xin/configs/ca.nix

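{
  config,
  lib,
  pkgs,
  ...
}:
# NixOS module that turns a host into the xin step-ca certificate authority.
#
# All key material and the CA's own configuration are delivered by sops-nix
# directly into step-ca's state directory (STEPPATH = /var/lib/step-ca).
# The daemon binds to loopback only; ../modules/ts-rev-prox.nix is imported,
# presumably to front it on the tailnet — confirm against that module.
let
  cfg = config.services.xinCA;
  inherit (lib) mkEnableOption mkIf mkOption types;

  # Every secret below is decrypted from the same sops file.
  secretFile = config.xin-secrets.cert_authority;

  # step-ca's state directory; sops-nix writes the secrets straight into it.
  stepPath = "/var/lib/step-ca";

  # Private material: readable only by the CA user.
  privateSecret = path: {
    mode = "400";
    owner = cfg.user;
    inherit path;
    sopsFile = secretFile;
  };

  # Certificates are public, so world-readable is intended: clients on the
  # host need the root/intermediate chain to verify what the CA issues.
  publicSecret = path: {
    mode = "444";
    owner = cfg.user;
    inherit path;
    sopsFile = secretFile;
  };
in
{
  options = {
    services.xinCA = {
      # mkEnableOption prefixes "Whether to enable " and appends ".", so the
      # argument is a noun phrase without a trailing period.
      enable = mkEnableOption "the xin certificate authority on this host";

      user = mkOption {
        type = types.str;
        default = "step-ca";
        description = ''
          User who will own the CA key material.
        '';
      };
    };
  };

  imports = [ ../modules/ts-rev-prox.nix ];

  config = mkIf cfg.enable {
    # NOTE(review): sops-nix chowns these files to cfg.user at activation, so
    # that user has to exist as a system user by then and must match the
    # account the step-ca service actually runs as — confirm both.
    sops.secrets = {
      # No explicit `path`: lands at the sops-nix default location and is
      # referenced below as config.sops.secrets.ca_password.path.
      ca_password = {
        mode = "400";
        owner = cfg.user;
        sopsFile = secretFile;
      };
      "defaults.json" = privateSecret "${stepPath}/config/defaults.json";
      "intermediate_ca.crt" = publicSecret "${stepPath}/certs/intermediate_ca.crt";
      "intermediate_ca_key" = privateSecret "${stepPath}/secrets/intermediate_ca_key";
      "root_ca.crt" = publicSecret "${stepPath}/certs/root_ca.crt";
      "root_ca_key" = privateSecret "${stepPath}/secrets/root_ca_key";
      "jwk_encryptedKey" = privateSecret "${stepPath}/secrets/jwk_encryptedKey";
    };

    # Pin the CA's DNS name to loopback so `step` on this host talks directly
    # to the daemon (which only listens on 127.0.0.1, see below).
    networking.hosts = {
      "127.0.0.1" = [ "ca.bolddaemon.com" ];
    };

    # Point the `step` CLI at the CA's state directory for every session.
    # Private files under it are mode 400 and owned by cfg.user, so other
    # users still only get to read the public certificates.
    environment.sessionVariables = {
      STEPPATH = stepPath;
    };

    environment.systemPackages = [
      pkgs.step-cli
      pkgs.step-kms-plugin
      pkgs.opensc
      pkgs.libressl
    ];

    services.step-ca = {
      enable = true;
      # Password used to decrypt the intermediate key at startup (mode 400 above).
      intermediatePasswordFile = config.sops.secrets.ca_password.path;
      # Loopback only: the daemon is never directly reachable from the network.
      address = "127.0.0.1";
      port = 443;
      settings = {
        root = config.sops.secrets."root_ca.crt".path;
        crt = config.sops.secrets."intermediate_ca.crt".path;
        key = config.sops.secrets.intermediate_ca_key.path;
        dnsNames = [ "ca.bolddaemon.com" ];

        logger = {
          format = "text";
        };

        db = {
          type = "badgerv2";
          dataSource = "${stepPath}/db";
          badgerFileLoadingMode = "";
        };

        authority = {
          provisioners = [
            # SSHPOP authenticates clients with an SSH certificate they
            # already hold (proof of possession), i.e. renew/rekey/revoke of
            # SSH certs; enableSSHCA turns on SSH certificate issuance for it.
            {
              type = "SSHPOP";
              name = "sshpop";
              claims = {
                enableSSHCA = true;
              };
            }
          ];
        };

        tls = {
          # AEAD-only, ECDSA-only suites: this assumes the intermediate's key
          # is ECDSA — an RSA intermediate would leave no TLS 1.2 suite in
          # common. TLS 1.3 suites are fixed by the library and are not
          # governed by this list.
          cipherSuites = [
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
          ];
          minVersion = 1.2;
          maxVersion = 1.3;
          # Renegotiation is disabled; only fresh handshakes are accepted.
          renegotiation = false;
        };
      };
    };
  };
}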