step-ca: enable server on sodium and load root certs

This commit is contained in:
Jake Hillion 2024-08-01 19:16:06 +01:00
parent f96f03ba0c
commit db5dc5aee6
11 changed files with 113 additions and 10 deletions


@ -30,6 +30,9 @@
chmod +t /cache/tmp chmod +t /cache/tmp
''; '';
## CA server
custom.ca.service.enable = true;
### nix only supports build-dir from 2.22. bind mount /tmp to something persistent instead. ### nix only supports build-dir from 2.22. bind mount /tmp to something persistent instead.
fileSystems."/tmp" = { fileSystems."/tmp" = {
device = "/cache/tmp"; device = "/cache/tmp";

11
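--- a/modules/ca/README.md
+++ b/modules/ca/README.md
@@ -0,0 +1,11 @@
+# ca
+Getting the certificates in the right place is a manual process (for now, at least). This is to keep the most control over the root certificate's key and allow manual cycling. The manual commands should be run on a trusted machine.
+Creating a 10 year root certificate:
+nix run nixpkgs#step-cli -- certificate create 'Hillion ACME' cert.pem key.pem --kty=EC --curve=P-521 --profile=root-ca --not-after=87600h
+Creating the intermediate key:
+nix run nixpkgs#step-cli -- certificate create 'Hillion ACME (sodium.pop.ts.hillion.co.uk)' intermediate_cert.pem intermediate_key.pem --kty=EC --curve=P-521 --profile=intermediate-ca --not-after=8760h --ca=$NIXOS_ROOT/modules/ca/cert.pem --ca-key=DOWNLOADED_KEY.pem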

13
modules/ca/cert.pem Normal file

@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

14
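--- a/modules/ca/consumer.nix
+++ b/modules/ca/consumer.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, lib, ... }:
+let
+cfg = config.custom.ca.consumer;
+in
+{
+options.custom.ca.consumer = {
+enable = lib.mkEnableOption "ca.service";
+};
+config = lib.mkIf cfg.enable {
+security.pki.certificates = [ (builtins.readFile ./cert.pem) ];
+};
+}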
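Review bot: The option description on `enable = lib.mkEnableOption "ca.service";` is copied from service.nix and names the wrong option; it should read `enable = lib.mkEnableOption "ca.consumer";` so generated option docs and error messages are accurate. Separately, `security.pki.certificates` installs this root into the system-wide trust store, so every TLS client on a consumer host trusts it for any name, not only the internal services the ACME provisioner is meant to serve; a leaked root or intermediate key could therefore impersonate any site to every host with this option enabled. That trade-off deserves a comment above the line, e.g. `# System-wide trust: a compromised root/intermediate key can impersonate any host to this machine.`, and it is worth considering name constraints on the intermediate when it is next reissued if the tooling allows.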

8
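--- a/modules/ca/default.nix
+++ b/modules/ca/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+imports = [
+./consumer.nix
+./service.nix
+];
+}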

45
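--- a/modules/ca/service.nix
+++ b/modules/ca/service.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+let
+cfg = config.custom.ca.service;
+in
+{
+options.custom.ca.service = {
+enable = lib.mkEnableOption "ca.service";
+};
+config = lib.mkIf cfg.enable {
+services.step-ca = {
+enable = true;
+address = config.custom.dns.tailscale.ipv4;
+port = 8443;
+intermediatePasswordFile = "/data/system/ca/intermediate.psk";
+settings = {
+root = ./cert.pem;
+crt = "/data/system/ca/intermediate.crt";
+key = "/data/system/ca/intermediate.pem";
+dnsNames = [ "ca.ts.hillion.co.uk" ];
+logger = { format = "text"; };
+db = {
+type = "badgerv2";
+dataSource = "/var/lib/step-ca/db";
+};
+authority = {
+provisioners = [
+{
+type = "ACME";
+name = "acme";
+}
+];
+};
+};
+};
+};
+}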
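Review bot: The ACME provisioner declared with `type = "ACME"; name = "acme";` carries no `claims`, so the only control on issuance is that a client can reach the listener on `config.custom.dns.tailscale.ipv4` port 8443 and complete a challenge; because consumer hosts trust this root system-wide, that is the effective trust boundary and it is not stated anywhere in the module. Add a comment above `provisioners` saying so, and consider pinning the lifetimes explicitly, e.g. `claims = { defaultTLSCertDuration = "24h"; maxTLSCertDuration = "24h"; };` (example values), so a future change to step-ca's defaults cannot silently lengthen them. The `crt`, `key` and `intermediatePasswordFile` paths under `/data/system/ca/` are provisioned by hand per the README and must be readable by the step-ca service account; a comment naming the expected owner and mode would save the next operator a failed start. The literal `"/var/lib/step-ca/db"` is repeated in the impermanence module in this same commit; the impermanence side could read it from `config.services.step-ca.settings.db.dataSource` instead.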


@ -3,6 +3,7 @@
{ {
imports = [ imports = [
./backups/default.nix ./backups/default.nix
./ca/default.nix
./chia.nix ./chia.nix
./defaults.nix ./defaults.nix
./desktop/awesome/default.nix ./desktop/awesome/default.nix


@ -54,6 +54,7 @@
networking.firewall.enable = true; networking.firewall.enable = true;
# Delegation # Delegation
custom.ca.consumer.enable = true;
custom.dns.enable = true; custom.dns.enable = true;
custom.home.defaults = true; custom.home.defaults = true;
custom.hostinfo.enable = true; custom.hostinfo.enable = true;
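Review bot: Setting `custom.ca.consumer.enable = true;` next to the other delegated defaults means every host importing this file (it reads as the shared defaults, inferred from the neighbouring `custom.*` lines) gets the private root in its system-wide trust store, including hosts that never talk to the internal ACME-issued services. That widens the population affected by a root or intermediate key compromise for no benefit on those hosts. Either enable it per host where the Caddy-served names are actually used, or keep the default and add a one-line comment such as `# Trusts the private ACME root system-wide; see modules/ca/README.md` so the scope is visible to anyone reading the defaults.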


@ -2,7 +2,6 @@
let let
cfg = config.custom.impermanence; cfg = config.custom.impermanence;
listIf = (enable: x: if enable then x else [ ]);
in in
{ {
options.custom.impermanence = { options.custom.impermanence = {
@ -45,13 +44,14 @@ in
directories = [ directories = [
"/etc/nixos" "/etc/nixos"
] ++ (listIf config.services.tailscale.enable [ "/var/lib/tailscale" ]) ++ ] ++ (lib.lists.optional config.services.tailscale.enable "/var/lib/tailscale") ++
(listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]) ++ (lib.lists.optional config.services.zigbee2mqtt.enable config.services.zigbee2mqtt.dataDir) ++
(listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++ (lib.lists.optional config.services.postgresql.enable config.services.postgresql.dataDir) ++
(listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++ (lib.lists.optional config.hardware.bluetooth.enable "/var/lib/bluetooth") ++
(listIf config.custom.services.unifi.enable [ "/var/lib/unifi" ]) ++ (lib.lists.optional config.custom.services.unifi.enable "/var/lib/unifi") ++
(listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]) ++ (lib.lists.optional (config.virtualisation.oci-containers.containers != { }) "/var/lib/containers") ++
(listIf config.services.tang.enable [ "/var/lib/private/tang" ]); (lib.lists.optional config.services.tang.enable "/var/lib/private/tang") ++
(lib.lists.optional config.services.step-ca.enable "/var/lib/step-ca/db");
}; };
home-manager.users = home-manager.users =
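Review bot: The new entry `(lib.lists.optional config.services.step-ca.enable "/var/lib/step-ca/db")` hard-codes a path that is also declared as `settings.db.dataSource` in modules/ca/service.nix, so the two can drift apart silently; reading `config.services.step-ca.settings.db.dataSource` here instead keeps them in sync, provided every configuration that enables step-ca also sets that attribute (it is freeform settings, so check that before relying on it). Only the badger database is persisted by this change; the intermediate certificate, key and password file referenced from `/data/system/ca/` are not in this list, which is fine if `/data` is itself a persistent mount but worth a comment stating that assumption. The enclosing `config` block and the `directories` list's parent start outside the hunk.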


@ -32,6 +32,7 @@ in
86400 NS ns1.hillion.co.uk. 86400 NS ns1.hillion.co.uk.
ca 21600 CNAME sodium.pop.ts.hillion.co.uk.
deluge.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk. deluge.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
graphs.router.home 21600 CNAME router.home.ts.hillion.co.uk. graphs.router.home 21600 CNAME router.home.ts.hillion.co.uk.
prowlarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk. prowlarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.


@ -29,10 +29,16 @@ in
virtualHosts = builtins.listToAttrs (builtins.map virtualHosts = builtins.listToAttrs (builtins.map
(x: { (x: {
name = "http://${x}.downloads.ts.hillion.co.uk"; name = "${x}.downloads.ts.hillion.co.uk";
value = { value = {
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ]; listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
extraConfig = "reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock"; extraConfig = ''
reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock
tls {
ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
}
'';
}; };
}) [ "prowlarr" "sonarr" "radarr" "deluge" ]); }) [ "prowlarr" "sonarr" "radarr" "deluge" ]);
}; };
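Review bot: The added `ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory` line makes Caddy fetch the ACME directory over HTTPS from step-ca, which presents a certificate chained to the new private root, so issuance only works on hosts that already trust that root (via `custom.ca.consumer.enable`) or where the `tls` block also sets `ca_root <path-to-root-pem>`; nothing in this file records that dependency, so a host without the consumer module enabled will fail at renewal time rather than at evaluation time. A comment inside the `tls` block, e.g. `# directory is served with a cert from the private CA; requires custom.ca.consumer or ca_root`, would make the coupling explicit. Dropping the `http://` scheme from the host names also turns on automatic HTTPS and the HTTP-01 challenge, so port 80 on the tailscale listen addresses must be reachable from sodium; worth confirming against the firewall rules, which are outside this hunk.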