blob: 056aa7ae4ee5048a1780af11455b275c30070d67 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
# generate intermediate certificate with generate-krebs-intermediate-ca
{ config, lib, pkgs, ... }: let
domain = "ca.r";
in {
security.acme = {
acceptTerms = true; # kinda pointless since we never use upstream
email = "spam@krebsco.de";
certs.${domain}.server = "https://${domain}:1443/acme/acme/directory"; # use 1443 here cause bootstrapping loop
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts.${domain} = {
addSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "https://localhost:1443";
};
locations."= /ca.crt".alias = ../6assets/krebsAcmeCA.crt;
};
};
krebs.secret.files.krebsAcme = {
path = "/var/lib/step-ca/intermediate_ca.key";
owner.name = "root";
mode = "1444";
source-path = builtins.toString <secrets> + "/acme_ca.key";
};
services.step-ca = {
enable = true;
intermediatePasswordFile = "/dev/null";
address = "0.0.0.0";
port = 1443;
settings = {
root = pkgs.writeText "root.crt" config.krebs.ssl.rootCA;
crt = pkgs.writeText "intermediate.crt" config.krebs.ssl.intermediateCA;
key = "/var/lib/step-ca/intermediate_ca.key";
dnsNames = [ domain ];
logger.format = "text";
db = {
type = "badger";
dataSource = "/var/lib/step-ca/db";
};
authority = {
provisioners = [{
type = "ACME";
name = "acme";
forceCN = true;
}];
claims = {
maxTLSCertDuration = "2160h";
defaultTLSCertDuration = "2160h";
};
backdate = "1m0s";
};
tls = {
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
];
minVersion = 1.2;
maxVersion = 1.3;
renegotiation = false;
};
};
};
}
|