sid/sid.ovh
1
0
Fork 0
Code Issues 3 Pull requests 2 Projects Releases Packages Wiki Activity Actions

Merge pull request 'step-ca' (#22) from step-ca into develop
All checks were successful
Build hosts / build-hosts (pull_request) Successful in 21s
Details
Flake check / flake-check (pull_request) Successful in 20s
Details

Browse source 
Reviewed-on: #22
This commit is contained in:
sid 2026-04-18 23:40:10 +02:00
commit 4ad7efb3db
12 changed files with 185 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

12
certs/intermediate_ca.crt Normal file
View file

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIB2TCCAX6gAwIBAgIQQkLUt4eUkj1iHx/bSnS7CTAKBggqhkjOPQQDAjA2MRUw
EwYDVQQKEwxzaWQtaW50ZXJuYWwxHTAbBgNVBAMTFHNpZC1pbnRlcm5hbCBSb290
IENBMB4XDTI2MDQxODIwMzkwM1oXDTM2MDQxNTIwMzkwM1owPjEVMBMGA1UEChMM
c2lkLWludGVybmFsMSUwIwYDVQQDExxzaWQtaW50ZXJuYWwgSW50ZXJtZWRpYXRl
IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEARbL4O6VO4zrlXGTIQtf20A5
BuytQgR99rUnWxQOXay1hyPyVeXAFyKWFyQ/vJNHRrMw8TjY829wWkxjFrAj66Nm
MGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYE
FCt20qDkibwOESQ4yUBDmh0m0MX4MB8GA1UdIwQYMBaAFFqIEAJENmQdkxT3Lxix
QXhY8H7lMAoGCCqGSM49BAMCA0kAMEYCIQCwrStylYQB2hV2VifA8erEJQCFwPZ+
jwcUHAZBKHBb7gIhAIfWurRwLLoXfsx5Ri1rY2JrVVnfPuENqMMcAlOHz/8J
-----END CERTIFICATE-----

12
certs/root_ca.crt Normal file
View file

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIBrzCCAVWgAwIBAgIQDV0M0pLkCXvARpa+ipSx8jAKBggqhkjOPQQDAjA2MRUw
EwYDVQQKEwxzaWQtaW50ZXJuYWwxHTAbBgNVBAMTFHNpZC1pbnRlcm5hbCBSb290
IENBMB4XDTI2MDQxODIwMzkwMloXDTM2MDQxNTIwMzkwMlowNjEVMBMGA1UEChMM
c2lkLWludGVybmFsMR0wGwYDVQQDExRzaWQtaW50ZXJuYWwgUm9vdCBDQTBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABCH2VmIwKEjdma4UymD7RWuGcaT2algrL5nm
TE0NzP8giezdU9bEP487AvUPPibSYDWxdp4ycbl6qNVTiy29xkmjRTBDMA4GA1Ud
DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRaiBACRDZk
HZMU9y8YsUF4WPB+5TAKBggqhkjOPQQDAgNIADBFAiAh+b49V2VTnT6nRCRM0Qwq
ruzayrrnmF7pIxi9PVFwBQIhANQsL3ok4gCTRAnT0mUXSyWexzSESZ1lkpLYiyoj
RgLi
-----END CERTIFICATE-----

3
constants.nix
View file

@ -1,6 +1,7 @@
rec { rec {
domain = "sid.ovh"; domain = "sid.ovh";
intranet = "intra." + domain; intranet = "i." + domain;
ca-fqdn = "ca." + intranet;
hosts = { hosts = {
sid = { sid = {
ip = "100.64.0.6"; ip = "100.64.0.6";

