add generate-secrets pkg

generate-secrets.sh will also be used in generate-secrets.nix, so DRY
its dependency definitions.

pkgs/default.nix

@@ -9,4 +9,5 @@
   hwi = pkgs.callPackage ./hwi { };
   pylightning = pkgs.python3Packages.callPackage ./pylightning { };
   liquid-swap = pkgs.python3Packages.callPackage ./liquid-swap { };
+  generate-secrets = pkgs.callPackage ./generate-secrets { };
 }

pkgs/generate-secrets/default.nix

@@ -0,0 +1,6 @@
+{ pkgs }: with pkgs;
+
+writeScript "generate-secrets" ''
+  export PATH=${lib.makeBinPath [ coreutils apg openssl ]}
+  . ${./generate-secrets.sh} ${./openssl.cnf}
+''

pkgs/generate-secrets/generate-secrets.sh

@@ -0,0 +1,43 @@
+#!/bin/sh
+
+opensslConf=${1:-openssl.cnf}
+secretsFile=secrets.nix
+
+if [ ! -e "$secretsFile" ]; then
+    echo Write secrets to $secretsFile
+    makepw="apg -m 20 -x 20 -M Ncl -n 1"
+    {
+        echo \{
+        echo "  bitcoinrpcpassword = \"$($makepw)\";"
+        echo "  lnd-wallet-password = \"$($makepw)\";"
+        echo "  lightning-charge-api-token = \"$($makepw)\";"
+        echo "  liquidrpcpassword = \"$($makepw)\";"
+        echo "  spark-wallet-password = \"$($makepw)\";"
+        echo \}
+    } >> $secretsFile
+    echo Done
+else
+    echo $secretsFile already exists. Skipping.
+fi
+
+if [ ! -e nginx.key ] || [ ! -e nginx.cert ]; then
+    echo Generate Nginx Self-Signed Cert
+    openssl genrsa -out nginx.key 2048
+    openssl req -new -key nginx.key -out nginx.csr -subj "/C=KN"
+    openssl x509 -req -days 1825 -in nginx.csr -signkey nginx.key -out nginx.cert
+    rm nginx.csr
+    echo Done
+else
+    echo Nginx Cert already exists. Skipping.
+fi
+
+if [ ! -e lnd.key ] || [ ! -e lnd.cert ]; then
+    echo Generate LND compatible TLS Cert
+    openssl ecparam -genkey -name prime256v1 -out lnd.key
+    openssl req -config $opensslConf -new -sha256 -key lnd.key -out lnd.csr -subj '/CN=localhost/O=lnd'
+    openssl req -config $opensslConf -x509 -sha256 -days 1825 -key lnd.key -in lnd.csr -out lnd.cert
+    rm lnd.csr
+    echo Done
+else
+    echo LND cert already exists. Skipping.
+fi

pkgs/generate-secrets/openssl.cnf

@@ -0,0 +1,32 @@
+[ req ]
+#default_bits		= 2048
+#default_md		= sha256
+#default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions         = v3_ca
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_min			= 2
+countryName_max			= 2
+stateOrProvinceName		= State or Province Name (full name)
+localityName			= Locality Name (eg, city)
+0.organizationName		= Organization Name (eg, company)
+organizationalUnitName		= Organizational Unit Name (eg, section)
+commonName			= Common Name (eg, fully qualified host name)
+commonName_max			= 64
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+[ v3_ca ]
+subjectAltName			= @alt_names
+
+[ alt_names ]
+IP.1 = 127.0.0.1
+DNS.1 = localhost