Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/krebs/default.nix1
-rw-r--r--krebs/3modules/ssl.nix80
3 files changed, 82 insertions, 0 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 0617e15b2..2772d8d37 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -48,6 +48,7 @@ let
./secret.nix
./setuid.nix
./shadow.nix
+ ./ssl.nix
./sync-containers.nix
./tinc.nix
./tinc_graphs.nix
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index f796f0323..35ed67f5f 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -76,6 +76,7 @@ in {
"agenda.r"
"build.r"
"build.hotdog.r"
+ "ca.r"
"cgit.hotdog.r"
"irc.r"
"wiki.r"
diff --git a/krebs/3modules/ssl.nix b/krebs/3modules/ssl.nix
new file mode 100644
index 000000000..5d28ac841
--- /dev/null
+++ b/krebs/3modules/ssl.nix
@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }: let
+ cfg = config.krebs.ssl;
+in {
+ options.krebs.ssl = {
+ rootCA = lib.mkOption {
+ type = lib.types.str;
+ readOnly = true;
+ default = ''
+ -----BEGIN CERTIFICATE-----
+ MIIC0jCCAjugAwIBAgIJAKeARo6lDD0YMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD
+ VQQGEwJaWjESMBAGA1UECAwJc3RhdGVsZXNzMRAwDgYDVQQKDAdLcmVic2NvMQsw
+ CQYDVQQLDAJLTTEWMBQGA1UEAwwNS3JlYnMgUm9vdCBDQTEnMCUGCSqGSIb3DQEJ
+ ARYYcm9vdC1jYUBzeW50YXgtZmVobGVyLmRlMB4XDTE0MDYxMTA4NTMwNloXDTM5
+ MDIwMTA4NTMwNlowgYExCzAJBgNVBAYTAlpaMRIwEAYDVQQIDAlzdGF0ZWxlc3Mx
+ EDAOBgNVBAoMB0tyZWJzY28xCzAJBgNVBAsMAktNMRYwFAYDVQQDDA1LcmVicyBS
+ b290IENBMScwJQYJKoZIhvcNAQkBFhhyb290LWNhQHN5bnRheC1mZWhsZXIuZGUw
+ gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMs/WNyeQziccllLqom7bfCjlh6/
+ /qx9p6UOqpw96YOOT3sh/mNSBLyNxIUJbWsU7dN5hT7HkR7GwzpfKDtudd9qiZeU
+ QNYQ+OL0HdOnApjdPqdspZfKxKTXyC1T1vJlaODsM1RBrjLK9RUcQZeNhgg3iM9B
+ HptOCrMI2fjCdZuVAgMBAAGjUDBOMB0GA1UdDgQWBBSKeq01+rAwp7yAXwzlwZBo
+ 3EGVLzAfBgNVHSMEGDAWgBSKeq01+rAwp7yAXwzlwZBo3EGVLzAMBgNVHRMEBTAD
+ AQH/MA0GCSqGSIb3DQEBBQUAA4GBAIWIffZuQ43ddY2/ZnjAxPCRpM3AjoKIwEj9
+ GZuLJJ1sB9+/PAPmRrpmUniRkPLD4gtmolDVuoLDNAT9os7/v90yg5dOuga33Ese
+ 725musUbhEoQE1A1oVHrexBs2sQOplxHKsVXoYJp2/trQdqvaNaEKc3EeVnzFC63
+ 80WiO952
+ -----END CERTIFICATE-----
+ '';
+ };
+ intermediateCA = lib.mkOption {
+ type = lib.types.str;
+ readOnly = true;
+ default = ''
+ -----BEGIN CERTIFICATE-----
+ MIICWzCCAcSgAwIBAgIQVavHn7XtM7NJ8bnph6hGoTANBgkqhkiG9w0BAQsFADCB
+ gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl
+ YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq
+ hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMTEyMDgxNTU5
+ MDRaFw0yMTEyMDkxNTU5MDRaMBoxGDAWBgNVBAMTD0tyZWJzIEFDTUUgQ0EgMTBZ
+ MBMGByqGSM49AgEGCCqGSM49AwEHA0IABDOK4g3pJPhOErk49zQgpNKE1cAyoeLp
+ PqWXkHZVLIVg8CBzPyCYiHS8RtaJ1kwWxwo5OTypCDOLxf1isR5HgZOjgYAwfjAO
+ BgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUv758
+ A4RPewsRtgjdB6AE1tn632swHwYDVR0jBBgwFoAUinqtNfqwMKe8gF8M5cGQaNxB
+ lS8wGAYDVR0eAQH/BA4wDKAKMAOCAXIwA4IBdzANBgkqhkiG9w0BAQsFAAOBgQAT
+ ewOSGWGTCWcJFGSxgnt8/WspMERq1hL1PikwwVMp7wzJmbHcbA0Es4fcrE5Xf8vQ
+ dGenlvyQjkQNahbsyGBoja7bpWpnw9qofLQkns1AZWp7q7GBqyKm30keM/E/stjH
+ YkgY4QaxlIL+6N0f4nKL3RSf6GQ1hWJOHf+RrboaMw==
+ -----END CERTIFICATE-----
+ '';
+ };
+ acmeURL = lib.mkOption {
+ type = lib.types.str;
+ readOnly = true;
+ default = "https://ca.r/acme/acme/directory";
+ };
+ trustRoot = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ whether to trust the krebs root CA.
+ This implies that krebs can forge a certficate for every domain
+ '';
+ };
+ trustIntermediate = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ whether to trust the krebs ACME CA.
+ this only trusts the intermediate cert for .w and .r domains
+ '';
+ };
+ };
+ config = lib.mkMerge [
+ (lib.mkIf cfg.trustRoot {
+ security.pki.certificates = [ cfg.rootCA ];
+ })
+ (lib.mkIf cfg.trustIntermediate {
+ security.pki.certificates = [ cfg.intermediateCA ];
+ })
+ ];
+}
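Review bot: The intermediate hard-coded in `intermediateCA` looks like it is valid for a single day: decoding its Validity field from the visible base64 (`Fw0yMTEyMDgxNTU5MDRa` / `Fw0yMTEyMDkxNTU5MDRa`) gives notBefore 2021-12-08T15:59:04Z and notAfter 2021-12-09T15:59:04Z, unless I have misread the DER, so `trustIntermediate = true` installs an anchor that TLS stacks checking anchor validity reject from the next day on, and `readOnly = true` prevents downstream configs from swapping it out. Please confirm with `openssl x509 -noout -dates` and either re-issue the intermediate with a lifetime comparable to the root's or drop `readOnly` on `intermediateCA` and `acmeURL` so they can be overridden. The `trustIntermediate` description also promises more than the mechanism guarantees: the cert does carry a critical nameConstraints extension permitting only the dNSNames `r` and `w`, but whether constraints on a certificate installed directly as a trust anchor are enforced depends on the validating library, so I would phrase it as `the cert is name-constrained to .r and .w; clients that do not apply constraints to trust anchors will trust it for any name`. Separately, the root's modulus (`AoGBAMs...`, a 129-byte INTEGER) indicates a 1024-bit RSA key, which OpenSSL at security level 2 or higher (the default on several current distributions) rejects as far as I recall even for the anchor, so a re-issue is a good moment to roll the root as well. Both descriptions should state that `security.pki.certificates` is the system-wide trust store, and `certficate` in the `trustRoot` description should read `certificate`.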