diff --git a/certs/intermediate_ca.crt b/certs/intermediate_ca.crt
deleted file mode 100644
index e2d8aba..0000000
--- a/certs/intermediate_ca.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2TCCAX6gAwIBAgIQQkLUt4eUkj1iHx/bSnS7CTAKBggqhkjOPQQDAjA2MRUw
-EwYDVQQKEwxzaWQtaW50ZXJuYWwxHTAbBgNVBAMTFHNpZC1pbnRlcm5hbCBSb290
-IENBMB4XDTI2MDQxODIwMzkwM1oXDTM2MDQxNTIwMzkwM1owPjEVMBMGA1UEChMM
-c2lkLWludGVybmFsMSUwIwYDVQQDExxzaWQtaW50ZXJuYWwgSW50ZXJtZWRpYXRl
-IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEARbL4O6VO4zrlXGTIQtf20A5
-BuytQgR99rUnWxQOXay1hyPyVeXAFyKWFyQ/vJNHRrMw8TjY829wWkxjFrAj66Nm
-MGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYE
-FCt20qDkibwOESQ4yUBDmh0m0MX4MB8GA1UdIwQYMBaAFFqIEAJENmQdkxT3Lxix
-QXhY8H7lMAoGCCqGSM49BAMCA0kAMEYCIQCwrStylYQB2hV2VifA8erEJQCFwPZ+
-jwcUHAZBKHBb7gIhAIfWurRwLLoXfsx5Ri1rY2JrVVnfPuENqMMcAlOHz/8J
------END CERTIFICATE-----
diff --git a/certs/root_ca.crt b/certs/root_ca.crt
deleted file mode 100644
index 44abf61..0000000
--- a/certs/root_ca.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBrzCCAVWgAwIBAgIQDV0M0pLkCXvARpa+ipSx8jAKBggqhkjOPQQDAjA2MRUw
-EwYDVQQKEwxzaWQtaW50ZXJuYWwxHTAbBgNVBAMTFHNpZC1pbnRlcm5hbCBSb290
-IENBMB4XDTI2MDQxODIwMzkwMloXDTM2MDQxNTIwMzkwMlowNjEVMBMGA1UEChMM
-c2lkLWludGVybmFsMR0wGwYDVQQDExRzaWQtaW50ZXJuYWwgUm9vdCBDQTBZMBMG
-ByqGSM49AgEGCCqGSM49AwEHA0IABCH2VmIwKEjdma4UymD7RWuGcaT2algrL5nm
-TE0NzP8giezdU9bEP487AvUPPibSYDWxdp4ycbl6qNVTiy29xkmjRTBDMA4GA1Ud
-DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRaiBACRDZk
-HZMU9y8YsUF4WPB+5TAKBggqhkjOPQQDAgNIADBFAiAh+b49V2VTnT6nRCRM0Qwq
-ruzayrrnmF7pIxi9PVFwBQIhANQsL3ok4gCTRAnT0mUXSyWexzSESZ1lkpLYiyoj
-RgLi
------END CERTIFICATE-----
diff --git a/constants.nix b/constants.nix
index e38e39d..cfa6d05 100644
--- a/constants.nix
+++ b/constants.nix
@@ -1,7 +1,6 @@
 rec {
 domain = "sid.ovh";
- intranet = "i." + domain;
- ca-fqdn = "ca." + intranet;
+ intranet = "intra." + domain;
 hosts = {
 sid = {
 ip = "100.64.0.6";
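Review bot: `intranet` changes from `i.` to `intra.` here, so every name derived from it moves, yet the only certificate that covered `*.${constants.intranet}` (`security.acme.certs."sid-internal"` in the deleted step-ca.nix) is removed in the same commit and no replacement `security.acme` entry or public ACME configuration for the new suffix appears anywhere in the diff. The `inherit ssl` vhosts that survive in nginx.nix (miniflux, open-webui-oci, rsshub-oci) will serve whatever `ssl` now resolves to in the `let` above those hunks, which is outside this view — worth confirming before deploy, and a line such as `# intranet names resolve only via the CoreDNS hosts block on sid; TLS for them comes from <source>` next to `intranet` would record the intended trust model. Dropping `ca-fqdn` also orphans any `step ca bootstrap` trust that clients installed for the old CA name; that is presumably desired, but nothing in the commit tells those clients to remove it.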
diff --git a/hosts/sid/secrets/secrets.yaml b/hosts/sid/secrets/secrets.yaml
index 372dccc..7d553c7 100644
--- a/hosts/sid/secrets/secrets.yaml
+++ b/hosts/sid/secrets/secrets.yaml
@@ -32,9 +32,6 @@ mailserver:
 vaultwarden: ENC[AES256_GCM,data:nSiiyurI0pNGlJiHpgu5jUQIq688IbPKlJCvx4jrFN9TwIY+kfVOaO4KWKkavBYfMZqMuEBr7EAdRULS,iv:OpgfXl1uYLgjOGDTkXFj/wPFUoE6uK89gtXLsB2x6gE=,tag:knJkNQnRCNcc/2nKBYdVCw==,type:str]
 radicale:
 sid: ENC[AES256_GCM,data:/OgIrXnGttIymGw98feiUjKPOIlrgRIC0TNCdBnuJOiA0RzbF0b9SMVzwEZiTEmS82g2lSvxQkE4kZjeOgOC0RLvCyZAmtWojq+g1pN0qhEkhwH0Qtu9wNnSYHuRqh2E5nWzHNGl/eF6zQ==,iv:5XtlyXjpB+XrVvJ7IoM7Gu63xA8vYrcJjUjLPmOMAIU=,tag:SAuYl/wzxnINyVWn9nI5yA==,type:str]
-step-ca:
- password: ENC[AES256_GCM,data:8/6NA3WpII0LmDOp5ISnHKeaXn5LM4gpiI47JTso23c=,iv:fi2eMGG1lOwdK5+98Hp7vZ101GKRip5Xgq9k+vnC9yI=,tag:oENvvsEbKSHFfLoXcJlPkg==,type:str]
- intermediate-key: ENC[AES256_GCM,data:yGZLSd7ydx9wNFpWWPcyUBwZQZbyziGleCWSxurFniBCauw2h4hcPc4c4I/7cjl1vRUv41WfzWu1PtXnZ3lNHOC6tTbiikHFBgGiHk2Lhddx+NESUWmgNiejJR/UDW4T25W9OHxwLCV9pmHf4fjyT/REymGIB7kbcRryWqcWtoZWYaL7JooJornm5mMU1Be+MCfxusTGQA4gQsT5/bu20iEGPwgY3fEgZLQWzKFI2kD2lYlMC8CRxoZO32uTizzooW1+zKng1qSZ7aobFJsbSKRYpYDv9Vvfwltcczb+xo+yZL3pfoEiqAxPzeG/48lRVNf1nftM5esBRGIIPr9BV9+7fbe5DFbSRDtAWspEnp9R5ENj1rbNint/fjCcStg3OfFMdv6N8cQyIpQyHCiBLiG4z+xyFcn0iW4=,iv:BhUoeaoetI5vJk9wOHhBI2ebHWCPeXz8U2ta/xEeUxM=,tag:7xg5ilOSJP1rFlSmmZVZUg==,type:str]
 sops:
 age:
 - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
@@ -55,7 +52,7 @@ sops:
 RzhnczA0S1pxcXZncGpWVHNYQW96L28K+ytH3PPyg4+wibpAQhp02RiSfZ83EDRB
 UJ8UV1d+51D0e2A1sI95r2AzDj4jfwUnI+LYDPC/qEpsu5LFLGVyeg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-04-18T20:48:28Z"
- mac: ENC[AES256_GCM,data:RDhfanP4bN68/gVivoDxxOI4r/Pdov4qI/dldmC+RBHg1kzwJsneLxEHS2KEQhtXwR8y22WJ62pIgLA7WZHdCSIqL6cbJ4V8ImQmlJHYVnaGrkgFdbzUFi8B15jRwHTywhC3+CdxoeppzGFFCUnHDbPWVfDaVXmgHeHRPJoQHck=,iv:+pAAtvwPJz0PRIeywt9GhQL8P57cCy6hhOgoUGjIexc=,tag:d7h2XdPmkdnJd9j65llFsw==,type:str]
+ lastmodified: "2026-04-15T22:25:00Z"
+ mac: ENC[AES256_GCM,data:/Y68+WlI/BykmwajvluW1EiCfzdfIJe+nDwstqusqhwhc7h5exD5xuuU9CB0lcUGwODwrIfWECWLLhJfn86/Wc2WDT2yinIj89mik/rRB0klMx75v0w1v6vxiYuQU0WHPtajDuuaMTo1QxJFczZt0RVPtDPwmVip5EEQpNsqzig=,iv:gWqFTUP7PAk5QzRfKFpTD5iCdneciih0HM8am8+TS/8=,tag:E1QY6PnM3oFZm/qfrL/8dg==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.12.1
diff --git a/hosts/sid/services/coredns.nix b/hosts/sid/services/coredns.nix
deleted file mode 100644
index 0d8e036..0000000
--- a/hosts/sid/services/coredns.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ constants, ... }:
-
-{
- services.resolved.enable = false;
- networking.resolvconf.enable = false;
-
- networking.nameservers = [ constants.hosts.sid.ip ];
-
- services.coredns = {
- enable = true;
- config = with constants; ''
- .:53 {
- bind 127.0.0.1 ${hosts.sid.ip}
- hosts {
- ${hosts.sid.ip} ${ca-fqdn}
-
- ${hosts.rx4.ip} ${services.vaultwarden.fqdn}
- ${hosts.rx4.ip} ${services.webdav.fqdn}
- ${hosts.rx4.ip} rx4.tail
- ${hosts.sid.ip} ${services.netdata.fqdn}
- ${hosts.sid.ip} sid.tail
- ${hosts.vde.ip} vde.tail
- fallthrough
- }
- forward . 1.1.1.1
- cache
- log
- errors
- }
- '';
- };
-}
diff --git a/hosts/sid/services/default.nix b/hosts/sid/services/default.nix
index c753168..57d9964 100644
--- a/hosts/sid/services/default.nix
+++ b/hosts/sid/services/default.nix
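Review bot: `lastmodified` goes backwards in this hunk (2026-04-18 → 2026-04-15), which sops never does on an edit; this looks like an older revision of secrets.yaml restored wholesale rather than the `step-ca` keys being removed with `sops`, so any other secret changed between those dates would be silently lost — diff the decrypted content against the previous revision before merging. Removing the entries also does not decommission the CA: the sops ciphertext of the intermediate key and password stays in git history and is decryptable by any holder of the age recipient key, the step-ca state under `/var/lib/step-ca/db` (the `dataSource` in the deleted module) persists across a NixOS rebuild, and the root remains in every host's trust store until that host is rebuilt without the pki module. I'd record this in the commit message rather than in the file, roughly `step-ca decommissioned: wipe /var/lib/step-ca on sid, rebuild every host so the root leaves security.pki, and treat the old intermediate key as retired`.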
@@ -10,13 +10,11 @@ outputs.nixosModules.tailscale - ./coredns.nix ./headscale.nix ./mailserver.nix ./matrix-synapse.nix ./netdata.nix ./nginx.nix ./radicale.nix - ./step-ca.nix ]; } diff --git a/hosts/sid/services/headscale.nix b/hosts/sid/services/headscale.nix index 347a202..3faf0b0 100644 --- a/hosts/sid/services/headscale.nix +++ b/hosts/sid/services/headscale.nix @@ -26,7 +26,7 @@ }; settings = { dns = { - magic_dns = true; + magic_dns = true; # NOTE: should coredns handle everything? }; }; }; diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix index afbc5e0..0014748 100644 --- a/hosts/sid/services/nginx.nix +++ b/hosts/sid/services/nginx.nix @@ -1,6 +1,7 @@ { inputs, constants, + config, lib, ... }: @@ -15,6 +16,33 @@ in inputs.synix.nixosModules.nginx ]; + services.resolved.enable = false; + networking.resolvconf.enable = false; + + networking.nameservers = [ constants.hosts.sid.ip ]; + + services.coredns = { + enable = true; + config = with constants; '' + .:53 { + bind 127.0.0.1 ${hosts.sid.ip} + hosts { + ${hosts.rx4.ip} ${services.vaultwarden.fqdn} + ${hosts.rx4.ip} ${services.webdav.fqdn} + ${hosts.rx4.ip} rx4.tail + ${hosts.sid.ip} ${services.netdata.fqdn} + ${hosts.sid.ip} sid.tail + ${hosts.vde.ip} vde.tail + fallthrough + } + forward . 1.1.1.1 + cache + log + errors + } + ''; + }; + services.nginx = { enable = true; openFirewall = true; @@ -34,10 +62,10 @@ in address = constants.hosts.rx4.ip; port = constants.services.miniflux.port; }; - virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost { - inherit ssl; - port = constants.services.netdata.port; - }; + # virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost { + # inherit ssl; + # port = constants.services.netdata.port; + # }; virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost { inherit ssl; address = constants.hosts.rx4.ip; 
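Review bot: The `forward . 1.1.1.1` line in the new `services.coredns` block sends every lookup not answered by the `hosts` block — from sid itself, and from any tailnet peer pointed at the `${hosts.sid.ip}` bind — to Cloudflare in cleartext on port 53, while `services.resolved.enable = false` and `networking.nameservers = [ constants.hosts.sid.ip ]` make this CoreDNS the host's only resolver. CoreDNS can forward over TLS at no extra cost, and a second upstream avoids a total resolver outage when one is unreachable: `forward . tls://1.1.1.1 tls://1.0.0.1 {` / `tls_servername cloudflare-dns.com` / `}`. `config` is added to the module arguments in the first hunk, but nothing in the visible hunks reads it; drop it if it is unused. Placing the resolver inside nginx.nix also couples two unrelated services — keeping it in its own module, as the deleted coredns.nix did, reads more clearly — and a comment such as `# sid is its own resolver: CoreDNS answers the intranet/*.tail names from the hosts block and forwards everything else upstream` would help the next reader.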
@@ -55,16 +83,16 @@ in
 address = constants.hosts.rx4.ip;
 port = constants.services.rsshub-oci.port;
 };
- virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost {
- inherit ssl;
- address = constants.hosts.rx4.ip;
- port = constants.services.vaultwarden.port;
- };
- virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
- inherit ssl;
- address = constants.hosts.rx4.ip;
- port = constants.services.webdav.port;
- };
+ # virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost {
+ # inherit ssl;
+ # address = constants.hosts.rx4.ip;
+ # port = constants.services.vaultwarden.port;
+ # };
+ # virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
+ # inherit ssl;
+ # address = constants.hosts.rx4.ip;
+ # port = constants.services.webdav.port;
+ # };
 # FIXME
 # virtualHosts."print.sid.ovh" = {
 # enableACME = true;
diff --git a/hosts/sid/services/step-ca.nix b/hosts/sid/services/step-ca.nix
deleted file mode 100644
index 396f7c6..0000000
--- a/hosts/sid/services/step-ca.nix
+++ /dev/null
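Review bot: Commenting out the vaultwarden and webdav vhosts leaves dead configuration that will drift; git keeps the history, so delete the blocks (the netdata block in the previous hunk is the same case) or replace each with a one-line reason, e.g. `# vaultwarden/webdav: no longer proxied from sid since the internal CA was removed; served directly on rx4`. The question this hunk leaves open is where TLS for Vaultwarden terminates now: the CoreDNS `hosts` block added in this commit still resolves `services.vaultwarden.fqdn` to `hosts.rx4.ip`, so clients reach rx4 directly without the `ssl` front these vhosts provided, and the Vaultwarden web client needs a secure (HTTPS) context for its crypto APIs. If rx4 terminates TLS itself that is fine, but it is not visible here and deserves a comment; if it does not, a password manager is now reachable over plaintext inside the tailnet. The enclosing `services.nginx` attribute set starts before and continues past this hunk.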
@@ -1,99 +0,0 @@ -{ - constants, - config, - pkgs, - ... -}: - -let - cfg = config.services.step-ca; -in -{ - services.step-ca = { - enable = true; - address = "127.0.0.1"; - port = 8443; - openFirewall = true; - intermediatePasswordFile = config.sops.secrets."step-ca/password".path; - # nix-shell -p step-cli --run "step ca init" - settings = { - root = ../../../certs/root_ca.crt; - crt = ../../../certs/intermediate_ca.crt; - key = config.sops.secrets."step-ca/intermediate-key".path; - dnsNames = [ - constants.ca-fqdn - constants.hosts.sid.ip - ]; - logger = { - format = "text"; - }; - db = { - type = "badgerv2"; - dataSource = "/var/lib/step-ca/db"; - }; - authority = { - provisioners = [ - { - type = "ACME"; - name = "acme"; - } - { - type = "JWK"; - name = "sid@sid.ovh"; - key = { - use = "sig"; - kty = "EC"; - kid = "w3fV4U-frlyTnBMg4yNYrLsn8_mY98H8HthoscpoVrg"; - crv = "P-256"; - alg = "ES256"; - x = "KZCDecn4sb87T3UO6JsIzJVtr4Aa0UcYzYDNBUM6F7M"; - y = "CbGHn9tXQbV0Ur2VuXITLnWgfxCRmKEoUdMUmrP9Qkw"; - }; - encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiZS1MUDhDYlE4dzVuMF9nUGhXOWtGdyJ9.rgsqo58rJFWaociSqiPg3E1alAeqoHWubJi4n2uoUFYp3YTWaYZzqA.6P6oimHsKGdCWruo.fNaDr50IXCtCe7W7VIXuS3rlfin_R0nogNpIJ9C6szYg8k10UylircUs14Zl1EHQ9lFeJovb1y1uljzBajMGkOAGlMvashrphVkXiSxHWKDhzbrItJx3qChLtSLJJtXiXPbJQKCAeBjztqPuTw6dI4Z6IR9---kiTvzF6I9KE8afGFlMSubGjr9FnqgiOb2JiZuTfcBGDx78puxdWzUrEEVlliHdv2agbKhY0b13x-obaTIWwlqLFbasv7kPneJ8Ggp7IHHr5uDcUrqVKkTfBrD0lelXm6SwJTHGMkty6inlwSflT9mxvkNq7OGV9triPQc8AGVv0c7t7dHoX_E.tSjJqttCS6zLI_-7zPdXNQ"; - } - ]; - }; - tls = { - cipherSuites = [ - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" - ]; - minVersion = "1.2"; - maxVersion = "1.3"; - renegotiation = false; - }; - }; - }; - - environment.systemPackages = [ - pkgs.step-cli - ]; - - systemd.tmpfiles.rules = [ - "d /var/lib/acme/acme-challenge 0755 acme nginx" - ]; - - 
security.acme = { - certs."sid-internal" = { - domain = "*.${constants.intranet}"; - server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory"; - }; - }; - - sops = - let - owner = "step-ca"; - group = "step-ca"; - mode = "0400"; - in - { - secrets = { - "step-ca/password" = { - inherit owner group mode; - }; - "step-ca/intermediate-key" = { - inherit owner group mode; - }; - }; - }; -} diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix index 0415b9f..eba84dd 100644 --- a/modules/nixos/common/default.nix +++ b/modules/nixos/common/default.nix @@ -5,8 +5,6 @@ ./nix.nix ./overlays.nix - ../pki - inputs.synix.nixosModules.device.server ]; diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 540f4ee..f831ea8 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -6,7 +6,6 @@ forgejo-runner = import ./forgejo-runner; gnome = import ./gnome; monero = import ./monero; - pki = import ./pki; rsshub-oci = import ./rsshub-oci; tailscale = import ./tailscale; xfce = import ./xfce; diff --git a/modules/nixos/pki/default.nix b/modules/nixos/pki/default.nix deleted file mode 100644 index 729ebd5..0000000 --- a/modules/nixos/pki/default.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ - security.pki.certificateFiles = [ ../../../certs/root_ca.crt ]; -}