add step ca

2023-12-08 16:07:18 +01:00
parent 5c882e0311
commit b1696d9082
7 changed files with 116 additions and 4 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -69,6 +69,7 @@
        ./modules/kavita.nix
        ./modules/netdata.nix
        ./modules/invidious.nix
+        ./modules/step-ca.nix
        ./modules/tmpfs.nix
        ### Hardware ###
        ./modules/hardware/ssd.nix
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@@ -62,9 +62,21 @@ in
          "domain" = "yt.local";
          "answer" = ip;
         }
+         {
+          "domain" = "nextcloud.local";
+          "answer" = wireguardIp;
+         }
+         {
+          "domain" = "kavita.local";
+          "answer" = wireguardIp;
+         }
+         {
+          "domain" = "yt.local";
+          "answer" = wireguardIp;
+         }
         {
           "domain" = "turnserver.local";
-           "answer" = "192.168.2.1";
+           "answer" = wireguardIp;
         }
         {
          "domain" = "inverter.local";
--- a/modules/invidious.nix
+++ b/modules/invidious.nix
@@ -38,6 +38,8 @@ in

      use_pubsub_feeds = false;
      channel_refresh_interval = "15m";
+      dark_mode = "dark";
+      autoplay = true;
    };

    extraSettingsFile = config.age.secrets.invidious-extra-settings.path;
@@ -46,8 +48,6 @@ in
  };

