add after option to cert client

This commit is contained in:
James Andariese 2022-10-19 16:53:20 -05:00
parent 264dde6b1f
commit d915ad840d


@ -16,7 +16,7 @@ let cfg = config.security.cascade-certs;
}; };
}; };
confToService = n: {enabled, readers, minSecondsRemaining, readerGroups, vaultPkiRole, vaultPkiPath, issueOptions, ...}@opts: mkIf enabled { confToService = n: {enabled, after, readers, minSecondsRemaining, readerGroups, vaultPkiRole, vaultPkiPath, issueOptions, ...}@opts: mkIf enabled {
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
}; };
@ -25,9 +25,8 @@ let cfg = config.security.cascade-certs;
certFolder = "${cfg.destination}/${n}"; certFolder = "${cfg.destination}/${n}";
caFolder = "${cfg.destination}/@trust"; caFolder = "${cfg.destination}/@trust";
in '' in ''
set -x
PATH="${pkgs.curl}/bin:${pkgs.coreutils}/bin:${pkgs.jq}/bin:${pkgs.openssl}/bin:${pkgs.acl}/bin:$PATH" PATH="${pkgs.curl}/bin:${pkgs.coreutils}/bin:${pkgs.jq}/bin:${pkgs.openssl}/bin:${pkgs.acl}/bin:$PATH"
if [ -r ${shq certFolder}/cert.pem ] \ if [ -r ${shq certFolder}/cert.pem ] \
&& [ -h ${shq certFolder}/current ] \ && [ -h ${shq certFolder}/current ] \
&& openssl x509 -checkend ${shq minSecondsRemaining} -in ${shq certFolder}/cert.pem ;then && openssl x509 -checkend ${shq minSecondsRemaining} -in ${shq certFolder}/cert.pem ;then
@ -109,6 +108,8 @@ let cfg = config.security.cascade-certs;
fi fi
rm -rf "$f" rm -rf "$f"
done done
${after}
''; '';
}; };
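Review bot: `${after}` is spliced verbatim into the service's shell script after the cleanup loop, so it runs as the unit's user with the script's PATH and shell options, and a non-zero exit from it fails the oneshot unit — none of which the `after` option's description further down says; it only promises the snippet runs "after a new certificate is written". Whether the early `-checkend` branch from the previous hunk skips this line when the existing cert is still valid is decided by code outside the hunk, so that promise should be checked against the full script before the description makes it. Suggested description: `Shell snippet appended verbatim to the end of the certificate service script; it runs as the service user with the script's PATH, and a non-zero exit fails the unit.` The removal of `set -x` in the earlier hunk is also not mentioned in the commit title; dropping it stops every traced command line (presumably including the curl calls, given the PATH line) from being written to the journal, which is worth recording in the commit description.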
@ -258,6 +259,13 @@ options = with types; {
default = null; default = null;
}; };
after = mkOption {
type = lines;
description = ''
A script which will be run after a new certificate is written.
'';
default = "";
};
names = mkOption { names = mkOption {
type = listOf str; type = listOf str;
description = '' description = ''