119 lines
3.1 KiB
Nix
119 lines
3.1 KiB
Nix
{ config
|
|
, lib
|
|
, pkgs
|
|
, ...
|
|
}:
|
|
let
|
|
cfg = config.services.xinCA;
|
|
in
|
|
with lib; {
|
|
options = {
|
|
services.xinCA = {
|
|
enable = mkEnableOption "Configure host as a xin certificate authority.";
|
|
|
|
user = mkOption {
|
|
type = types.str;
|
|
default = "step-ca";
|
|
description = ''
|
|
User who will own the CA key material.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
imports = [ ../modules/ts-rev-prox.nix ];
|
|
config = mkIf cfg.enable {
|
|
sops.secrets = {
|
|
ca_password = {
|
|
mode = "400";
|
|
owner = cfg.user;
|
|
sopsFile = config.xin-secrets.cert_authority;
|
|
};
|
|
"defaults.json" = {
|
|
mode = "400";
|
|
owner = cfg.user;
|
|
path = "/var/lib/step-ca/config/defaults.json";
|
|
sopsFile = config.xin-secrets.cert_authority;
|
|
};
|
|
"intermediate_ca.crt" = {
|
|
mode = "444";
|
|
owner = cfg.user;
|
|
path = "/var/lib/step-ca/certs/intermediate_ca.crt";
|
|
sopsFile = config.xin-secrets.cert_authority;
|
|
};
|
|
"intermediate_ca_key" = {
|
|
mode = "400";
|
|
owner = cfg.user;
|
|
path = "/var/lib/step-ca/secrets/intermediate_ca_key";
|
|
sopsFile = config.xin-secrets.cert_authority;
|
|
};
|
|
"root_ca.crt" = {
|
|
mode = "444";
|
|
owner = cfg.user;
|
|
path = "/var/lib/step-ca/certs/root_ca.crt";
|
|
sopsFile = config.xin-secrets.cert_authority;
|
|
};
|
|
"root_ca_key" = {
|
|
mode = "400";
|
|
owner = cfg.user;
|
|
path = "/var/lib/step-ca/secrets/root_ca_key";
|
|
sopsFile = config.xin-secrets.cert_authority;
|
|
};
|
|
"jwk_encryptedKey" = {
|
|
mode = "400";
|
|
owner = cfg.user;
|
|
path = "/var/lib/step-ca/secrets/jwk_encryptedKey";
|
|
sopsFile = config.xin-secrets.cert_authority;
|
|
};
|
|
};
|
|
|
|
networking.hosts = { "127.0.0.1" = [ "ca.bolddaemon.com" ]; };
|
|
|
|
environment.sessionVariables = { STEPPATH = "/var/lib/step-ca"; };
|
|
environment.systemPackages = with pkgs; [
|
|
step-cli
|
|
step-kms-plugin
|
|
opensc
|
|
libressl
|
|
];
|
|
|
|
services.step-ca = {
|
|
enable = true;
|
|
intermediatePasswordFile = "${config.sops.secrets.ca_password.path}";
|
|
address = "127.0.0.1";
|
|
port = 443;
|
|
settings = {
|
|
root = config.sops.secrets."root_ca.crt".path;
|
|
crt = config.sops.secrets."intermediate_ca.crt".path;
|
|
key = config.sops.secrets.intermediate_ca_key.path;
|
|
dnsNames = [ "ca.bolddaemon.com" ];
|
|
logger = { format = "text"; };
|
|
db = {
|
|
type = "badgerv2";
|
|
dataSource = "/var/lib/step-ca/db";
|
|
badgerFileLoadingMode = "";
|
|
};
|
|
authority = {
|
|
provisioners = [
|
|
{
|
|
type = "SSHPOP";
|
|
name = "sshpop";
|
|
claims = { enableSSHCA = true; };
|
|
}
|
|
];
|
|
};
|
|
|
|
tls = {
|
|
cipherSuites = [
|
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
|
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
|
|
];
|
|
minVersion = 1.2;
|
|
maxVersion = 1.3;
|
|
renegotiation = false;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|