From b9e7615ff58888227d32ea9ee4fde4e5cceb675a Mon Sep 17 00:00:00 2001
From: sid
Date: Thu, 16 Apr 2026 01:02:39 +0200
Subject: [PATCH] initial commit

---
 hosts/sid/services/default.nix | 1 +
 hosts/sid/services/step-ca.nix | 63 ++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 hosts/sid/services/step-ca.nix

diff --git a/hosts/sid/services/default.nix b/hosts/sid/services/default.nix
index 57d9964..42e8eed 100644
--- a/hosts/sid/services/default.nix
+++ b/hosts/sid/services/default.nix
@@ -16,5 +16,6 @@
 ./netdata.nix
 ./nginx.nix
 ./radicale.nix
+ ./step-ca.nix
 ];
 }
diff --git a/hosts/sid/services/step-ca.nix b/hosts/sid/services/step-ca.nix
new file mode 100644
index 0000000..9edd436
--- /dev/null
+++ b/hosts/sid/services/step-ca.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+
+{
+ services.step-ca = {
+ enable = true;
+ address = "127.0.0.1";
+ port = 8443;
+ intermediatePasswordFile = config.sops.secrets."step-ca/password".path;
+ settings = {
+ root = ./internal-root-ca.crt;
+ crt = ./internal-intermediate.crt;
+ key = config.sops.secrets."step-ca/intermediate-key".path;
+ dnsNames = [
+ "ca.intra.sid.ovh"
+ ];
+ logger = {
+ format = "text";
+ };
+ db = {
+ type = "badgerv2";
+ dataSource = "/var/lib/step-ca/db";
+ };
+ authority = {
+ provisioners = [
+ {
+ type = "ACME";
+ name = "acme";
+ }
+ ];
+ };
+ tls = {
+ cipherSuites = [
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+ ];
+ minVersion = "1.2";
+ maxVersion = "1.3";
+ renegotiation = false;
+ };
+ };
+ };
+
+ environment.systemPackages = [
+ pkgs.step-cli
+ ];
+
+ sops =
+ let
+ owner = "step-ca";
+ group = "step-ca";
+ mode = "0400";
+ in
+ {
+ secrets = {
+ "step-ca/password" = {
+ inherit owner group mode;
+ };
+ "step-ca/intermediate-key" = {
+ inherit owner group mode;
+ };
+ };
+ };
+}
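Review bot: `tls.cipherSuites` in step-ca.nix allows only ECDHE_ECDSA suites, so the TLS 1.2 handshake on port 8443 can only succeed if the certificate the CA presents carries an EC key; I believe step-ca generates that server certificate itself, but the constraint is invisible from this file and deserves a comment next to the list, e.g. `# ECDSA-only suites: the CA's own TLS certificate must use an EC key`. The service binds to `127.0.0.1` while advertising `ca.intra.sid.ovh` in `dnsNames`, which suggests it is fronted by the nginx service imported in the same directory; a one-line comment on `address` such as `# Loopback only; clients reach the CA through the reverse proxy` would save the next reader from wondering why the ACME endpoint is unreachable from the network. The `acme` provisioner has no `claims` or certificate policy, so certificate lifetime and permitted names fall back to step-ca's defaults; if that is intentional for an internal CA, say so in a comment so the gap is not mistaken for an omission.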