1 files changed, 67 insertions, 0 deletions

diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix
new file mode 100644
index 00000000..056aa7ae
--- /dev/null
+++ b/krebs/2configs/acme.nix
@@ -0,0 +1,67 @@
+# generate intermediate certificate with generate-krebs-intermediate-ca
+{ config, lib, pkgs, ... }: let
+  domain = "ca.r";
+in {
+  security.acme = {
+    acceptTerms = true; # kinda pointless since we never use upstream
+    email = "spam@krebsco.de";
+    certs.${domain}.server = "https://${domain}:1443/acme/acme/directory"; # use 1443 here cause bootstrapping loop
+  };
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts.${domain} = {
+      addSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "https://localhost:1443";
+      };
+      locations."= /ca.crt".alias = ../6assets/krebsAcmeCA.crt;
+    };
+  };
+  krebs.secret.files.krebsAcme = {
+    path = "/var/lib/step-ca/intermediate_ca.key";
+    owner.name = "root";
+    mode = "1444";
+    source-path = builtins.toString <secrets> + "/acme_ca.key";
+  };
+  services.step-ca = {
+    enable = true;
+    intermediatePasswordFile = "/dev/null";
+    address = "0.0.0.0";
+    port = 1443;
+    settings = {
+      root = pkgs.writeText "root.crt" config.krebs.ssl.rootCA;
+      crt = pkgs.writeText "intermediate.crt" config.krebs.ssl.intermediateCA;
+      key = "/var/lib/step-ca/intermediate_ca.key";
+      dnsNames = [ domain ];
+      logger.format = "text";
+      db = {
+        type = "badger";
+        dataSource = "/var/lib/step-ca/db";
+      };
+      authority = {
+        provisioners = [{
+          type = "ACME";
+          name = "acme";
+          forceCN = true;
+        }];
+        claims = {
+          maxTLSCertDuration = "2160h";
+          defaultTLSCertDuration = "2160h";
+        };
+        backdate = "1m0s";
+      };
+      tls = {
+        cipherSuites = [
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        ];
+        minVersion = 1.2;
+        maxVersion = 1.3;
+        renegotiation = false;
+      };
+    };
+  };
+}