# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
  stdenv,
  openssl,
  k8s,
  key_name,
  ...
}:
stdenv.mkDerivation (finalAttrs: {
  name = "tls-key-${key_name}";
  nativeBuildInputs = [ openssl ];
  buildInputs = [ ];

  unpackPhase = "true";

  buildPhase = ''
    cp ${k8s.ca}/ca.crt ${k8s.ca}/ca.key ./

    openssl genrsa -out "${key_name}.key" 4096

    openssl req -new -key "${key_name}.key" -sha256 \
            -config "${../k8s-ca/files/ca.conf}" -section ${key_name} \
            -out "${key_name}.csr"

    openssl x509 -req -days 3653 -in "${key_name}.csr" \
            -copy_extensions copyall \
            -sha256 -CA "./ca.crt" \
            -CAkey "./ca.key" \
            -CAcreateserial \
            -out "${key_name}.crt"
  '';

  installPhase = ''
    mkdir "$out"
    cp "${key_name}.crt" "${key_name}.key" $out/
  '';
})