7
hosts/sid/secrets/secrets.yaml
View file

@ -32,6 +32,9 @@ mailserver:
vaultwarden: ENC[AES256_GCM,data:nSiiyurI0pNGlJiHpgu5jUQIq688IbPKlJCvx4jrFN9TwIY+kfVOaO4KWKkavBYfMZqMuEBr7EAdRULS,iv:OpgfXl1uYLgjOGDTkXFj/wPFUoE6uK89gtXLsB2x6gE=,tag:knJkNQnRCNcc/2nKBYdVCw==,type:str] vaultwarden: ENC[AES256_GCM,data:nSiiyurI0pNGlJiHpgu5jUQIq688IbPKlJCvx4jrFN9TwIY+kfVOaO4KWKkavBYfMZqMuEBr7EAdRULS,iv:OpgfXl1uYLgjOGDTkXFj/wPFUoE6uK89gtXLsB2x6gE=,tag:knJkNQnRCNcc/2nKBYdVCw==,type:str]
radicale: radicale:
sid: ENC[AES256_GCM,data:/OgIrXnGttIymGw98feiUjKPOIlrgRIC0TNCdBnuJOiA0RzbF0b9SMVzwEZiTEmS82g2lSvxQkE4kZjeOgOC0RLvCyZAmtWojq+g1pN0qhEkhwH0Qtu9wNnSYHuRqh2E5nWzHNGl/eF6zQ==,iv:5XtlyXjpB+XrVvJ7IoM7Gu63xA8vYrcJjUjLPmOMAIU=,tag:SAuYl/wzxnINyVWn9nI5yA==,type:str] sid: ENC[AES256_GCM,data:/OgIrXnGttIymGw98feiUjKPOIlrgRIC0TNCdBnuJOiA0RzbF0b9SMVzwEZiTEmS82g2lSvxQkE4kZjeOgOC0RLvCyZAmtWojq+g1pN0qhEkhwH0Qtu9wNnSYHuRqh2E5nWzHNGl/eF6zQ==,iv:5XtlyXjpB+XrVvJ7IoM7Gu63xA8vYrcJjUjLPmOMAIU=,tag:SAuYl/wzxnINyVWn9nI5yA==,type:str]
step-ca:
password: ENC[AES256_GCM,data:8/6NA3WpII0LmDOp5ISnHKeaXn5LM4gpiI47JTso23c=,iv:fi2eMGG1lOwdK5+98Hp7vZ101GKRip5Xgq9k+vnC9yI=,tag:oENvvsEbKSHFfLoXcJlPkg==,type:str]
intermediate-key: ENC[AES256_GCM,data:yGZLSd7ydx9wNFpWWPcyUBwZQZbyziGleCWSxurFniBCauw2h4hcPc4c4I/7cjl1vRUv41WfzWu1PtXnZ3lNHOC6tTbiikHFBgGiHk2Lhddx+NESUWmgNiejJR/UDW4T25W9OHxwLCV9pmHf4fjyT/REymGIB7kbcRryWqcWtoZWYaL7JooJornm5mMU1Be+MCfxusTGQA4gQsT5/bu20iEGPwgY3fEgZLQWzKFI2kD2lYlMC8CRxoZO32uTizzooW1+zKng1qSZ7aobFJsbSKRYpYDv9Vvfwltcczb+xo+yZL3pfoEiqAxPzeG/48lRVNf1nftM5esBRGIIPr9BV9+7fbe5DFbSRDtAWspEnp9R5ENj1rbNint/fjCcStg3OfFMdv6N8cQyIpQyHCiBLiG4z+xyFcn0iW4=,iv:BhUoeaoetI5vJk9wOHhBI2ebHWCPeXz8U2ta/xEeUxM=,tag:7xg5ilOSJP1rFlSmmZVZUg==,type:str]
sops: sops:
age: age:
- recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
@ -52,7 +55,7 @@ sops:
RzhnczA0S1pxcXZncGpWVHNYQW96L28K+ytH3PPyg4+wibpAQhp02RiSfZ83EDRB RzhnczA0S1pxcXZncGpWVHNYQW96L28K+ytH3PPyg4+wibpAQhp02RiSfZ83EDRB
UJ8UV1d+51D0e2A1sI95r2AzDj4jfwUnI+LYDPC/qEpsu5LFLGVyeg== UJ8UV1d+51D0e2A1sI95r2AzDj4jfwUnI+LYDPC/qEpsu5LFLGVyeg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-15T22:25:00Z" lastmodified: "2026-04-18T20:48:28Z"
mac: ENC[AES256_GCM,data:/Y68+WlI/BykmwajvluW1EiCfzdfIJe+nDwstqusqhwhc7h5exD5xuuU9CB0lcUGwODwrIfWECWLLhJfn86/Wc2WDT2yinIj89mik/rRB0klMx75v0w1v6vxiYuQU0WHPtajDuuaMTo1QxJFczZt0RVPtDPwmVip5EEQpNsqzig=,iv:gWqFTUP7PAk5QzRfKFpTD5iCdneciih0HM8am8+TS/8=,tag:E1QY6PnM3oFZm/qfrL/8dg==,type:str] mac: ENC[AES256_GCM,data:RDhfanP4bN68/gVivoDxxOI4r/Pdov4qI/dldmC+RBHg1kzwJsneLxEHS2KEQhtXwR8y22WJ62pIgLA7WZHdCSIqL6cbJ4V8ImQmlJHYVnaGrkgFdbzUFi8B15jRwHTywhC3+CdxoeppzGFFCUnHDbPWVfDaVXmgHeHRPJoQHck=,iv:+pAAtvwPJz0PRIeywt9GhQL8P57cCy6hhOgoUGjIexc=,tag:d7h2XdPmkdnJd9j65llFsw==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.1 version: 3.12.1

