Unverified Commit 8c51e99b authored by provokateurin's avatar provokateurin

nixos/step-ca: Allow not configuring the intermediatePasswordFile

It is not necessary for the intermediate certificate to have a password set,
but currently the intermediatePasswordFile value is always accessed to load the credential.
parent bf4eab3a
+16 −6
@@ -55,10 +55,13 @@ in
        '';
      };
      intermediatePasswordFile = lib.mkOption {
        type = lib.types.pathWith {
        type = lib.types.nullOr (
          lib.types.pathWith {
            inStore = false;
            absolute = true;
        };
          }
        );
        default = null;
        example = "/run/keys/smallstep-password";
        description = ''
          Path to the file containing the password for the intermediate
@@ -104,11 +107,18 @@ in
          ReadWritePaths = ""; # override upstream

          # LocalCredential handles file permission problems arising from the use of DynamicUser.
          LoadCredential = "intermediate_password:${cfg.intermediatePasswordFile}";
          LoadCredential = lib.mkIf (
            cfg.intermediatePasswordFile != null
          ) "intermediate_password:${cfg.intermediatePasswordFile}";

          ExecStart = [
            "" # override upstream
            "${cfg.package}/bin/step-ca /etc/smallstep/ca.json --password-file \${CREDENTIALS_DIRECTORY}/intermediate_password"
            (
              "${cfg.package}/bin/step-ca /etc/smallstep/ca.json"
              + lib.optionalString (
                cfg.intermediatePasswordFile != null
              ) " --password-file \${CREDENTIALS_DIRECTORY}/intermediate_password"
            )
          ];

          # ProtectProc = "invisible"; # not supported by upstream yet
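Review bot: The option description in the first hunk (`Path to the file containing the password for the intermediate`, which continues past the hunk) is not updated to say what the new `null` default means, so a reader of the module options cannot tell that it drops `--password-file` entirely rather than falling back to some default path. I would extend the description with a sentence such as `Set to null if the intermediate key is not encrypted; step-ca is then started without --password-file and no credential is loaded.` It is also worth a caveat there that the module has no way to verify that the key really is unencrypted: if it is encrypted and this option is `null`, step-ca will presumably try to prompt for the password, which in a systemd service with no stdin fails at service start rather than at evaluation time — confirm against step-ca's actual behaviour before wording it as a fact. As a point of style, the second hunk evaluates `cfg.intermediatePasswordFile != null` twice; a single `let hasPassword = cfg.intermediatePasswordFile != null;` above `serviceConfig` would keep `LoadCredential` and `ExecStart` from drifting apart. The enclosing `serviceConfig` attrset starts and ends outside the hunk.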