hosts/sid/services/default.nix

@@ -16,5 +16,6 @@
     ./netdata.nix
     ./nginx.nix
     ./radicale.nix
+    ./step-ca.nix
   ];
 }

hosts/sid/services/step-ca.nix

@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+
+{
+  services.step-ca = {
+    enable = true;
+    address = "127.0.0.1";
+    port = 8443;
+    intermediatePasswordFile = config.sops.secrets."step-ca/password".path;
+    settings = {
+      root = ./internal-root-ca.crt;
+      crt = ./internal-intermediate.crt;
+      key = config.sops.secrets."step-ca/intermediate-key".path;
+      dnsNames = [
+        "ca.intra.sid.ovh"
+      ];
+      logger = {
+        format = "text";
+      };
+      db = {
+        type = "badgerv2";
+        dataSource = "/var/lib/step-ca/db";
+      };
+      authority = {
+        provisioners = [
+          {
+            type = "ACME";
+            name = "acme";
+          }
+        ];
+      };
+      tls = {
+        cipherSuites = [
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        ];
+        minVersion = "1.2";
+        maxVersion = "1.3";
+        renegotiation = false;
+      };
+    };
+  };
+
+  environment.systemPackages = [
+    pkgs.step-cli
+  ];
+
+  sops =
+    let
+      owner = "step-ca";
+      group = "step-ca";
+      mode = "0400";
+    in
+    {
+      secrets = {
+        "step-ca/password" = {
+          inherit owner group mode;
+        };
+        "step-ca/intermediate-key" = {
+          inherit owner group mode;
+        };
+      };
+    };
+}