nixos-servers/services/ca/default.nix

{ pkgs, unstable, ... }:
{
  sops.secrets."ca_root_pw" = {
    sopsFile = ../../secrets/ca/secrets.yaml;
    owner = "step-ca";
    path = "/var/lib/step-ca/secrets/ca_root_pw";
  };
  sops.secrets."intermediate_ca_key" = {
    sopsFile = ../../secrets/ca/keys/intermediate_ca_key;
    format = "binary";
    owner = "step-ca";
    path = "/var/lib/step-ca/secrets/intermediate_ca_key";
  };
  sops.secrets."root_ca_key" = {
    sopsFile = ../../secrets/ca/keys/root_ca_key;
    format = "binary";
    owner = "step-ca";
    path = "/var/lib/step-ca/secrets/root_ca_key";
  };
  sops.secrets."ssh_host_ca_key" = {
    sopsFile = ../../secrets/ca/keys/ssh_host_ca_key;
    format = "binary";
    owner = "step-ca";
    path = "/var/lib/step-ca/secrets/ssh_host_ca_key";
  };
  sops.secrets."ssh_user_ca_key" = {
    sopsFile = ../../secrets/ca/keys/ssh_user_ca_key;
    format = "binary";
    owner = "step-ca";
    path = "/var/lib/step-ca/secrets/ssh_user_ca_key";
  };

  services.step-ca = {
    enable = true;
    package = pkgs.step-ca;
    intermediatePasswordFile = "/var/lib/step-ca/secrets/ca_root_pw";
    address = "0.0.0.0";
    port = 443;
    settings = {
      authority = {
        provisioners = [
          {
            claims = {
              enableSSHCA = true;
            };
            encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g";
            key = {
              alg = "ES256";
              crv = "P-256";
              kid = "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE";
              kty = "EC";
              use = "sig";
              x = "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo";
              y = "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0";
            };
            name = "ca@home.2rjus.net";
            type = "JWK";
          }
          {
            name = "acme";
            type = "ACME";
          }
          {
            claims = {
              enableSSHCA = true;
            };
            name = "sshpop";
            type = "SSHPOP";
          }
        ];
      };
      crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
      db = {
        badgerFileLoadingMode = "";
        dataSource = "/var/lib/step-ca/db";
        type = "badgerv2";
      };
      dnsNames = [
        "ca.home.2rjus.net"
        "10.69.13.12"
      ];
      federatedRoots = null;
      insecureAddress = "";
      key = "/var/lib/step-ca/secrets/intermediate_ca_key";
      logger = {
        format = "text";
      };
      root = "/var/lib/step-ca/certs/root_ca.crt";
      ssh = {
        hostKey = "/var/lib/step-ca/secrets/ssh_host_ca_key";
        userKey = "/var/lib/step-ca/secrets/ssh_user_ca_key";
      };
      templates = {
        ssh = {
          host = [
            {
              comment = "#";
              name = "sshd_config.tpl";
              path = "/etc/ssh/sshd_config";
              requires = [
                "Certificate"
                "Key"
              ];
              template = ./templates/ssh/sshd_config.tpl;
              type = "snippet";
            }
            {
              comment = "#";
              name = "ca.tpl";
              path = "/etc/ssh/ca.pub";
              template = ./templates/ssh/ca.tpl;
              type = "snippet";
            }
          ];
          user = [
            {
              comment = "#";
              name = "config.tpl";
              path = "~/.ssh/config";
              template = ./templates/ssh/config.tpl;
              type = "snippet";
            }
            {
              comment = "#";
              name = "step_includes.tpl";
              path = "\${STEPPATH}/ssh/includes";
              template = ./templates/ssh/step_includes.tpl;
              type = "prepend-line";
            }
            {
              comment = "#";
              name = "step_config.tpl";
              path = "ssh/config";
              template = ./templates/ssh/step_config.tpl;
              type = "file";
            }
            {
              comment = "#";
              name = "known_hosts.tpl";
              path = "ssh/known_hosts";
              template = ./templates/ssh/known_hosts.tpl;
              type = "file";
            }
          ];
        };
      };
      tls = {
        cipherSuites = [
          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        ];
        maxVersion = 1.3;
        minVersion = 1.2;
        renegotiation = false;
      };
    };
  };
}
Add secrets to ca 2024-10-21 10:02:10 +00:00			`{ pkgs, unstable, ... }:`
			`{`
			`sops.secrets."ca_root_pw" = {`
			`sopsFile = ../../secrets/ca/secrets.yaml;`
Update ca host config 2024-11-30 13:27:58 +00:00			`owner = "step-ca";`
Add secrets to ca 2024-10-21 10:02:10 +00:00			`path = "/var/lib/step-ca/secrets/ca_root_pw";`
			`};`
			`sops.secrets."intermediate_ca_key" = {`
			`sopsFile = ../../secrets/ca/keys/intermediate_ca_key;`
			`format = "binary";`
Update ca host config 2024-11-30 13:27:58 +00:00			`owner = "step-ca";`
Add secrets to ca 2024-10-21 10:02:10 +00:00			`path = "/var/lib/step-ca/secrets/intermediate_ca_key";`
			`};`
			`sops.secrets."root_ca_key" = {`
			`sopsFile = ../../secrets/ca/keys/root_ca_key;`
			`format = "binary";`
Update ca host config 2024-11-30 13:27:58 +00:00			`owner = "step-ca";`
Add secrets to ca 2024-10-21 10:02:10 +00:00			`path = "/var/lib/step-ca/secrets/root_ca_key";`
			`};`
			`sops.secrets."ssh_host_ca_key" = {`
			`sopsFile = ../../secrets/ca/keys/ssh_host_ca_key;`
			`format = "binary";`
Update ca host config 2024-11-30 13:27:58 +00:00			`owner = "step-ca";`
Add secrets to ca 2024-10-21 10:02:10 +00:00			`path = "/var/lib/step-ca/secrets/ssh_host_ca_key";`
			`};`
			`sops.secrets."ssh_user_ca_key" = {`
			`sopsFile = ../../secrets/ca/keys/ssh_user_ca_key;`
			`format = "binary";`
Update ca host config 2024-11-30 13:27:58 +00:00			`owner = "step-ca";`
Add secrets to ca 2024-10-21 10:02:10 +00:00			`path = "/var/lib/step-ca/secrets/ssh_user_ca_key";`
			`};`