32
hosts/sid/services/coredns.nix Normal file
View file

@ -0,0 +1,32 @@
{ constants, ... }:
{
services.resolved.enable = false;
networking.resolvconf.enable = false;
networking.nameservers = [ constants.hosts.sid.ip ];
services.coredns = {
enable = true;
config = with constants; ''
.:53 {
bind 127.0.0.1 ${hosts.sid.ip}
hosts {
${hosts.sid.ip} ${ca-fqdn}
${hosts.rx4.ip} ${services.vaultwarden.fqdn}
${hosts.rx4.ip} ${services.webdav.fqdn}
${hosts.rx4.ip} rx4.tail
${hosts.sid.ip} ${services.netdata.fqdn}
${hosts.sid.ip} sid.tail
${hosts.vde.ip} vde.tail
fallthrough
}
forward . 1.1.1.1
cache
log
errors
}
'';
};
}

2
hosts/sid/services/default.nix
View file

@ -10,11 +10,13 @@
outputs.nixosModules.tailscale outputs.nixosModules.tailscale
./coredns.nix
./headscale.nix ./headscale.nix
./mailserver.nix ./mailserver.nix
./matrix-synapse.nix ./matrix-synapse.nix
./netdata.nix ./netdata.nix
./nginx.nix ./nginx.nix
./radicale.nix ./radicale.nix
./step-ca.nix
]; ];
} }

2
hosts/sid/services/headscale.nix
View file

@ -26,7 +26,7 @@
}; };
settings = { settings = {
dns = { dns = {
magic_dns = true; # NOTE: should coredns handle everything? magic_dns = true;
}; };
}; };
}; };

56
hosts/sid/services/nginx.nix
View file

@ -1,7 +1,6 @@
{ {
inputs, inputs,
constants, constants,
config,
lib, lib,
... ...
}: }:
@ -16,33 +15,6 @@ in
inputs.synix.nixosModules.nginx inputs.synix.nixosModules.nginx
]; ];
services.resolved.enable = false;
networking.resolvconf.enable = false;
networking.nameservers = [ constants.hosts.sid.ip ];
services.coredns = {
enable = true;
config = with constants; ''
.:53 {
bind 127.0.0.1 ${hosts.sid.ip}
hosts {
${hosts.rx4.ip} ${services.vaultwarden.fqdn}
${hosts.rx4.ip} ${services.webdav.fqdn}
${hosts.rx4.ip} rx4.tail
${hosts.sid.ip} ${services.netdata.fqdn}
${hosts.sid.ip} sid.tail
${hosts.vde.ip} vde.tail
fallthrough
}
forward . 1.1.1.1
cache
log
errors
}
'';
};
services.nginx = { services.nginx = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
@ -62,10 +34,10 @@ in
address = constants.hosts.rx4.ip; address = constants.hosts.rx4.ip;
port = constants.services.miniflux.port; port = constants.services.miniflux.port;
}; };
# virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost { virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost {
# inherit ssl; inherit ssl;
# port = constants.services.netdata.port; port = constants.services.netdata.port;
# }; };
virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost { virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost {
inherit ssl; inherit ssl;
address = constants.hosts.rx4.ip; address = constants.hosts.rx4.ip;
@ -83,16 +55,16 @@ in
address = constants.hosts.rx4.ip; address = constants.hosts.rx4.ip;
port = constants.services.rsshub-oci.port; port = constants.services.rsshub-oci.port;
}; };
# virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost { virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost {
# inherit ssl; inherit ssl;
# address = constants.hosts.rx4.ip; address = constants.hosts.rx4.ip;
# port = constants.services.vaultwarden.port; port = constants.services.vaultwarden.port;
# }; };
# virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost { virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
# inherit ssl; inherit ssl;
# address = constants.hosts.rx4.ip; address = constants.hosts.rx4.ip;
# port = constants.services.webdav.port; port = constants.services.webdav.port;
# }; };
# FIXME # FIXME
# virtualHosts."print.sid.ovh" = { # virtualHosts."print.sid.ovh" = {
# enableACME = true; # enableACME = true;

