kopatz/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add step ca

Browse Source
This commit is contained in:
Kopatz
2023-12-08 16:07:18 +01:00
parent 5c882e0311
commit b1696d9082
7 changed files with 116 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
modules/adguard.nix
View File

@@ -62,9 +62,21 @@ in
"domain" = "yt.local";
"answer" = ip;
}
{
"domain" = "nextcloud.local";
"answer" = wireguardIp;
}
{
"domain" = "kavita.local";
"answer" = wireguardIp;
}
{
"domain" = "yt.local";
"answer" = wireguardIp;
}
{
"domain" = "turnserver.local";
"answer" = "192.168.2.1";
"answer" = wireguardIp;
}
{
"domain" = "inverter.local";

4
modules/invidious.nix
View File

@@ -38,6 +38,8 @@ in
use_pubsub_feeds = false;
channel_refresh_interval = "15m";
dark_mode = "dark";
autoplay = true;
};
extraSettingsFile = config.age.secrets.invidious-extra-settings.path;
@@ -46,8 +48,6 @@ in
};
services.nginx.virtualHosts."${fqdn}" = {
listenAddresses = [ vars.ipv4 vars.wireguardIp ];
locations."/" = {
recommendedProxySettings = true;
proxyPass = "http://127.0.0.1:8007";

86
modules/step-ca.nix Normal file
View File

@@ -0,0 +1,86 @@
{ pkgs, lib, ... }:
let
root_ca =
''
-----BEGIN CERTIFICATE-----
MIIBjTCCATKgAwIBAgIRAMVH2+JHZ3wm2fLUlKjTYDswCgYIKoZIzj0EAwIwJDEM
MAoGA1UEChMDS29wMRQwEgYDVQQDEwtLb3AgUm9vdCBDQTAeFw0yMzEyMDgxNDUx
MTZaFw0zMzEyMDUxNDUxMTZaMCQxDDAKBgNVBAoTA0tvcDEUMBIGA1UEAxMLS29w
IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATdZBOkNynShXipzhuX
f6dUByD3chNupNWsagYC5AlPRJT9fAeHEIK/bxWkFwRtLBDopWvBu9lHahBgpHc7
y7rTo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNV
HQ4EFgQU9AVtwipW5HDBLfZRH1KZCnIKCfowCgYIKoZIzj0EAwIDSQAwRgIhAMHj
AipNdhQKIYPvMt/h1uW4xP3NTkitnmshM09+rIasAiEAlSalGddXDkqJBHhPD+Fr
gpuVkfVkA8gQCXNs5F9TnxA=
-----END CERTIFICATE-----
'';
intermediate_ca =
''
-----BEGIN CERTIFICATE-----
MIIBtDCCAVqgAwIBAgIQbEVEV7LgtjVWO+qBrrmgETAKBggqhkjOPQQDAjAkMQww
CgYDVQQKEwNLb3AxFDASBgNVBAMTC0tvcCBSb290IENBMB4XDTIzMTIwODE0NTEx
N1oXDTMzMTIwNTE0NTExN1owLDEMMAoGA1UEChMDS29wMRwwGgYDVQQDExNLb3Ag
SW50ZXJtZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmv7jg7Cs
4L5v52+3yUmn79hZFS2vmm/5wwcUCL63dokEXQsHgbEjaRKsF/MW0yJDLTB6Sdhl
pCvoNJqITWuEN6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
AQAwHQYDVR0OBBYEFDgVolMCmdrhDIXhuIs4q/KwRKNLMB8GA1UdIwQYMBaAFPQF
bcIqVuRwwS32UR9SmQpyCgn6MAoGCCqGSM49BAMCA0gAMEUCIQCQa01E+UvAJ8KR
DFfDducZUpW4tZRN35lqoge7T9nM2QIgK4FFt1NqDqcjOSabAXPOQ68bvdxlHW0y
AgN9qNc3Jbo=
-----END CERTIFICATE-----
'';
in
{
age.secrets.step-ca-pw = {
file = ../secrets/step-ca-pw.age;
};
age.secrets.step-ca-key = {
file = ../secrets/step-ca-key.age;
};
services.step-ca = {
enable = true;
address = "127.0.0.1";
port = 8443;
intermediatePasswordFile = config.age.secrets.step-ca-pw.path;
settings = {
dnsNames = [ "localhost" "127.0.0.1" "*.local" ];
root = pkgs.writeTextFile {
name = "root.ca";
text = root_ca;
};
crt = pkgs.writeTextFile {
name = "intermediate.ca";
text = intermediate_ca;
};
key = config.age.secrets.step_intermediate_ca_key.path;
db = {
type = "badger";
dataSource = "/var/lib/step-ca/db";
};
authority = {
claims = {
minTLSCertDuration = "5m";
maxTLSCertDuration = "24h";
defaultTLSCertDuration = "24h";
};
provisioners = [
{
type = "ACME";
name = "acme";
forceCN = true;
}
];
};
tls = {
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
];
minVersion = "1.2";
maxVersion = "1.3";
renegotiation = "false";
};
};
};
}