Update ca host config 2024-11-30 13:27:58 +00:00			`services.step-ca = {`
			`enable = true;`
			`package = pkgs.step-ca;`
			`intermediatePasswordFile = "/var/lib/step-ca/secrets/ca_root_pw";`
			`address = "0.0.0.0";`
			`port = 443;`
			`settings = {`
			`authority = {`
			`provisioners = [`
			`{`
			`claims = {`
			`enableSSHCA = true;`
			`};`
			encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g";
			`key = {`
			`alg = "ES256";`
			`crv = "P-256";`
			`kid = "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE";`
			`kty = "EC";`
			`use = "sig";`
			`x = "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo";`
			`y = "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0";`
			`};`
			`name = "ca@home.2rjus.net";`
			`type = "JWK";`
			`}`
			`{`
			`name = "acme";`
			`type = "ACME";`
			`}`
			`{`
			`claims = {`
			`enableSSHCA = true;`
			`};`
			`name = "sshpop";`
			`type = "SSHPOP";`
			`}`
			`];`
			`};`
			`crt = "/var/lib/step-ca/certs/intermediate_ca.crt";`
			`db = {`
			`badgerFileLoadingMode = "";`
			`dataSource = "/var/lib/step-ca/db";`
			`type = "badgerv2";`
			`};`
			`dnsNames = [`
			`"ca.home.2rjus.net"`
			`"10.69.13.12"`
			`];`
			`federatedRoots = null;`
			`insecureAddress = "";`
			`key = "/var/lib/step-ca/secrets/intermediate_ca_key";`
			`logger = {`
			`format = "text";`
			`};`
			`root = "/var/lib/step-ca/certs/root_ca.crt";`
			`ssh = {`
			`hostKey = "/var/lib/step-ca/secrets/ssh_host_ca_key";`
			`userKey = "/var/lib/step-ca/secrets/ssh_user_ca_key";`
			`};`
			`templates = {`
			`ssh = {`
			`host = [`
			`{`
			`comment = "#";`
			`name = "sshd_config.tpl";`
			`path = "/etc/ssh/sshd_config";`
			`requires = [`
			`"Certificate"`
			`"Key"`
			`];`
			`template = ./templates/ssh/sshd_config.tpl;`
			`type = "snippet";`
			`}`
			`{`
			`comment = "#";`
			`name = "ca.tpl";`
			`path = "/etc/ssh/ca.pub";`
			`template = ./templates/ssh/ca.tpl;`
			`type = "snippet";`
			`}`
			`];`
			`user = [`
			`{`
			`comment = "#";`
			`name = "config.tpl";`
			`path = "~/.ssh/config";`
			`template = ./templates/ssh/config.tpl;`
			`type = "snippet";`
			`}`
			`{`
			`comment = "#";`
			`name = "step_includes.tpl";`
			`path = "\${STEPPATH}/ssh/includes";`
			`template = ./templates/ssh/step_includes.tpl;`
			`type = "prepend-line";`
			`}`
			`{`
			`comment = "#";`
			`name = "step_config.tpl";`
			`path = "ssh/config";`
			`template = ./templates/ssh/step_config.tpl;`
			`type = "file";`
			`}`
			`{`
			`comment = "#";`
			`name = "known_hosts.tpl";`
			`path = "ssh/known_hosts";`
			`template = ./templates/ssh/known_hosts.tpl;`
			`type = "file";`
			`}`
			`];`
			`};`
			`};`
			`tls = {`
			`cipherSuites = [`
			`"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"`
			`"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"`
			`];`
			`maxVersion = 1.3;`
			`minVersion = 1.2;`
			`renegotiation = false;`
			`};`
			`};`
			`};`
Add secrets to ca 2024-10-21 10:02:10 +00:00			`}`