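# generate intermediate certificate with generate-krebs-intermediate-ca
#
# Runs a private step-ca instance on this host as an internal ACME server for
# `ca.r` and fronts it with nginx. The certificate nginx serves for ca.r is
# itself obtained from this step-ca via ACME, hence the port juggling below.
{ config, lib, pkgs, ... }: let

  domain = "ca.r";

  # Port step-ca listens on directly. nginx proxies 443 -> caPort, but the
  # local ACME client must talk to caPort itself to break the bootstrapping
  # loop (nginx cannot serve https://ca.r before it has a certificate).
  caPort = 1443;

  # Single definition of the intermediate CA key path so the secret
  # deployment (krebs.secret.files) and the step-ca settings cannot drift.
  intermediateKeyPath = "/var/lib/step-ca/intermediate_ca.key";

in {

  security.acme = {
    acceptTerms = true; # kinda pointless since we never use upstream
    email = "spam@krebsco.de";
    # use 1443 here cause bootstrapping loop
    certs.${domain}.server = "https://${domain}:${toString caPort}/acme/acme/directory";
  };

  # Public front door: terminates TLS for ca.r and forwards to step-ca.
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "https://localhost:${toString caPort}";
      };
    };
  };

  # Deploys the intermediate CA private key from the <secrets> tree.
  krebs.secret.files.krebsAcme = {
    path = intermediateKeyPath;
    owner.name = "root";
    # NOTE(review): 1444 (sticky + r--r--r--) leaves the intermediate CA
    # private key readable by every local user. Presumably chosen because
    # step-ca does not run as root and its service user is not referenced
    # here; confirm that user and restrict the mode/group to it if possible.
    mode = "1444";
    source-path = builtins.toString <secrets> + "/acme_ca.key";
  };

  services.step-ca = {
    enable = true;
    # Empty passphrase: the key file above is presumably stored unencrypted,
    # so its filesystem permissions are its only protection at rest.
    intermediatePasswordFile = "/dev/null";
    # Binds all interfaces, so the ACME directory is reachable on caPort
    # directly and not only through the nginx vhost.
    address = "0.0.0.0";
    port = caPort;
    settings = {
      # Root and intermediate certificates are public material; writing
      # them into the store is fine.
      root = pkgs.writeText "root.crt" config.krebs.ssl.rootCA;
      crt = pkgs.writeText "intermediate.crt" config.krebs.ssl.intermediateCA;
      key = intermediateKeyPath;
      dnsNames = [ domain ];
      logger.format = "text";
      db = {
        type = "badger";
        dataSource = "/var/lib/step-ca/db";
      };
      authority = {
        # Single ACME provisioner; forceCN makes step-ca set a CN on issued
        # certificates (taken from the first SAN, per step-ca docs — verify).
        provisioners = [{
          type = "ACME";
          name = "acme";
          forceCN = true;
        }];
        # 2160h = 90 days, both as the default and the ceiling for leaf certs.
        claims = {
          maxTLSCertDuration = "2160h";
          defaultTLSCertDuration = "2160h";
        };
        # notBefore is backdated by one minute to tolerate small clock skew
        # between ACME clients and the CA.
        backdate = "1m0s";
      };
      tls = {
        # ECDSA + AEAD suites only for TLS 1.2 (these require an ECDSA server
        # certificate); TLS 1.3 negotiates its own suites.
        cipherSuites = [
          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        ];
        minVersion = 1.2;
        maxVersion = 1.3;
        renegotiation = false;
      };
    };
  };

}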