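{ config, lib, pkgs, inputs, xinlib, ... }:

# Configure this host as a "xin" certificate authority backed by step-ca.
#
# All key material and the `step` client defaults are decrypted out of the
# sops document at `config.xin-secrets.cert_authority`.  step-ca itself
# listens on loopback only; external access is expected to arrive through
# the reverse-proxy module pulled in via `imports`.
let
  cfg = config.services.xinCA;

  # step-ca's state directory.  Every on-disk path below lives under it.
  stepPath = "/var/lib/step-ca";
in
with lib; {
  options = {
    services.xinCA = {
      enable = mkEnableOption "Configure host as a xin certificate authority.";

      user = mkOption {
        type = types.str;
        default = "step-ca";
        description = ''
          User who will own the CA key material.

          This only sets the owner of the decrypted sops secrets; it does not
          change which account the step-ca service runs as.  It must match
          that account, otherwise the service cannot read its own key.
        '';
      };

      deployRootKey = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Whether to decrypt the root CA private key onto this host.

          The running CA signs with the intermediate key only, so the root
          key is not needed for day-to-day operation.  Keeping it on the
          online CA means a host compromise also compromises the root.
          Set this to false to keep the root key offline and only bring it
          out when the intermediate has to be re-issued.
        '';
      };
    };
  };

  imports = [ ../modules/ts-rev-prox.nix ];

  config = mkIf cfg.enable {
    sops.secrets =
      let
        # Every CA secret comes from the same sops document and is owned by
        # cfg.user; only `mode` and the optional install `path` vary.
        caSecret = mode: attrs:
          {
            inherit mode;
            owner = cfg.user;
            sopsFile = config.xin-secrets.cert_authority;
          } // attrs;
      in
      {
        # Passphrase that unlocks the intermediate key.  No explicit path, so
        # sops-nix places it in its default secrets directory and the service
        # picks it up through `.path` below.
        ca_password = caSecret "400" { };

        # `step` client configuration (ca-url, root fingerprint, ...).
        "defaults.json" = caSecret "400" { path = "${stepPath}/config/defaults.json"; };

        # Certificates are public (444); private keys are owner-only (400).
        "intermediate_ca.crt" = caSecret "444" { path = "${stepPath}/certs/intermediate_ca.crt"; };
        intermediate_ca_key = caSecret "400" { path = "${stepPath}/secrets/intermediate_ca_key"; };
        "root_ca.crt" = caSecret "444" { path = "${stepPath}/certs/root_ca.crt"; };

        # Encrypted JWK provisioner key.  NOTE(review): no JWK provisioner is
        # declared under `authority.provisioners` below, so whatever consumes
        # this file is configured out of band - confirm it is still needed.
        jwk_encryptedKey = caSecret "400" { path = "${stepPath}/secrets/jwk_encryptedKey"; };
      }
      // optionalAttrs cfg.deployRootKey {
        # Not referenced by the service settings below (the CA signs with the
        # intermediate key); only shipped while deployRootKey = true.
        root_ca_key = caSecret "400" { path = "${stepPath}/secrets/root_ca_key"; };
      };

    # Pin the CA's public name to loopback so local `step` clients reach the
    # listener below directly instead of resolving the name externally.
    networking.hosts = { "127.0.0.1" = [ "ca.bolddaemon.com" ]; };

    # Point every login shell's `step` at the CA state directory so the CA can
    # be administered in place with the `defaults.json` above.  This is
    # system-wide: any user's `step` invocation will target the CA's own
    # files, which are mode 400 and owned by cfg.user.
    environment.sessionVariables = { STEPPATH = stepPath; };

    # step-cli for administration; opensc provides PKCS#11 / smart-card
    # tooling.  Nothing in this file wires step-ca to a PKCS#11 KMS - the
    # intermediate key is a plain file on disk - so opensc is presumably for
    # operator use.
    environment.systemPackages = with pkgs; [ step-cli opensc ];

    services.step-ca = {
      enable = true;
      intermediatePasswordFile = config.sops.secrets.ca_password.path;

      # Loopback only: the CA is never exposed on a routable address.
      # Whatever fronts it (the ts-rev-prox module) presumably terminates
      # its own TLS, in which case the `tls` settings below govern only the
      # local hop.
      address = "127.0.0.1";
      port = 443;

      settings = {
        root = config.sops.secrets."root_ca.crt".path;
        crt = config.sops.secrets."intermediate_ca.crt".path;
        key = config.sops.secrets.intermediate_ca_key.path;
        dnsNames = [ "ca.bolddaemon.com" ];
        logger = { format = "text"; };

        db = {
          type = "badgerv2";
          dataSource = "${stepPath}/db";
          badgerFileLoadingMode = "";
        };

        authority = {
          # SSHPOP authenticates with an existing SSH certificate, i.e. it
          # serves renew/rekey/revoke of SSH certs.  NOTE(review): it is the
          # only provisioner declared here, and no `ssh.hostKey`/`ssh.userKey`
          # appear in these settings, so initial SSH issuance and the SSH
          # signing keys must be supplied outside this file - confirm.
          provisioners = [{
            type = "SSHPOP";
            name = "sshpop";
            claims = { enableSSHCA = true; };
          }];
        };

        tls = {
          # Only ECDHE+ECDSA AEAD suites: this assumes the CA's TLS key is
          # ECDSA (step's default).  With an RSA key no TLS 1.2 suite would
          # match; TLS 1.3 suites are fixed by the Go runtime and are not
          # affected by this list.
          cipherSuites = [
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
          ];
          minVersion = 1.2;
          maxVersion = 1.3;
          # Renegotiation is a TLS 1.2 attack surface with no use here.
          renegotiation = false;
        };
      };
    };
  };
}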