add step ca

This commit is contained in:
Kopatz
2023-12-08 16:07:18 +01:00
parent 5c882e0311
commit b1696d9082
7 changed files with 116 additions and 4 deletions


@@ -69,6 +69,7 @@
./modules/kavita.nix ./modules/kavita.nix
./modules/netdata.nix ./modules/netdata.nix
./modules/invidious.nix ./modules/invidious.nix
./modules/step-ca.nix
./modules/tmpfs.nix ./modules/tmpfs.nix
### Hardware ### ### Hardware ###
./modules/hardware/ssd.nix ./modules/hardware/ssd.nix


@@ -62,9 +62,21 @@ in
"domain" = "yt.local"; "domain" = "yt.local";
"answer" = ip; "answer" = ip;
} }
{
"domain" = "nextcloud.local";
"answer" = wireguardIp;
}
{
"domain" = "kavita.local";
"answer" = wireguardIp;
}
{
"domain" = "yt.local";
"answer" = wireguardIp;
}
{ {
"domain" = "turnserver.local"; "domain" = "turnserver.local";
"answer" = "192.168.2.1"; "answer" = wireguardIp;
} }
{ {
"domain" = "inverter.local"; "domain" = "inverter.local";
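Review bot: `yt.local` now has two rewrite entries in this list — the existing one answering `ip` and the newly added one answering `wireguardIp` — so a resolver gets both A records and a client that only has the tunnel may try the LAN address first. If dual-homed access is the intent that is fine; otherwise drop one of the two, e.g. keep only `{ "domain" = "yt.local"; "answer" = wireguardIp; }`. `nextcloud.local` and `kavita.local` are added with `wireguardIp` only; if they already have `ip` entries above the hunk the same question applies. The enclosing rewrites list starts before this hunk.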


@@ -38,6 +38,8 @@ in
use_pubsub_feeds = false; use_pubsub_feeds = false;
channel_refresh_interval = "15m"; channel_refresh_interval = "15m";
dark_mode = "dark";
autoplay = true;
}; };
extraSettingsFile = config.age.secrets.invidious-extra-settings.path; extraSettingsFile = config.age.secrets.invidious-extra-settings.path;
@@ -46,8 +48,6 @@ in
}; };
services.nginx.virtualHosts."${fqdn}" = { services.nginx.virtualHosts."${fqdn}" = {
listenAddresses = [ vars.ipv4 vars.wireguardIp ];
locations."/" = { locations."/" = {
recommendedProxySettings = true; recommendedProxySettings = true;
proxyPass = "http://127.0.0.1:8007"; proxyPass = "http://127.0.0.1:8007";
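Review bot: Dropping `listenAddresses = [ vars.ipv4 vars.wireguardIp ];` from the `${fqdn}` virtual host makes nginx bind it on the module default (all addresses) instead of only the LAN and WireGuard IPs, which is a wider exposure than before unless a firewall already limits the port. If the goal was to make the name reachable over the tunnel, that was already covered by the removed line, and `listenAddresses = [ vars.wireguardIp ];` would narrow rather than widen it. If the broadening is deliberate, a one-line comment on the vhost, `# intentionally bound on all interfaces; see firewall rules`, would stop the next reader from re-adding the restriction. The `services.nginx.virtualHosts."${fqdn}"` block continues past the hunk.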

86
modules/step-ca.nix Normal file

@@ -0,0 +1,86 @@
{ pkgs, lib, ... }:
let
root_ca =
''
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
'';
intermediate_ca =
''
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
'';
in
{
age.secrets.step-ca-pw = {
file = ../secrets/step-ca-pw.age;
};
age.secrets.step-ca-key = {
file = ../secrets/step-ca-key.age;
};
services.step-ca = {
enable = true;
address = "127.0.0.1";
port = 8443;
intermediatePasswordFile = config.age.secrets.step-ca-pw.path;
settings = {
dnsNames = [ "localhost" "127.0.0.1" "*.local" ];
root = pkgs.writeTextFile {
name = "root.ca";
text = root_ca;
};
crt = pkgs.writeTextFile {
name = "intermediate.ca";
text = intermediate_ca;
};
key = config.age.secrets.step_intermediate_ca_key.path;
db = {
type = "badger";
dataSource = "/var/lib/step-ca/db";
};
authority = {
claims = {
minTLSCertDuration = "5m";
maxTLSCertDuration = "24h";
defaultTLSCertDuration = "24h";
};
provisioners = [
{
type = "ACME";
name = "acme";
forceCN = true;
}
];
};
tls = {
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
];
minVersion = "1.2";
maxVersion = "1.3";
renegotiation = "false";
};
};
};
}
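Review bot: This module references `config` (`intermediatePasswordFile = config.age.secrets.step-ca-pw.path;` and the `key = ...` line) but the header only binds `{ pkgs, lib, ... }:`, so evaluation fails on an undefined variable; it should be `{ config, pkgs, lib, ... }:`. The key path also names a secret that is never declared — `step_intermediate_ca_key` versus the `step-ca-key` defined in `age.secrets` a few lines up — and should read `key = config.age.secrets.step-ca-key.path;`. agenix secrets default to root-only 0400, and as far as I recall the NixOS step-ca unit runs as its own (dynamic) user rather than root, so both secrets likely need `owner`/`mode` set so the service can read them. The `tls` block passes `minVersion`, `maxVersion` and `renegotiation` as strings, whereas step-ca's ca.json takes numbers and a boolean (`minVersion = 1.2; maxVersion = 1.3; renegotiation = false;`) — worth confirming against the module's settings handling before relying on the listener coming up. With `address = "127.0.0.1"` and only an ACME provisioner, hosts other than this one cannot enroll; if the `*.local` names in `dnsNames` are meant to get certificates over the network, the CA needs to listen on the WireGuard address or sit behind nginx.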


@@ -20,5 +20,6 @@ in
"matrix-registration.age".publicKeys = [ nix-test-vm server kop ]; "matrix-registration.age".publicKeys = [ nix-test-vm server kop ];
"paperless.age".publicKeys = [ nix-test-vm server kop ]; "paperless.age".publicKeys = [ nix-test-vm server kop ];
"kavita.age".publicKeys = [ nix-test-vm server kop ]; "kavita.age".publicKeys = [ nix-test-vm server kop ];
"invidious-extra-settings.age".publicKeys = [ nix-test-vm server kop ]; "step-ca-pw.age".publicKeys = [ nix-test-vm server kop ];
"step-ca-key.age".publicKeys = [ nix-test-vm server kop ];
} }
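Review bot: The `"invidious-extra-settings.age"` rule appears only on the old side of the row where `"step-ca-pw.age"` is added, which suggests it was replaced rather than kept, while modules/invidious.nix in this same commit still reads `config.age.secrets.invidious-extra-settings.path`. Nix evaluation will not notice (secrets.nix only drives the agenix CLI), but the file can no longer be edited or re-keyed with `agenix -e` / `agenix -r`; if the drop is a merge accident, restore `"invidious-extra-settings.age".publicKeys = [ nix-test-vm server kop ];` next to the new entries. Separately, `step-ca-key.age` is the intermediate signing key and is made decryptable by all three recipients including the test VM and the user key; consider limiting that entry to the host that actually runs the CA, e.g. `"step-ca-key.age".publicKeys = [ server ];`, and keeping the wider list only for the password file if the others need it.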

BIN
secrets/step-ca-key.age Normal file

Binary file not shown.

12
secrets/step-ca-pw.age Normal file

@@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 yfCCMw OgXEZi4GHlh0htigcyT0c86ZlZvmv5ve6g0Dnk9mhS8
57hPI3DO/2Lic5JZ/4Cgq1y0tYoZKc+E6LwS62Zi0kg
-> ssh-ed25519 IV3DkQ YG3gxtuOx5sfD7rwAClr+MrFzEgw2sgfpxzZDyT9nj4
VIP3Hkk9ZBG9BHNPHt4C6LazylU6htJ6gmdamqAYLUw
-> ssh-ed25519 DCzi1A DcsbrGWEyzUB7QKGvlMU9CMB/bq7JVz/aSz7uJprQRg
NpBDT786hL0GZNaY1IsDnU9iFxlYZs8ti1FAfBeHBIQ
-> z-grease |WDf ~K7q9K *xzH^n6{
6G9KAajGo/o6dcYb/MAOE7AIIZKTTMrN9fh9ACkINLB38ZrREUCsrJDE90sx62nX
MOJKZ3k4
--- ExlgUArhnqSMlZwWWoFdM/Ugc3fLKbQ9ZCguzqUIlkM
ò<EFBFBD>F!º<>à0QÀ†¶ÎQm¾[ öeç«Ü6M“ýÕûéxB