add ca for retiolum

This commit is contained in:
Jörg Thalheim 2021-12-23 12:55:24 +01:00
parent 3ab8437445
commit a8bf646372
4 changed files with 82 additions and 0 deletions

View File

@ -3,5 +3,6 @@
outputs = { self }: { outputs = { self }: {
nixosModules.retiolum = import ./modules/retiolum; nixosModules.retiolum = import ./modules/retiolum;
nixosModules.ca = import ./modules/ca;
}; };
} }

48
modules/ca/default.nix Normal file
View File

@ -0,0 +1,48 @@
{ config, lib, pkgs, ... }: let
cfg = config.retiolum.ca;
in {
options.retiolum.ca = {
rootCA = lib.mkOption {
type = lib.types.str;
readOnly = true;
default = builtins.readFile ./root-ca.crt;
};
intermediateCA = lib.mkOption {
type = lib.types.str;
readOnly = true;
default = builtins.readFile ./intermediate-ca.crt;
};
acmeURL = lib.mkOption {
type = lib.types.str;
readOnly = true;
default = "https://ca.r/acme/acme/directory";
description = ''
security.acme.certs.$name.server = config.retiolum.ca.acmeURL;
'';
};
trustRoot = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
whether to trust the krebs root CA.
This implies that krebs can forge a certficate for every domain
'';
};
trustIntermediate = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
whether to trust the krebs ACME CA.
this only trusts the intermediate cert for .w and .r domains
'';
};
};
config = lib.mkMerge [
(lib.mkIf cfg.trustRoot {
security.pki.certificates = [ cfg.rootCA ];
})
(lib.mkIf cfg.trustIntermediate {
security.pki.certificates = [ cfg.intermediateCA ];
})
];
}

View File

@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICWTCCAcKgAwIBAgIQbAfVX2J0VIzhEYSPVAB4SzANBgkqhkiG9w0BAQsFADCB
gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl
YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq
hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMTEyMTAwODQ5
MDZaFw0yMjEyMTAwODQ5MDZaMBgxFjAUBgNVBAMTDUtyZWJzIEFDTUUgQ0EwWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAATL8dNO7ajNe60Km7wHrG06tCUj5kQKWsrQ
Ay7KX8zO+RwQpYhd/i4bqpeGkGWh8uHLZ+164FlZaLgHO10DRja5o4GAMH4wDgYD
VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFMt9yJED
mPRhXsrNZ0x+GtzjdnTLMB8GA1UdIwQYMBaAFIp6rTX6sDCnvIBfDOXBkGjcQZUv
MBgGA1UdHgEB/wQOMAygCjADggFyMAOCAXcwDQYJKoZIhvcNAQELBQADgYEANo/2
teIuEsniwxVdqu+ukjqOXHIkBK7F91+G7BuDjBlx2U96v1MwsmT4D9upajERnOOD
tLx990Sj4t3avRTpytt+qLeIMIxt62YksUXVjDWndqaDcEUat5ZVEQsZ0ZmjOHrA
BaB65eU0xhJWKAZdk55GqHEFz3Ym4rx7WUaomzk=
-----END CERTIFICATE-----

18
modules/ca/root-ca.crt Normal file
View File

@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC0jCCAjugAwIBAgIJAKeARo6lDD0YMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD
VQQGEwJaWjESMBAGA1UECAwJc3RhdGVsZXNzMRAwDgYDVQQKDAdLcmVic2NvMQsw
CQYDVQQLDAJLTTEWMBQGA1UEAwwNS3JlYnMgUm9vdCBDQTEnMCUGCSqGSIb3DQEJ
ARYYcm9vdC1jYUBzeW50YXgtZmVobGVyLmRlMB4XDTE0MDYxMTA4NTMwNloXDTM5
MDIwMTA4NTMwNlowgYExCzAJBgNVBAYTAlpaMRIwEAYDVQQIDAlzdGF0ZWxlc3Mx
EDAOBgNVBAoMB0tyZWJzY28xCzAJBgNVBAsMAktNMRYwFAYDVQQDDA1LcmVicyBS
b290IENBMScwJQYJKoZIhvcNAQkBFhhyb290LWNhQHN5bnRheC1mZWhsZXIuZGUw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMs/WNyeQziccllLqom7bfCjlh6/
/qx9p6UOqpw96YOOT3sh/mNSBLyNxIUJbWsU7dN5hT7HkR7GwzpfKDtudd9qiZeU
QNYQ+OL0HdOnApjdPqdspZfKxKTXyC1T1vJlaODsM1RBrjLK9RUcQZeNhgg3iM9B
HptOCrMI2fjCdZuVAgMBAAGjUDBOMB0GA1UdDgQWBBSKeq01+rAwp7yAXwzlwZBo
3EGVLzAfBgNVHSMEGDAWgBSKeq01+rAwp7yAXwzlwZBo3EGVLzAMBgNVHRMEBTAD
AQH/MA0GCSqGSIb3DQEBBQUAA4GBAIWIffZuQ43ddY2/ZnjAxPCRpM3AjoKIwEj9
GZuLJJ1sB9+/PAPmRrpmUniRkPLD4gtmolDVuoLDNAT9os7/v90yg5dOuga33Ese
725musUbhEoQE1A1oVHrexBs2sQOplxHKsVXoYJp2/trQdqvaNaEKc3EeVnzFC63
80WiO952
-----END CERTIFICATE-----