diff --git a/certs/intermediate_ca.crt b/certs/intermediate_ca.crt
new file mode 100644
index 0000000..e2d8aba
--- /dev/null
+++ b/certs/intermediate_ca.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2TCCAX6gAwIBAgIQQkLUt4eUkj1iHx/bSnS7CTAKBggqhkjOPQQDAjA2MRUw
+EwYDVQQKEwxzaWQtaW50ZXJuYWwxHTAbBgNVBAMTFHNpZC1pbnRlcm5hbCBSb290
+IENBMB4XDTI2MDQxODIwMzkwM1oXDTM2MDQxNTIwMzkwM1owPjEVMBMGA1UEChMM
+c2lkLWludGVybmFsMSUwIwYDVQQDExxzaWQtaW50ZXJuYWwgSW50ZXJtZWRpYXRl
+IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEARbL4O6VO4zrlXGTIQtf20A5
+BuytQgR99rUnWxQOXay1hyPyVeXAFyKWFyQ/vJNHRrMw8TjY829wWkxjFrAj66Nm
+MGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYE
+FCt20qDkibwOESQ4yUBDmh0m0MX4MB8GA1UdIwQYMBaAFFqIEAJENmQdkxT3Lxix
+QXhY8H7lMAoGCCqGSM49BAMCA0kAMEYCIQCwrStylYQB2hV2VifA8erEJQCFwPZ+
+jwcUHAZBKHBb7gIhAIfWurRwLLoXfsx5Ri1rY2JrVVnfPuENqMMcAlOHz/8J
+-----END CERTIFICATE-----
diff --git a/certs/root_ca.crt b/certs/root_ca.crt
new file mode 100644
index 0000000..44abf61
--- /dev/null
+++ b/certs/root_ca.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBrzCCAVWgAwIBAgIQDV0M0pLkCXvARpa+ipSx8jAKBggqhkjOPQQDAjA2MRUw
+EwYDVQQKEwxzaWQtaW50ZXJuYWwxHTAbBgNVBAMTFHNpZC1pbnRlcm5hbCBSb290
+IENBMB4XDTI2MDQxODIwMzkwMloXDTM2MDQxNTIwMzkwMlowNjEVMBMGA1UEChMM
+c2lkLWludGVybmFsMR0wGwYDVQQDExRzaWQtaW50ZXJuYWwgUm9vdCBDQTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABCH2VmIwKEjdma4UymD7RWuGcaT2algrL5nm
+TE0NzP8giezdU9bEP487AvUPPibSYDWxdp4ycbl6qNVTiy29xkmjRTBDMA4GA1Ud
+DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRaiBACRDZk
+HZMU9y8YsUF4WPB+5TAKBggqhkjOPQQDAgNIADBFAiAh+b49V2VTnT6nRCRM0Qwq
+ruzayrrnmF7pIxi9PVFwBQIhANQsL3ok4gCTRAnT0mUXSyWexzSESZ1lkpLYiyoj
+RgLi
+-----END CERTIFICATE-----
diff --git a/constants.nix b/constants.nix
index cfa6d05..e38e39d 100644
--- a/constants.nix
+++ b/constants.nix
@@ -1,6 +1,7 @@
 rec {
 domain = "sid.ovh";
- intranet = "intra." + domain;
+ intranet = "i." + domain;
+ ca-fqdn = "ca." + intranet;
 hosts = {
 sid = {
 ip = "100.64.0.6";
diff --git a/hosts/sid/secrets/secrets.yaml b/hosts/sid/secrets/secrets.yaml
index 7d553c7..372dccc 100644
--- a/hosts/sid/secrets/secrets.yaml
+++ b/hosts/sid/secrets/secrets.yaml
@@ -32,6 +32,9 @@ mailserver:
 vaultwarden: ENC[AES256_GCM,data:nSiiyurI0pNGlJiHpgu5jUQIq688IbPKlJCvx4jrFN9TwIY+kfVOaO4KWKkavBYfMZqMuEBr7EAdRULS,iv:OpgfXl1uYLgjOGDTkXFj/wPFUoE6uK89gtXLsB2x6gE=,tag:knJkNQnRCNcc/2nKBYdVCw==,type:str]
 radicale:
 sid: ENC[AES256_GCM,data:/OgIrXnGttIymGw98feiUjKPOIlrgRIC0TNCdBnuJOiA0RzbF0b9SMVzwEZiTEmS82g2lSvxQkE4kZjeOgOC0RLvCyZAmtWojq+g1pN0qhEkhwH0Qtu9wNnSYHuRqh2E5nWzHNGl/eF6zQ==,iv:5XtlyXjpB+XrVvJ7IoM7Gu63xA8vYrcJjUjLPmOMAIU=,tag:SAuYl/wzxnINyVWn9nI5yA==,type:str]
+step-ca:
+ password: ENC[AES256_GCM,data:8/6NA3WpII0LmDOp5ISnHKeaXn5LM4gpiI47JTso23c=,iv:fi2eMGG1lOwdK5+98Hp7vZ101GKRip5Xgq9k+vnC9yI=,tag:oENvvsEbKSHFfLoXcJlPkg==,type:str]
+ intermediate-key: ENC[AES256_GCM,data:yGZLSd7ydx9wNFpWWPcyUBwZQZbyziGleCWSxurFniBCauw2h4hcPc4c4I/7cjl1vRUv41WfzWu1PtXnZ3lNHOC6tTbiikHFBgGiHk2Lhddx+NESUWmgNiejJR/UDW4T25W9OHxwLCV9pmHf4fjyT/REymGIB7kbcRryWqcWtoZWYaL7JooJornm5mMU1Be+MCfxusTGQA4gQsT5/bu20iEGPwgY3fEgZLQWzKFI2kD2lYlMC8CRxoZO32uTizzooW1+zKng1qSZ7aobFJsbSKRYpYDv9Vvfwltcczb+xo+yZL3pfoEiqAxPzeG/48lRVNf1nftM5esBRGIIPr9BV9+7fbe5DFbSRDtAWspEnp9R5ENj1rbNint/fjCcStg3OfFMdv6N8cQyIpQyHCiBLiG4z+xyFcn0iW4=,iv:BhUoeaoetI5vJk9wOHhBI2ebHWCPeXz8U2ta/xEeUxM=,tag:7xg5ilOSJP1rFlSmmZVZUg==,type:str]
 sops:
 age:
 - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
@@ -52,7 +55,7 @@ sops:
 RzhnczA0S1pxcXZncGpWVHNYQW96L28K+ytH3PPyg4+wibpAQhp02RiSfZ83EDRB
 UJ8UV1d+51D0e2A1sI95r2AzDj4jfwUnI+LYDPC/qEpsu5LFLGVyeg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-04-15T22:25:00Z"
- mac: ENC[AES256_GCM,data:/Y68+WlI/BykmwajvluW1EiCfzdfIJe+nDwstqusqhwhc7h5exD5xuuU9CB0lcUGwODwrIfWECWLLhJfn86/Wc2WDT2yinIj89mik/rRB0klMx75v0w1v6vxiYuQU0WHPtajDuuaMTo1QxJFczZt0RVPtDPwmVip5EEQpNsqzig=,iv:gWqFTUP7PAk5QzRfKFpTD5iCdneciih0HM8am8+TS/8=,tag:E1QY6PnM3oFZm/qfrL/8dg==,type:str]
+ lastmodified: "2026-04-18T20:48:28Z"
+ mac: ENC[AES256_GCM,data:RDhfanP4bN68/gVivoDxxOI4r/Pdov4qI/dldmC+RBHg1kzwJsneLxEHS2KEQhtXwR8y22WJ62pIgLA7WZHdCSIqL6cbJ4V8ImQmlJHYVnaGrkgFdbzUFi8B15jRwHTywhC3+CdxoeppzGFFCUnHDbPWVfDaVXmgHeHRPJoQHck=,iv:+pAAtvwPJz0PRIeywt9GhQL8P57cCy6hhOgoUGjIexc=,tag:d7h2XdPmkdnJd9j65llFsw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.12.1
diff --git a/hosts/sid/services/coredns.nix b/hosts/sid/services/coredns.nix
new file mode 100644
index 0000000..0d8e036
--- /dev/null
+++ b/hosts/sid/services/coredns.nix
@@ -0,0 +1,32 @@
+{ constants, ... }:
+
+{
+ services.resolved.enable = false;
+ networking.resolvconf.enable = false;
+
+ networking.nameservers = [ constants.hosts.sid.ip ];
+
+ services.coredns = {
+ enable = true;
+ config = with constants; ''
+ .:53 {
+ bind 127.0.0.1 ${hosts.sid.ip}
+ hosts {
+ ${hosts.sid.ip} ${ca-fqdn}
+
+ ${hosts.rx4.ip} ${services.vaultwarden.fqdn}
+ ${hosts.rx4.ip} ${services.webdav.fqdn}
+ ${hosts.rx4.ip} rx4.tail
+ ${hosts.sid.ip} ${services.netdata.fqdn}
+ ${hosts.sid.ip} sid.tail
+ ${hosts.vde.ip} vde.tail
+ fallthrough
+ }
+ forward . 1.1.1.1
+ cache
+ log
+ errors
+ }
+ '';
+ };
+}
diff --git a/hosts/sid/services/default.nix b/hosts/sid/services/default.nix
index 42e8eed..c753168 100644
--- a/hosts/sid/services/default.nix
+++ b/hosts/sid/services/default.nix
@@ -10,6 +10,7 @@ outputs.nixosModules.tailscale + ./coredns.nix ./headscale.nix ./mailserver.nix ./matrix-synapse.nix
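Review bot: The `forward . 1.1.1.1` line in the new coredns.nix sends every query the `hosts` block cannot answer to a public resolver in cleartext, and because `fallthrough` carries no zone argument that includes any `*.i.sid.ovh` name missing from the list, so internal hostnames (and the fact that `ca.i.sid.ovh` exists) leave the tailnet on every typo or new service. `forward . tls://1.1.1.1 { tls_servername cloudflare-dns.com }` keeps the same upstream but encrypts it, and a dedicated `i.sid.ovh:53 { hosts { … } }` server block with no `forward` would keep the intranet zone on-host. The resolver is also bound on `${hosts.sid.ip}` with no `acl` stanza, so anything that can route to that address is a client; if only tailnet peers should use it, an `acl` block restricting `allow net` to the tailnet prefix is cheap (100.64.0.0/10 looks like the range `hosts.sid.ip` belongs to — confirm against the headscale config).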
diff --git a/hosts/sid/services/headscale.nix b/hosts/sid/services/headscale.nix
index 3faf0b0..347a202 100644
--- a/hosts/sid/services/headscale.nix
+++ b/hosts/sid/services/headscale.nix
@@ -26,7 +26,7 @@
 };
 settings = {
 dns = {
- magic_dns = true; # NOTE: should coredns handle everything?
+ magic_dns = true;
 };
 };
 };
diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix
index 0014748..afbc5e0 100644
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@@ -1,7 +1,6 @@
 {
 inputs,
 constants,
- config,
 lib,
 ...
 }:
@@ -16,33 +15,6 @@ in
 inputs.synix.nixosModules.nginx
 ];
- services.resolved.enable = false;
- networking.resolvconf.enable = false;
-
- networking.nameservers = [ constants.hosts.sid.ip ];
-
- services.coredns = {
- enable = true;
- config = with constants; ''
- .:53 {
- bind 127.0.0.1 ${hosts.sid.ip}
- hosts {
- ${hosts.rx4.ip} ${services.vaultwarden.fqdn}
- ${hosts.rx4.ip} ${services.webdav.fqdn}
- ${hosts.rx4.ip} rx4.tail
- ${hosts.sid.ip} ${services.netdata.fqdn}
- ${hosts.sid.ip} sid.tail
- ${hosts.vde.ip} vde.tail
- fallthrough
- }
- forward . 1.1.1.1
- cache
- log
- errors
- }
- '';
- };
-
 services.nginx = {
 enable = true;
 openFirewall = true;
@@ -62,10 +34,10 @@ in
 address = constants.hosts.rx4.ip;
 port = constants.services.miniflux.port;
 };
- # virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost {
- # inherit ssl;
- # port = constants.services.netdata.port;
- # };
+ virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost {
+ inherit ssl;
+ port = constants.services.netdata.port;
+ };
 virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost {
 inherit ssl;
 address = constants.hosts.rx4.ip;
@@ -83,16 +55,16 @@ in
 address = constants.hosts.rx4.ip;
 port = constants.services.rsshub-oci.port;
 };
- # virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost {
- # inherit ssl;
- # address = constants.hosts.rx4.ip;
- # port = constants.services.vaultwarden.port;
- # };
- # virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
- # inherit ssl;
- # address = constants.hosts.rx4.ip;
- # port = constants.services.webdav.port;
- # };
+ virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost {
+ inherit ssl;
+ address = constants.hosts.rx4.ip;
+ port = constants.services.vaultwarden.port;
+ };
+ virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
+ inherit ssl;
+ address = constants.hosts.rx4.ip;
+ port = constants.services.webdav.port;
+ };
 # FIXME
 # virtualHosts."print.sid.ovh" = {
 # enableACME = true;
diff --git a/hosts/sid/services/step-ca.nix b/hosts/sid/services/step-ca.nix
index 9edd436..396f7c6 100644
--- a/hosts/sid/services/step-ca.nix
+++ b/hosts/sid/services/step-ca.nix
@@ -1,17 +1,28 @@
-{ config, pkgs, ... }:
+{
+ constants,
+ config,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.services.step-ca;
+in
 {
 services.step-ca = {
 enable = true;
 address = "127.0.0.1";
 port = 8443;
+ openFirewall = true;
 intermediatePasswordFile = config.sops.secrets."step-ca/password".path;
+ # nix-shell -p step-cli --run "step ca init"
 settings = {
- root = ./internal-root-ca.crt;
- crt = ./internal-intermediate.crt;
+ root = ../../../certs/root_ca.crt;
+ crt = ../../../certs/intermediate_ca.crt;
 key = config.sops.secrets."step-ca/intermediate-key".path;
 dnsNames = [
- "ca.intra.sid.ovh"
+ constants.ca-fqdn
+ constants.hosts.sid.ip
 ];
 logger = {
 format = "text";
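Review bot: `openFirewall = true;` is added while `address = "127.0.0.1";` is kept two lines above, so step-ca still listens on loopback only: the opened port 8443 exposes nothing, and `constants.ca-fqdn`, which the coredns hunk maps to `constants.hosts.sid.ip`, is unreachable from any other host (and from this host's own ACME client if it resolves the name rather than using loopback) unless the NixOS module binds differently than the option suggests. The new `constants.hosts.sid.ip` entry in `dnsNames` shows the tailnet address is meant to be served, so the consistent fix is `address = constants.hosts.sid.ip;`; if only local clients are intended, drop `openFirewall` instead and keep the loopback bind. The `services.step-ca` block continues past the end of this hunk.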
@@ -26,6 +37,20 @@
 type = "ACME";
 name = "acme";
 }
+ {
+ type = "JWK";
+ name = "sid@sid.ovh";
+ key = {
+ use = "sig";
+ kty = "EC";
+ kid = "w3fV4U-frlyTnBMg4yNYrLsn8_mY98H8HthoscpoVrg";
+ crv = "P-256";
+ alg = "ES256";
+ x = "KZCDecn4sb87T3UO6JsIzJVtr4Aa0UcYzYDNBUM6F7M";
+ y = "CbGHn9tXQbV0Ur2VuXITLnWgfxCRmKEoUdMUmrP9Qkw";
+ };
+ encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiZS1MUDhDYlE4dzVuMF9nUGhXOWtGdyJ9.rgsqo58rJFWaociSqiPg3E1alAeqoHWubJi4n2uoUFYp3YTWaYZzqA.6P6oimHsKGdCWruo.fNaDr50IXCtCe7W7VIXuS3rlfin_R0nogNpIJ9C6szYg8k10UylircUs14Zl1EHQ9lFeJovb1y1uljzBajMGkOAGlMvashrphVkXiSxHWKDhzbrItJx3qChLtSLJJtXiXPbJQKCAeBjztqPuTw6dI4Z6IR9---kiTvzF6I9KE8afGFlMSubGjr9FnqgiOb2JiZuTfcBGDx78puxdWzUrEEVlliHdv2agbKhY0b13x-obaTIWwlqLFbasv7kPneJ8Ggp7IHHr5uDcUrqVKkTfBrD0lelXm6SwJTHGMkty6inlwSflT9mxvkNq7OGV9triPQc8AGVv0c7t7dHoX_E.tSjJqttCS6zLI_-7zPdXNQ";
+ }
 ];
 };
 tls = {
@@ -44,6 +69,17 @@
 pkgs.step-cli
 ];
+ systemd.tmpfiles.rules = [
+ "d /var/lib/acme/acme-challenge 0755 acme nginx"
+ ];
+
+ security.acme = {
+ certs."sid-internal" = {
+ domain = "*.${constants.intranet}";
+ server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory";
+ };
+ };
+
 sops = let owner = "step-ca";
diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix
index eba84dd..0415b9f 100644
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@@ -5,6 +5,8 @@
 ./nix.nix
 ./overlays.nix
+ ../pki
+
 inputs.synix.nixosModules.device.server
 ];
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index f831ea8..540f4ee 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -6,6 +6,7 @@
 forgejo-runner = import ./forgejo-runner;
 gnome = import ./gnome;
 monero = import ./monero;
+ pki = import ./pki;
 rsshub-oci = import ./rsshub-oci;
 tailscale = import ./tailscale;
 xfce = import ./xfce;
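Review bot: The `encryptedKey` value added for the JWK provisioner is that provisioner's private signing key as a password-protected JWE, committed in cleartext to the repository and, since `settings` is rendered by the NixOS module, ending up in the world-readable Nix store as well; its only protection is the PBES2 passphrase (the JWE header, if I decode it correctly, advertises `p2c` 600000). step-ca needs only the public `key` to verify provisioning tokens — `encryptedKey` is an optional convenience so clients can fetch the key from the CA — so the safer shape is to omit it here and keep the private JWK with the operator, or to inject it through a sops-nix template if that convenience is wanted. Either way the provisioner named `sid@sid.ovh` can obtain a certificate for any name the CA will issue, so the passphrase deserves the same handling as `step-ca/intermediate-key`; a comment above `encryptedKey` stating that the blob is public and passphrase-bound would at least make the trade-off visible to the next reader. The provisioner list this hunk extends begins outside the hunk.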
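Review bot: `domain = "*.${constants.intranet}";` requests a wildcard, but the `security.acme` hunk sets no `dnsProvider`, and the `/var/lib/acme/acme-challenge` tmpfiles rule points at an http-01 webroot; ACME servers, step-ca's included, only offer dns-01 for wildcard identifiers, so this order is expected to fail validation unless a DNS-01 setup exists outside the hunk. Either issue per-host names with `webroot = "/var/lib/acme/acme-challenge";` (nginx already serves on this host, and the CoreDNS `hosts` block in this commit already maps each name) or keep the wildcard and add a DNS-01 provider that can publish `_acme-challenge` records for the intranet zone, which a static `hosts` block cannot. The `server` URL correctly reuses `cfg.port`, but it also hard-wires the provisioner path `/acme/acme/directory`; a short comment tying that segment to `name = "acme"` in the provisioner list would save the next reader the lookup.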
diff --git a/modules/nixos/pki/default.nix b/modules/nixos/pki/default.nix
new file mode 100644
index 0000000..729ebd5
--- /dev/null
+++ b/modules/nixos/pki/default.nix
@@ -0,0 +1,3 @@
+{
+ security.pki.certificateFiles = [ ../../../certs/root_ca.crt ];
+}
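Review bot: Because this module is imported from `modules/nixos/common`, `certs/root_ca.crt` becomes a system-wide trust anchor on every host with no scoping: any certificate the step-ca intermediate signs is accepted for any name, and the committed PEM appears to carry no name-constraints extension and no CRL or OCSP pointer, with a validity that looks to run to 2036. That is presumably the intent, but it should be stated at the point of trust; a header comment such as `# Fleet-wide trust anchor for the step-ca on sid: anything its intermediate signs is accepted for any name on every host importing common, so the step-ca/intermediate-key and step-ca/password secrets are effectively fleet-wide credentials.` makes the blast radius explicit. A second line noting how the root will be rotated before expiry, and that there is currently no revocation channel, would complete the picture.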