sid/sid.ovh
1
0
Fork 0
Code Issues 3 Pull requests 2 Projects Releases Packages Wiki Activity Actions
sid.ovh/hosts/sid/services/step-ca.nix
sid 0533dfeb6d
All checks were successful
Build hosts / build-hosts (pull_request) Successful in 17s
Details
Flake check / flake-check (pull_request) Successful in 17s
Details
Revert to commit c2efb19
2026-05-05 13:32:31 +02:00

108 lines
3.1 KiB
Nix
Raw Blame History

{
constants,
config,
pkgs,
...
}:
let
cfg = config.services.step-ca;
in
{
services.step-ca = {
enable = true;
address = "0.0.0.0";
port = 8443;
openFirewall = true;
intermediatePasswordFile = config.sops.secrets."step-ca/password".path;
# nix-shell -p step-cli --run "step ca init"
settings = {
# FIXME: nix-store paths do not work
# root = ../../../certs/root_ca.crt;
# crt = ../../../certs/intermediate_ca.crt;
# FIXME: not reproducible
root = "/var/lib/step-ca/certs/root_ca.crt";
crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
key = config.sops.secrets."step-ca/intermediate-key".path;
dnsNames = [
constants.ca-fqdn
constants.hosts.sid.ip
];
logger = {
format = "text";
};
db = {
type = "badgerv2";
dataSource = "/var/lib/step-ca/db";
};
authority = {
provisioners = [
{
type = "ACME";
name = "acme";
}
{
type = "JWK";
name = "sid@sid.ovh";
key = {
use = "sig";
kty = "EC";
kid = "w3fV4U-frlyTnBMg4yNYrLsn8_mY98H8HthoscpoVrg";
crv = "P-256";
alg = "ES256";
x = "KZCDecn4sb87T3UO6JsIzJVtr4Aa0UcYzYDNBUM6F7M";
y = "CbGHn9tXQbV0Ur2VuXITLnWgfxCRmKEoUdMUmrP9Qkw";
};
encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiZS1MUDhDYlE4dzVuMF9nUGhXOWtGdyJ9.rgsqo58rJFWaociSqiPg3E1alAeqoHWubJi4n2uoUFYp3YTWaYZzqA.6P6oimHsKGdCWruo.fNaDr50IXCtCe7W7VIXuS3rlfin_R0nogNpIJ9C6szYg8k10UylircUs14Zl1EHQ9lFeJovb1y1uljzBajMGkOAGlMvashrphVkXiSxHWKDhzbrItJx3qChLtSLJJtXiXPbJQKCAeBjztqPuTw6dI4Z6IR9---kiTvzF6I9KE8afGFlMSubGjr9FnqgiOb2JiZuTfcBGDx78puxdWzUrEEVlliHdv2agbKhY0b13x-obaTIWwlqLFbasv7kPneJ8Ggp7IHHr5uDcUrqVKkTfBrD0lelXm6SwJTHGMkty6inlwSflT9mxvkNq7OGV9triPQc8AGVv0c7t7dHoX_E.tSjJqttCS6zLI_-7zPdXNQ";
}
];
};
tls = {
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
];
renegotiation = false;
};
};
};
environment.systemPackages = [
pkgs.step-cli
];
systemd.tmpfiles.rules = [
"d /var/lib/acme/acme-challenge 0755 acme nginx"
];
security.acme = {
certs."sid-internal" = {
# domain = constants.intranet;
domain = constants.services.vaultwarden.fqdn;
extraDomainNames = [
constants.services.netdata.fqdn
# constants.services.vaultwarden.fqdn
constants.services.webdav.fqdn
];
server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory";
group = "nginx";
};
};
sops =
let
owner = "step-ca";
group = "step-ca";
mode = "0400";
in
{
secrets = {
"step-ca/password" = {
inherit owner group mode;
};
"step-ca/intermediate-key" = {
inherit owner group mode;
};
};
};
}
Reference in a new issue View git blame Copy permalink