Update ca host config
@@ -2,32 +2,157 @@
|
||||
{
|
||||
sops.secrets."ca_root_pw" = {
|
||||
sopsFile = ../../secrets/ca/secrets.yaml;
|
||||
owner = "step-ca";
|
||||
path = "/var/lib/step-ca/secrets/ca_root_pw";
|
||||
};
|
||||
sops.secrets."intermediate_ca_key" = {
|
||||
sopsFile = ../../secrets/ca/keys/intermediate_ca_key;
|
||||
format = "binary";
|
||||
owner = "step-ca";
|
||||
path = "/var/lib/step-ca/secrets/intermediate_ca_key";
|
||||
};
|
||||
sops.secrets."root_ca_key" = {
|
||||
sopsFile = ../../secrets/ca/keys/root_ca_key;
|
||||
format = "binary";
|
||||
owner = "step-ca";
|
||||
path = "/var/lib/step-ca/secrets/root_ca_key";
|
||||
};
|
||||
sops.secrets."ssh_host_ca_key" = {
|
||||
sopsFile = ../../secrets/ca/keys/ssh_host_ca_key;
|
||||
format = "binary";
|
||||
owner = "step-ca";
|
||||
path = "/var/lib/step-ca/secrets/ssh_host_ca_key";
|
||||
};
|
||||
sops.secrets."ssh_user_ca_key" = {
|
||||
sopsFile = ../../secrets/ca/keys/ssh_user_ca_key;
|
||||
format = "binary";
|
||||
owner = "step-ca";
|
||||
path = "/var/lib/step-ca/secrets/ssh_user_ca_key";
|
||||
};
|
||||
|
||||
#services.step-ca = {
|
||||
# enable = true;
|
||||
# package = unstable.step-ca;
|
||||
# settings = builtins.fromJSON ./ca.json;
|
||||
#};
|
||||
services.step-ca = {
|
||||
enable = true;
|
||||
package = pkgs.step-ca;
|
||||
intermediatePasswordFile = "/var/lib/step-ca/secrets/ca_root_pw";
|
||||
address = "0.0.0.0";
|
||||
port = 443;
|
||||
settings = {
|
||||
authority = {
|
||||
provisioners = [
|
||||
{
|
||||
claims = {
|
||||
enableSSHCA = true;
|
||||
};
|
||||
encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g";
|
||||
key = {
|
||||
alg = "ES256";
|
||||
crv = "P-256";
|
||||
kid = "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE";
|
||||
kty = "EC";
|
||||
use = "sig";
|
||||
x = "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo";
|
||||
y = "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0";
|
||||
};
|
||||
name = "ca@home.2rjus.net";
|
||||
type = "JWK";
|
||||
}
|
||||
{
|
||||
name = "acme";
|
||||
type = "ACME";
|
||||
}
|
||||
{
|
||||
claims = {
|
||||
enableSSHCA = true;
|
||||
};
|
||||
name = "sshpop";
|
||||
type = "SSHPOP";
|
||||
}
|
||||
];
|
||||
};
|
||||
crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
|
||||
db = {
|
||||
badgerFileLoadingMode = "";
|
||||
dataSource = "/var/lib/step-ca/db";
|
||||
type = "badgerv2";
|
||||
};
|
||||
dnsNames = [
|
||||
"ca.home.2rjus.net"
|
||||
"10.69.13.12"
|
||||
];
|
||||
federatedRoots = null;
|
||||
insecureAddress = "";
|
||||
key = "/var/lib/step-ca/secrets/intermediate_ca_key";
|
||||
logger = {
|
||||
format = "text";
|
||||
};
|
||||
root = "/var/lib/step-ca/certs/root_ca.crt";
|
||||
ssh = {
|
||||
hostKey = "/var/lib/step-ca/secrets/ssh_host_ca_key";
|
||||
userKey = "/var/lib/step-ca/secrets/ssh_user_ca_key";
|
||||
};
|
||||
templates = {
|
||||
ssh = {
|
||||
host = [
|
||||
{
|
||||
comment = "#";
|
||||
name = "sshd_config.tpl";
|
||||
path = "/etc/ssh/sshd_config";
|
||||
requires = [
|
||||
"Certificate"
|
||||
"Key"
|
||||
];
|
||||
template = ./templates/ssh/sshd_config.tpl;
|
||||
type = "snippet";
|
||||
}
|
||||
{
|
||||
comment = "#";
|
||||
name = "ca.tpl";
|
||||
path = "/etc/ssh/ca.pub";
|
||||
template = ./templates/ssh/ca.tpl;
|
||||
type = "snippet";
|
||||
}
|
||||
];
|
||||
user = [
|
||||
{
|
||||
comment = "#";
|
||||
name = "config.tpl";
|
||||
path = "~/.ssh/config";
|
||||
template = ./templates/ssh/config.tpl;
|
||||
type = "snippet";
|
||||
}
|
||||
{
|
||||
comment = "#";
|
||||
name = "step_includes.tpl";
|
||||
path = "\${STEPPATH}/ssh/includes";
|
||||
template = ./templates/ssh/step_includes.tpl;
|
||||
type = "prepend-line";
|
||||
}
|
||||
{
|
||||
comment = "#";
|
||||
name = "step_config.tpl";
|
||||
path = "ssh/config";
|
||||
template = ./templates/ssh/step_config.tpl;
|
||||
type = "file";
|
||||
}
|
||||
{
|
||||
comment = "#";
|
||||
name = "known_hosts.tpl";
|
||||
path = "ssh/known_hosts";
|
||||
template = ./templates/ssh/known_hosts.tpl;
|
||||
type = "file";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
tls = {
|
||||
cipherSuites = [
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
|
||||
];
|
||||
maxVersion = 1.3;
|
||||
minVersion = 1.2;
|
||||
renegotiation = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
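Review bot: The root CA private key is deployed to this online host via `sops.secrets."root_ca_key"` (path `/var/lib/step-ca/secrets/root_ca_key`), yet nothing in `services.step-ca.settings` references it — the authority is configured with `key = "/var/lib/step-ca/secrets/intermediate_ca_key"` and only the root *certificate* `root = "/var/lib/step-ca/certs/root_ca.crt"`; unless something outside this hunk needs it, drop that secret block so the root key stays offline and the online CA holds only the intermediate. The JWK provisioner's `encryptedKey` is inlined into `settings`, which the NixOS module serialises into the world-readable Nix store, so that JWE's PBES2 password is the only thing protecting the provisioner key — it should be a long random value that is not shared with `ca_root_pw`. On that note, `intermediatePasswordFile = "/var/lib/step-ca/secrets/ca_root_pw"` names a *root* password while decrypting the *intermediate* key; if the two keys really share one password, splitting them (e.g. a separate `ca_intermediate_pw` secret) limits what a compromise of this host exposes. The commented-out `#services.step-ca = { … builtins.fromJSON ./ca.json … }` block duplicates the live definition and can go. The enclosing attrset begins before line 2 (the module's argument header is outside this hunk).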