ca: tweak things a bit

2023-02-14 05:39:46 -07:00 · 2023-02-14 05:39:46 -07:00 · 66d414ffe8
commit 66d414ffe8
parent 2228170475
2 changed files with 25 additions and 15 deletions
--- a/configs/ca.nix
+++ b/configs/ca.nix
@ -1,7 +1,8 @@
 { config, lib, pkgs, inputs, xinlib, ... }:
-with lib; {
+let cfg = config.services.xinCA;
+in with lib; {
  options = {
-    xinCA = {
+    services.xinCA = {
      enable = mkEnableOption "Configure host as a xin certificate authority.";

      user = mkOption {
@ -15,43 +16,49 @@ with lib; {
  };

  imports = [ ../modules/ts-rev-prox.nix ];
-  config = mkIf config.xinCA.enable {
+  config = mkIf cfg.enable {
    sops.secrets = {
      ca_password = {
        mode = "400";
-        owner = config.xinCA.user;
+        owner = cfg.user;
        sopsFile = config.xin-secrets.cert_authority;
      };
      "defaults.json" = {
        mode = "400";
-        owner = config.xinCA.user;
+        owner = cfg.user;
        path = "/var/lib/step-ca/config/defaults.json";
        sopsFile = config.xin-secrets.cert_authority;
      };
      "intermediate_ca.crt" = {
        mode = "444";
-        owner = config.xinCA.user;
+        owner = cfg.user;
        path = "/var/lib/step-ca/certs/intermediate_ca.crt";
        sopsFile = config.xin-secrets.cert_authority;
      };
      "intermediate_ca_key" = {
        mode = "400";
-        owner = config.xinCA.user;
+        owner = cfg.user;
        path = "/var/lib/step-ca/secrets/intermediate_ca_key";
        sopsFile = config.xin-secrets.cert_authority;
      };
      "root_ca.crt" = {
        mode = "444";
-        owner = config.xinCA.user;
+        owner = cfg.user;
        path = "/var/lib/step-ca/certs/root_ca.crt";
        sopsFile = config.xin-secrets.cert_authority;
      };
      "root_ca_key" = {
        mode = "400";
-        owner = config.xinCA.user;
+        owner = cfg.user;
        path = "/var/lib/step-ca/secrets/root_ca_key";
        sopsFile = config.xin-secrets.cert_authority;
      };
+      "jwk_encryptedKey" = {
+        mode = "400";
+        owner = cfg.user;
+        path = "/var/lib/step-ca/secrets/jwk_encryptedKey";
+        sopsFile = config.xin-secrets.cert_authority;
+      };
    };

    networking.hosts = { "127.0.0.1" = [ "ca.bolddaemon.com" ]; };
@ -77,12 +84,15 @@ with lib; {
          badgerFileLoadingMode = "";
        };
        authority = {
-          provisioners = [{
-            type = "SSHPOP";
-            name = "sshpop";
-            claims = { enableSSHCA = true; };
-          }];
+          provisioners = [
+            {
+              type = "SSHPOP";
+              name = "sshpop";
+              claims = { enableSSHCA = true; };
+            }
+          ];
        };
+
        tls = {
          cipherSuites = [
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
--- a/hosts/europa/default.nix
+++ b/hosts/europa/default.nix
@ -147,7 +147,7 @@ in {
    };
  };

-  #xinCA = { enable = true; };
+  services.xinCA = { enable = true; };

  services = {
    restic = {