
|
|
enforce_hostnames = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.bool;
|
|
default = null;
|
|
description = "Flag to allow only valid host names";
|
|
};
|
|
allow_bare_domains = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.bool;
|
|
default = null;
|
|
description = "Flag to allow certificates matching the actual domain";
|
|
};
|
|
server_flag = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.bool;
|
|
default = null;
|
|
description = "Flag to specify certificates for server use";
|
|
};
|
|
client_flag = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.bool;
|
|
default = null;
|
|
description = "Flag to specify certificates for client use";
|
|
};
|
|
key_type = lib.mkOption {
|
|
type = lib.types.enum [
|
|
"rsa"
|
|
"ed25519"
|
|
"ec"
|
|
];
|
|
description = "Specifies the desired key type; must be rsa, ed25519 or ec.";
|
|
default = "ed25519";
|
|
};
|
|
};
|
|
description = "vault_pki_secret_backend_role";
|
|
}
|
|
);
|
|
default = { };
|
|
};
|
|
};
|
|
config = lib.mkIf cfg.enable {
|
|
resource.vault_pki_secret_backend_root_cert = lib.mapAttrs' (name: value: {
|
|
name = lib.khscodes.sanitize-terraform-name name;
|
|
value = value;
|
|
}) cfg.pki_secret_backend_root_cert;
|
|
resource.vault_pki_secret_backend_role = lib.mapAttrs' (name: value: {
|
|
name = lib.khscodes.sanitize-terraform-name name;
|
|
value = value;
|
|
}) cfg.pki_secret_backend_role;
|
|
};
|
|
}
|