  services.nginx.virtualHosts."${fqdn}" = {
-    listenAddresses = [ vars.ipv4 vars.wireguardIp ];
-
    locations."/" = {
      recommendedProxySettings = true;
      proxyPass = "http://127.0.0.1:8007";
--- a/modules/step-ca.nix
+++ b/modules/step-ca.nix
@@ -0,0 +1,86 @@
+{ pkgs, lib, ... }:
+let
+  root_ca =
+    ''
+-----BEGIN CERTIFICATE-----
+MIIBjTCCATKgAwIBAgIRAMVH2+JHZ3wm2fLUlKjTYDswCgYIKoZIzj0EAwIwJDEM
+MAoGA1UEChMDS29wMRQwEgYDVQQDEwtLb3AgUm9vdCBDQTAeFw0yMzEyMDgxNDUx
+MTZaFw0zMzEyMDUxNDUxMTZaMCQxDDAKBgNVBAoTA0tvcDEUMBIGA1UEAxMLS29w
+IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATdZBOkNynShXipzhuX
+f6dUByD3chNupNWsagYC5AlPRJT9fAeHEIK/bxWkFwRtLBDopWvBu9lHahBgpHc7
+y7rTo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNV
+HQ4EFgQU9AVtwipW5HDBLfZRH1KZCnIKCfowCgYIKoZIzj0EAwIDSQAwRgIhAMHj
+AipNdhQKIYPvMt/h1uW4xP3NTkitnmshM09+rIasAiEAlSalGddXDkqJBHhPD+Fr
+gpuVkfVkA8gQCXNs5F9TnxA=
+-----END CERTIFICATE-----
+    '';
+  intermediate_ca =
+    ''
+-----BEGIN CERTIFICATE-----
+MIIBtDCCAVqgAwIBAgIQbEVEV7LgtjVWO+qBrrmgETAKBggqhkjOPQQDAjAkMQww
+CgYDVQQKEwNLb3AxFDASBgNVBAMTC0tvcCBSb290IENBMB4XDTIzMTIwODE0NTEx
+N1oXDTMzMTIwNTE0NTExN1owLDEMMAoGA1UEChMDS29wMRwwGgYDVQQDExNLb3Ag
+SW50ZXJtZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmv7jg7Cs
+4L5v52+3yUmn79hZFS2vmm/5wwcUCL63dokEXQsHgbEjaRKsF/MW0yJDLTB6Sdhl
+pCvoNJqITWuEN6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwHQYDVR0OBBYEFDgVolMCmdrhDIXhuIs4q/KwRKNLMB8GA1UdIwQYMBaAFPQF
+bcIqVuRwwS32UR9SmQpyCgn6MAoGCCqGSM49BAMCA0gAMEUCIQCQa01E+UvAJ8KR
+DFfDducZUpW4tZRN35lqoge7T9nM2QIgK4FFt1NqDqcjOSabAXPOQ68bvdxlHW0y
+AgN9qNc3Jbo=
+-----END CERTIFICATE-----
+'';
+
+in
+{
+  age.secrets.step-ca-pw = {
+    file = ../secrets/step-ca-pw.age;
+  };
+  age.secrets.step-ca-key = {
+    file = ../secrets/step-ca-key.age;
+  };
+  services.step-ca = {
+    enable = true;
+    address = "127.0.0.1";
+    port = 8443;
+    intermediatePasswordFile = config.age.secrets.step-ca-pw.path;
+    settings = {
+      dnsNames = [ "localhost" "127.0.0.1" "*.local" ];
+      root = pkgs.writeTextFile {
+        name = "root.ca";
+        text = root_ca;
+      };
+      crt = pkgs.writeTextFile {
+        name = "intermediate.ca";
+        text = intermediate_ca;
+      };
+      key = config.age.secrets.step_intermediate_ca_key.path;
+      db = {
+        type = "badger";
+        dataSource = "/var/lib/step-ca/db";
+      };
+      authority = {
+        claims = {
+          minTLSCertDuration = "5m";
+          maxTLSCertDuration = "24h";
+          defaultTLSCertDuration = "24h";
+        };
+        provisioners = [
+          {
+            type = "ACME";
+            name = "acme";
+            forceCN = true;
+          }
+        ];
+      };
+      tls = {
+        cipherSuites = [
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        ];
+	minVersion = "1.2";
+	maxVersion = "1.3";
+	renegotiation = "false";
+      };
+    };
+  };
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -20,5 +20,6 @@ in
  "matrix-registration.age".publicKeys = [ nix-test-vm server kop ];
  "paperless.age".publicKeys = [ nix-test-vm server kop ];
  "kavita.age".publicKeys = [ nix-test-vm server kop ];
-  "invidious-extra-settings.age".publicKeys = [ nix-test-vm server kop ];
+  "step-ca-pw.age".publicKeys = [ nix-test-vm server kop ];
+  "step-ca-key.age".publicKeys = [ nix-test-vm server kop ];
 }
--- a/secrets/step-ca-key.age
+++ b/secrets/step-ca-key.age
--- a/secrets/step-ca-pw.age
+++ b/secrets/step-ca-pw.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 yfCCMw OgXEZi4GHlh0htigcyT0c86ZlZvmv5ve6g0Dnk9mhS8
+57hPI3DO/2Lic5JZ/4Cgq1y0tYoZKc+E6LwS62Zi0kg
+-> ssh-ed25519 IV3DkQ YG3gxtuOx5sfD7rwAClr+MrFzEgw2sgfpxzZDyT9nj4
+VIP3Hkk9ZBG9BHNPHt4C6LazylU6htJ6gmdamqAYLUw
+-> ssh-ed25519 DCzi1A DcsbrGWEyzUB7QKGvlMU9CMB/bq7JVz/aSz7uJprQRg
+NpBDT786hL0GZNaY1IsDnU9iFxlYZs8ti1FAfBeHBIQ
+-> z-grease |WDf ~K7q9K *xzH^n6{
+6G9KAajGo/o6dcYb/MAOE7AIIZKTTMrN9fh9ACkINLB38ZrREUCsrJDE90sx62nX
+MOJKZ3k4
+--- ExlgUArhnqSMlZwWWoFdM/Ugc3fLKbQ9ZCguzqUIlkM
+ò<EFBFBD>F!º<>à0QÀ†¶ÎQm¾[ öeç«Ü6–M“ýÕûéxB