Compare commits
4 commits
e7afb9a36b
...
32e5fffd16
| Author | SHA1 | Date | |
|---|---|---|---|
| 32e5fffd16 | |||
| 4ad7efb3db | |||
| 7a65bdbf37 | |||
| b9e7615ff5 |
12 changed files with 185 additions and 46 deletions
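--- a/certs/intermediate_ca.crt
+++ b/certs/intermediate_ca.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2TCCAX6gAwIBAgIQQkLUt4eUkj1iHx/bSnS7CTAKBggqhkjOPQQDAjA2MRUw
+EwYDVQQKEwxzaWQtaW50ZXJuYWwxHTAbBgNVBAMTFHNpZC1pbnRlcm5hbCBSb290
+IENBMB4XDTI2MDQxODIwMzkwM1oXDTM2MDQxNTIwMzkwM1owPjEVMBMGA1UEChMM
+c2lkLWludGVybmFsMSUwIwYDVQQDExxzaWQtaW50ZXJuYWwgSW50ZXJtZWRpYXRl
+IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEARbL4O6VO4zrlXGTIQtf20A5
+BuytQgR99rUnWxQOXay1hyPyVeXAFyKWFyQ/vJNHRrMw8TjY829wWkxjFrAj66Nm
+MGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYE
+FCt20qDkibwOESQ4yUBDmh0m0MX4MB8GA1UdIwQYMBaAFFqIEAJENmQdkxT3Lxix
+QXhY8H7lMAoGCCqGSM49BAMCA0kAMEYCIQCwrStylYQB2hV2VifA8erEJQCFwPZ+
+jwcUHAZBKHBb7gIhAIfWurRwLLoXfsx5Ri1rY2JrVVnfPuENqMMcAlOHz/8J
+-----END CERTIFICATE-----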
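--- a/certs/root_ca.crt
+++ b/certs/root_ca.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBrzCCAVWgAwIBAgIQDV0M0pLkCXvARpa+ipSx8jAKBggqhkjOPQQDAjA2MRUw
+EwYDVQQKEwxzaWQtaW50ZXJuYWwxHTAbBgNVBAMTFHNpZC1pbnRlcm5hbCBSb290
+IENBMB4XDTI2MDQxODIwMzkwMloXDTM2MDQxNTIwMzkwMlowNjEVMBMGA1UEChMM
+c2lkLWludGVybmFsMR0wGwYDVQQDExRzaWQtaW50ZXJuYWwgUm9vdCBDQTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABCH2VmIwKEjdma4UymD7RWuGcaT2algrL5nm
+TE0NzP8giezdU9bEP487AvUPPibSYDWxdp4ycbl6qNVTiy29xkmjRTBDMA4GA1Ud
+DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRaiBACRDZk
+HZMU9y8YsUF4WPB+5TAKBggqhkjOPQQDAgNIADBFAiAh+b49V2VTnT6nRCRM0Qwq
+ruzayrrnmF7pIxi9PVFwBQIhANQsL3ok4gCTRAnT0mUXSyWexzSESZ1lkpLYiyoj
+RgLi
+-----END CERTIFICATE-----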
|
|
@ -1,6 +1,7 @@
|
|||
rec {
|
||||
domain = "sid.ovh";
|
||||
intranet = "intra." + domain;
|
||||
intranet = "i." + domain;
|
||||
ca-fqdn = "ca." + intranet;
|
||||
hosts = {
|
||||
sid = {
|
||||
ip = "100.64.0.6";
|
||||
|
|
|
|||
|
|
@ -32,6 +32,9 @@ mailserver:
|
|||
vaultwarden: ENC[AES256_GCM,data:nSiiyurI0pNGlJiHpgu5jUQIq688IbPKlJCvx4jrFN9TwIY+kfVOaO4KWKkavBYfMZqMuEBr7EAdRULS,iv:OpgfXl1uYLgjOGDTkXFj/wPFUoE6uK89gtXLsB2x6gE=,tag:knJkNQnRCNcc/2nKBYdVCw==,type:str]
|
||||
radicale:
|
||||
sid: ENC[AES256_GCM,data:/OgIrXnGttIymGw98feiUjKPOIlrgRIC0TNCdBnuJOiA0RzbF0b9SMVzwEZiTEmS82g2lSvxQkE4kZjeOgOC0RLvCyZAmtWojq+g1pN0qhEkhwH0Qtu9wNnSYHuRqh2E5nWzHNGl/eF6zQ==,iv:5XtlyXjpB+XrVvJ7IoM7Gu63xA8vYrcJjUjLPmOMAIU=,tag:SAuYl/wzxnINyVWn9nI5yA==,type:str]
|
||||
step-ca:
|
||||
password: ENC[AES256_GCM,data:8/6NA3WpII0LmDOp5ISnHKeaXn5LM4gpiI47JTso23c=,iv:fi2eMGG1lOwdK5+98Hp7vZ101GKRip5Xgq9k+vnC9yI=,tag:oENvvsEbKSHFfLoXcJlPkg==,type:str]
|
||||
intermediate-key: ENC[AES256_GCM,data:yGZLSd7ydx9wNFpWWPcyUBwZQZbyziGleCWSxurFniBCauw2h4hcPc4c4I/7cjl1vRUv41WfzWu1PtXnZ3lNHOC6tTbiikHFBgGiHk2Lhddx+NESUWmgNiejJR/UDW4T25W9OHxwLCV9pmHf4fjyT/REymGIB7kbcRryWqcWtoZWYaL7JooJornm5mMU1Be+MCfxusTGQA4gQsT5/bu20iEGPwgY3fEgZLQWzKFI2kD2lYlMC8CRxoZO32uTizzooW1+zKng1qSZ7aobFJsbSKRYpYDv9Vvfwltcczb+xo+yZL3pfoEiqAxPzeG/48lRVNf1nftM5esBRGIIPr9BV9+7fbe5DFbSRDtAWspEnp9R5ENj1rbNint/fjCcStg3OfFMdv6N8cQyIpQyHCiBLiG4z+xyFcn0iW4=,iv:BhUoeaoetI5vJk9wOHhBI2ebHWCPeXz8U2ta/xEeUxM=,tag:7xg5ilOSJP1rFlSmmZVZUg==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
|
||||
|
|
@ -52,7 +55,7 @@ sops:
|
|||
RzhnczA0S1pxcXZncGpWVHNYQW96L28K+ytH3PPyg4+wibpAQhp02RiSfZ83EDRB
|
||||
UJ8UV1d+51D0e2A1sI95r2AzDj4jfwUnI+LYDPC/qEpsu5LFLGVyeg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2026-04-15T22:25:00Z"
|
||||
mac: ENC[AES256_GCM,data:/Y68+WlI/BykmwajvluW1EiCfzdfIJe+nDwstqusqhwhc7h5exD5xuuU9CB0lcUGwODwrIfWECWLLhJfn86/Wc2WDT2yinIj89mik/rRB0klMx75v0w1v6vxiYuQU0WHPtajDuuaMTo1QxJFczZt0RVPtDPwmVip5EEQpNsqzig=,iv:gWqFTUP7PAk5QzRfKFpTD5iCdneciih0HM8am8+TS/8=,tag:E1QY6PnM3oFZm/qfrL/8dg==,type:str]
|
||||
lastmodified: "2026-04-18T20:48:28Z"
|
||||
mac: ENC[AES256_GCM,data:RDhfanP4bN68/gVivoDxxOI4r/Pdov4qI/dldmC+RBHg1kzwJsneLxEHS2KEQhtXwR8y22WJ62pIgLA7WZHdCSIqL6cbJ4V8ImQmlJHYVnaGrkgFdbzUFi8B15jRwHTywhC3+CdxoeppzGFFCUnHDbPWVfDaVXmgHeHRPJoQHck=,iv:+pAAtvwPJz0PRIeywt9GhQL8P57cCy6hhOgoUGjIexc=,tag:d7h2XdPmkdnJd9j65llFsw==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.12.1
|
||||
|
|
|
|||
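--- a/hosts/sid/services/coredns.nix
+++ b/hosts/sid/services/coredns.nix
@@ -0,0 +1,32 @@
+{ constants, ... }:
+
+{
+services.resolved.enable = false;
+networking.resolvconf.enable = false;
+
+networking.nameservers = [ constants.hosts.sid.ip ];
+
+services.coredns = {
+enable = true;
+config = with constants; ''
+.:53 {
+bind 127.0.0.1 ${hosts.sid.ip}
+hosts {
+${hosts.sid.ip} ${ca-fqdn}
+
+${hosts.rx4.ip} ${services.vaultwarden.fqdn}
+${hosts.rx4.ip} ${services.webdav.fqdn}
+${hosts.rx4.ip} rx4.tail
+${hosts.sid.ip} ${services.netdata.fqdn}
+${hosts.sid.ip} sid.tail
+${hosts.vde.ip} vde.tail
+fallthrough
+}
+forward . 1.1.1.1
+cache
+log
+errors
+}
+'';
+};
+}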
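Review bot: `forward . 1.1.1.1` sends every query that misses the `hosts` block to Cloudflare in cleartext, so anyone on the path between this host and 1.1.1.1 sees which internal and external names the whole tailnet looks up; the forward plugin does DNS-over-TLS at no extra cost, `forward . tls://1.1.1.1 tls://1.0.0.1 {` / `tls_servername cloudflare-dns.com` / `}`. The listener is bound on the tailnet address with no `acl` block, so every tailnet peer can use this resolver and enumerate the internal name map — acceptable if the tailnet is the trust boundary, but worth a one-line comment saying so. `log` with no class filter writes every query to the journal; `log . { class denial error }` (or dropping the plugin) keeps the resolver's journal from becoming a browsing history of every peer.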
|
|
@ -10,11 +10,13 @@
|
|||
|
||||
outputs.nixosModules.tailscale
|
||||
|
||||
./coredns.nix
|
||||
./headscale.nix
|
||||
./mailserver.nix
|
||||
./matrix-synapse.nix
|
||||
./netdata.nix
|
||||
./nginx.nix
|
||||
./radicale.nix
|
||||
./step-ca.nix
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@
|
|||
};
|
||||
settings = {
|
||||
dns = {
|
||||
magic_dns = true; # NOTE: should coredns handle everything?
|
||||
magic_dns = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
inputs,
|
||||
constants,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
|
@ -16,33 +15,6 @@ in
|
|||
inputs.synix.nixosModules.nginx
|
||||
];
|
||||
|
||||
services.resolved.enable = false;
|
||||
networking.resolvconf.enable = false;
|
||||
|
||||
networking.nameservers = [ constants.hosts.sid.ip ];
|
||||
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = with constants; ''
|
||||
.:53 {
|
||||
bind 127.0.0.1 ${hosts.sid.ip}
|
||||
hosts {
|
||||
${hosts.rx4.ip} ${services.vaultwarden.fqdn}
|
||||
${hosts.rx4.ip} ${services.webdav.fqdn}
|
||||
${hosts.rx4.ip} rx4.tail
|
||||
${hosts.sid.ip} ${services.netdata.fqdn}
|
||||
${hosts.sid.ip} sid.tail
|
||||
${hosts.vde.ip} vde.tail
|
||||
fallthrough
|
||||
}
|
||||
forward . 1.1.1.1
|
||||
cache
|
||||
log
|
||||
errors
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
|
|
@ -62,10 +34,10 @@ in
|
|||
address = constants.hosts.rx4.ip;
|
||||
port = constants.services.miniflux.port;
|
||||
};
|
||||
# virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost {
|
||||
# inherit ssl;
|
||||
# port = constants.services.netdata.port;
|
||||
# };
|
||||
virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost {
|
||||
inherit ssl;
|
||||
port = constants.services.netdata.port;
|
||||
};
|
||||
virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost {
|
||||
inherit ssl;
|
||||
address = constants.hosts.rx4.ip;
|
||||
|
|
@ -83,16 +55,16 @@ in
|
|||
address = constants.hosts.rx4.ip;
|
||||
port = constants.services.rsshub-oci.port;
|
||||
};
|
||||
# virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost {
|
||||
# inherit ssl;
|
||||
# address = constants.hosts.rx4.ip;
|
||||
# port = constants.services.vaultwarden.port;
|
||||
# };
|
||||
# virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
|
||||
# inherit ssl;
|
||||
# address = constants.hosts.rx4.ip;
|
||||
# port = constants.services.webdav.port;
|
||||
# };
|
||||
virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost {
|
||||
inherit ssl;
|
||||
address = constants.hosts.rx4.ip;
|
||||
port = constants.services.vaultwarden.port;
|
||||
};
|
||||
virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
|
||||
inherit ssl;
|
||||
address = constants.hosts.rx4.ip;
|
||||
port = constants.services.webdav.port;
|
||||
};
|
||||
# FIXME
|
||||
# virtualHosts."print.sid.ovh" = {
|
||||
# enableACME = true;
|
||||
|
|
|
|||
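--- a/hosts/sid/services/step-ca.nix
+++ b/hosts/sid/services/step-ca.nix
@@ -0,0 +1,99 @@
+{
+constants,
+config,
+pkgs,
+...
+}:
+
+let
+cfg = config.services.step-ca;
+in
+{
+services.step-ca = {
+enable = true;
+address = "127.0.0.1";
+port = 8443;
+openFirewall = true;
+intermediatePasswordFile = config.sops.secrets."step-ca/password".path;
+# nix-shell -p step-cli --run "step ca init"
+settings = {
+root = ../../../certs/root_ca.crt;
+crt = ../../../certs/intermediate_ca.crt;
+key = config.sops.secrets."step-ca/intermediate-key".path;
+dnsNames = [
+constants.ca-fqdn
+constants.hosts.sid.ip
+];
+logger = {
+format = "text";
+};
+db = {
+type = "badgerv2";
+dataSource = "/var/lib/step-ca/db";
+};
+authority = {
+provisioners = [
+{
+type = "ACME";
+name = "acme";
+}
+{
+type = "JWK";
+name = "sid@sid.ovh";
+key = {
+use = "sig";
+kty = "EC";
+kid = "w3fV4U-frlyTnBMg4yNYrLsn8_mY98H8HthoscpoVrg";
+crv = "P-256";
+alg = "ES256";
+x = "KZCDecn4sb87T3UO6JsIzJVtr4Aa0UcYzYDNBUM6F7M";
+y = "CbGHn9tXQbV0Ur2VuXITLnWgfxCRmKEoUdMUmrP9Qkw";
+};
+encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiZS1MUDhDYlE4dzVuMF9nUGhXOWtGdyJ9.rgsqo58rJFWaociSqiPg3E1alAeqoHWubJi4n2uoUFYp3YTWaYZzqA.6P6oimHsKGdCWruo.fNaDr50IXCtCe7W7VIXuS3rlfin_R0nogNpIJ9C6szYg8k10UylircUs14Zl1EHQ9lFeJovb1y1uljzBajMGkOAGlMvashrphVkXiSxHWKDhzbrItJx3qChLtSLJJtXiXPbJQKCAeBjztqPuTw6dI4Z6IR9---kiTvzF6I9KE8afGFlMSubGjr9FnqgiOb2JiZuTfcBGDx78puxdWzUrEEVlliHdv2agbKhY0b13x-obaTIWwlqLFbasv7kPneJ8Ggp7IHHr5uDcUrqVKkTfBrD0lelXm6SwJTHGMkty6inlwSflT9mxvkNq7OGV9triPQc8AGVv0c7t7dHoX_E.tSjJqttCS6zLI_-7zPdXNQ";
+}
+];
+};
+tls = {
+cipherSuites = [
+"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+];
+minVersion = "1.2";
+maxVersion = "1.3";
+renegotiation = false;
+};
+};
+};
+
+environment.systemPackages = [
+pkgs.step-cli
+];
+
+systemd.tmpfiles.rules = [
+"d /var/lib/acme/acme-challenge 0755 acme nginx"
+];
+
+security.acme = {
+certs."sid-internal" = {
+domain = "*.${constants.intranet}";
+server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory";
+};
+};
+
+sops =
+let
+owner = "step-ca";
+group = "step-ca";
+mode = "0400";
+in
+{
+secrets = {
+"step-ca/password" = {
+inherit owner group mode;
+};
+"step-ca/intermediate-key" = {
+inherit owner group mode;
+};
+};
+};
+}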
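Review bot: `address = "127.0.0.1"` contradicts the rest of this file: `dnsNames` advertises `constants.hosts.sid.ip`, `openFirewall = true` opens 8443 on the non-loopback interfaces, and the `security.acme` client below is pointed at `https://ca.<intranet>:8443`, a name the CoreDNS `hosts` entry in this same commit set resolves to the tailnet address rather than loopback — so the ACME order from this very host (and from any other tailnet host) will be refused unless something not shown here proxies 8443. Either bind the CA where it is advertised, `address = constants.hosts.sid.ip;`, or keep loopback, set `openFirewall = false`, and front it with nginx; as written the firewall rule exposes a port nothing listens on. Separately, `certs."sid-internal".domain = "*.${constants.intranet}"` is a wildcard order with no `dnsProvider`, i.e. http-01 against the `/var/lib/acme/acme-challenge` webroot that the tmpfiles rule creates; if step-ca follows RFC 8555 and only offers dns-01 for wildcard identifiers, that order fails too — confirm, or list the concrete names via `extraDomainNames` instead of a wildcard.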
|
|
@ -5,6 +5,8 @@
|
|||
./nix.nix
|
||||
./overlays.nix
|
||||
|
||||
../pki
|
||||
|
||||
inputs.synix.nixosModules.device.server
|
||||
];
|
||||
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@
|
|||
forgejo-runner = import ./forgejo-runner;
|
||||
gnome = import ./gnome;
|
||||
monero = import ./monero;
|
||||
pki = import ./pki;
|
||||
rsshub-oci = import ./rsshub-oci;
|
||||
tailscale = import ./tailscale;
|
||||
xfce = import ./xfce;
|
||||
|
|
|
|||
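--- a/modules/nixos/pki/default.nix
+++ b/modules/nixos/pki/default.nix
@@ -0,0 +1,3 @@
+{
+security.pki.certificateFiles = [ ../../../certs/root_ca.crt ];
+}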
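Review bot: `security.pki.certificateFiles` installs the sid-internal root into the system trust store of every host importing this module, so each TLS client on those hosts accepts any certificate chaining to it for any name, not only `*.i.sid.ovh` — a leaked intermediate key on `sid` would let an attacker impersonate every site these hosts talk to, and the module says nothing about that. Decoding the intermediate in `certs/intermediate_ca.crt`, its extension block appears to hold only keyUsage, basicConstraints, subjectKeyIdentifier and authorityKeyIdentifier, i.e. no nameConstraints; if that reading is right, re-issuing it with a permitted subtree of the intranet domain (a step certificate template can set this) would bound the blast radius without touching the clients. At minimum the line deserves a comment stating the trade-off: `# Trusts the private sid-internal root system-wide: any cert the CA issues is accepted for any name.`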