step-ca #22
2 changed files with 64 additions and 0 deletions
@ -16,5 +16,6 @@
|
|||
./netdata.nix
|
||||
./nginx.nix
|
||||
./radicale.nix
|
||||
./step-ca.nix
|
||||
];
|
||||
}
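--- /dev/null
+++ b/hosts/sid/services/step-ca.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+
+{
+  services.step-ca = {
+    enable = true;
+    address = "127.0.0.1";
+    port = 8443;
+    intermediatePasswordFile = config.sops.secrets."step-ca/password".path;
+    settings = {
+      root = ./internal-root-ca.crt;
+      crt = ./internal-intermediate.crt;
+      key = config.sops.secrets."step-ca/intermediate-key".path;
+      dnsNames = [
+        "ca.intra.sid.ovh"
+      ];
+      logger = {
+        format = "text";
+      };
+      db = {
+        type = "badgerv2";
+        dataSource = "/var/lib/step-ca/db";
+      };
+      authority = {
+        provisioners = [
+          {
+            type = "ACME";
+            name = "acme";
+          }
+        ];
+      };
+      tls = {
+        cipherSuites = [
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        ];
+        minVersion = "1.2";
+        maxVersion = "1.3";
+        renegotiation = false;
+      };
+    };
+  };
+
+  environment.systemPackages = [
+    pkgs.step-cli
+  ];
+
+  sops =
+    let
+      owner = "step-ca";
+      group = "step-ca";
+      mode = "0400";
+    in
+    {
+      secrets = {
+        "step-ca/password" = {
+          inherit owner group mode;
+        };
+        "step-ca/intermediate-key" = {
+          inherit owner group mode;
+        };
+      };
+    };
+}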
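Review bot: The ACME provisioner under `authority.provisioners` has no issuance policy, so any client that can reach the CA (via the nginx proxy, since the listener is bound to 127.0.0.1) and answer a challenge for a name gets a certificate chained to the internal root for that name, whatever it is; consider scoping issuance with `authority.policy.x509.allow.dns = [ "*.intra.sid.ovh" ];` (needs a step-ca release that supports certificate policies) so a foothold on one internal host cannot mint certs for arbitrary names that every root-trusting machine will accept. The `tls.cipherSuites` list contains only ECDHE-ECDSA suites, which is fine if the intermediate key referenced by `settings.key` is an EC key (step's default) but leaves TLS 1.2 clients with no usable suite if it is RSA — worth a one-line comment stating the key type. The sops secrets are chowned to a static `step-ca` user/group at activation; if the NixOS step-ca module runs the service as a DynamicUser, as I recall it does, that user may not exist when sops-nix applies ownership, so confirm the secrets are readable by the service on first boot or declare the user explicitly. A short header comment stating that the root and intermediate certificates are public and are intentionally copied into the Nix store while the key and password stay in sops would help the next reader.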