99
hosts/sid/services/step-ca.nix Normal file
View file

@ -0,0 +1,99 @@
{
constants,
config,
pkgs,
...
}:
let
cfg = config.services.step-ca;
in
{
services.step-ca = {
enable = true;
address = "127.0.0.1";
port = 8443;
openFirewall = true;
intermediatePasswordFile = config.sops.secrets."step-ca/password".path;
# nix-shell -p step-cli --run "step ca init"
settings = {
root = ../../../certs/root_ca.crt;
crt = ../../../certs/intermediate_ca.crt;
key = config.sops.secrets."step-ca/intermediate-key".path;
dnsNames = [
constants.ca-fqdn
constants.hosts.sid.ip
];
logger = {
format = "text";
};
db = {
type = "badgerv2";
dataSource = "/var/lib/step-ca/db";
};
authority = {
provisioners = [
{
type = "ACME";
name = "acme";
}
{
type = "JWK";
name = "sid@sid.ovh";
key = {
use = "sig";
kty = "EC";
kid = "w3fV4U-frlyTnBMg4yNYrLsn8_mY98H8HthoscpoVrg";
crv = "P-256";
alg = "ES256";
x = "KZCDecn4sb87T3UO6JsIzJVtr4Aa0UcYzYDNBUM6F7M";
y = "CbGHn9tXQbV0Ur2VuXITLnWgfxCRmKEoUdMUmrP9Qkw";
};
encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiZS1MUDhDYlE4dzVuMF9nUGhXOWtGdyJ9.rgsqo58rJFWaociSqiPg3E1alAeqoHWubJi4n2uoUFYp3YTWaYZzqA.6P6oimHsKGdCWruo.fNaDr50IXCtCe7W7VIXuS3rlfin_R0nogNpIJ9C6szYg8k10UylircUs14Zl1EHQ9lFeJovb1y1uljzBajMGkOAGlMvashrphVkXiSxHWKDhzbrItJx3qChLtSLJJtXiXPbJQKCAeBjztqPuTw6dI4Z6IR9---kiTvzF6I9KE8afGFlMSubGjr9FnqgiOb2JiZuTfcBGDx78puxdWzUrEEVlliHdv2agbKhY0b13x-obaTIWwlqLFbasv7kPneJ8Ggp7IHHr5uDcUrqVKkTfBrD0lelXm6SwJTHGMkty6inlwSflT9mxvkNq7OGV9triPQc8AGVv0c7t7dHoX_E.tSjJqttCS6zLI_-7zPdXNQ";
}
];
};
tls = {
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
];
minVersion = "1.2";
maxVersion = "1.3";
renegotiation = false;
};
};
};
environment.systemPackages = [
pkgs.step-cli
];
systemd.tmpfiles.rules = [
"d /var/lib/acme/acme-challenge 0755 acme nginx"
];
security.acme = {
certs."sid-internal" = {
domain = "*.${constants.intranet}";
server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory";
};
};
sops =
let
owner = "step-ca";
group = "step-ca";
mode = "0400";
in
{
secrets = {
"step-ca/password" = {
inherit owner group mode;
};
"step-ca/intermediate-key" = {
inherit owner group mode;
};
};
};
}

2
modules/nixos/common/default.nix
View file

@ -5,6 +5,8 @@
./nix.nix ./nix.nix
./overlays.nix ./overlays.nix
../pki
inputs.synix.nixosModules.device.server inputs.synix.nixosModules.device.server
]; ];

1
modules/nixos/default.nix
View file

@ -6,6 +6,7 @@
forgejo-runner = import ./forgejo-runner; forgejo-runner = import ./forgejo-runner;
gnome = import ./gnome; gnome = import ./gnome;
monero = import ./monero; monero = import ./monero;
pki = import ./pki;
rsshub-oci = import ./rsshub-oci; rsshub-oci = import ./rsshub-oci;
tailscale = import ./tailscale; tailscale = import ./tailscale;
xfce = import ./xfce; xfce = import ./xfce;

3
modules/nixos/pki/default.nix Normal file
View file

@ -0,0 +1,3 @@
{
security.pki.certificateFiles = [ ../../../certs/root_ca.crt ];
}