diff --git a/.sops.yaml b/.sops.yaml index 393840f..f004654 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -28,7 +28,12 @@ creation_rules: - age: - *admin_torjus - *server_ns3 - - path_regex: secrets/ca/[^/]+\.(yaml|json|env|ini) + - path_regex: secrets/ca/[^/]+\.(yaml|json|env|ini|) + key_groups: + - age: + - *admin_torjus + - *server_ca + - path_regex: secrets/ca/keys/.+ key_groups: - age: - *admin_torjus diff --git a/hosts/ca/default.nix b/hosts/ca/default.nix index 0167962..382bd43 100644 --- a/hosts/ca/default.nix +++ b/hosts/ca/default.nix @@ -2,5 +2,6 @@ { imports = [ ./configuration.nix + ../../services/ca ]; } diff --git a/secrets/ca/keys/intermediate_ca_key b/secrets/ca/keys/intermediate_ca_key new file mode 100644 index 0000000..aea53e6 --- /dev/null +++ b/secrets/ca/keys/intermediate_ca_key @@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:S/dDpfZyvnGJ3mbDWS5rQZN1EwIQCQuj2WxKnMFirP/tYTsZTROte3KBE/k+7gwzDr6vayawbJr87zWv2ZV7iXiFZ6UK2wPD5Kj1HTY6D+0QtYrJ4Er0MrrFoxEAj+HRVhdXWwTchoC8Hio+8QOKFWW7mgyxh67UDRQJjAYaPoQ2ol19Zg/k5PSZZN9Qn+Bn9Hd5Hq0b2UBPXIWRbQ7u0JeyQXHY6dAzDoruhhrBcZIbX/PRghdAvIPQUo5LbCn5VrmnunktJnTgt9Dtv67ihTa1iBPdUjpkEV/FhDlDPrWAztBurv3IoZZ4hjAYbc/WeFlOkai83th7ggIJ3Njjrvh2JKdg6GDAerOUVtxmt2SECYZcih0ouNecRl/4UYlCi1QsBFJecJDcHh1zWDNiBGIBywkhfY7NUPBoWlfhBRL58JGsnPFthRT7lqF1MIuM2/q1dgCRaVJUsJ0c0WLbpFNUaLIE/TuaI33yVNlmV0yokCa/Q2fKHmkWCN9GkxkIDVxaB2KGusM8op5fDPaTr4kbnGklu+dqha1dZDfVw+GuFzUf5et/oOHZtpCUUwUk6O6IiwDyd6VRjxSYpyrBaNXrStsaUy0uIybCf/whUFiZ/cDuI72i8RGa4Ix/2zDcmdK77bMU3/dTFMh70gWXtHshrCsb043gmZzmkWlXYhPmFnPDX9AATRoEb5/ajfnUskajHN718MW/e5eYwRxBYDwjPCx8aQYr0f5UkNoBbgujsf3n/RsGYMxB7OZlFImnB+SN9hyqN1WsAykL693EqlXtK8+xrcWBnAVuiN3yxGFL1Gz4XlcBJiLjKWVkshuoqr/XdFuDXDs9eEHSpKg4lEOU4vP7hLMl/DhM1ncd/wENnrE0jxgNkX6HqbOQEaiJU6cBs+2M48UzEWDc/+AQpGBpOrd2gzo3o2behW4BQWzhyOZym2DxP+y97mQ8FUxfHW6BFeKTmohQb0wukPw5/ReJNysU+SLmMd8vuGGBHZeY6AMz9zMXE/v1p0+Y1lvCdelAGI1EA72wl7DmtlCCRMnXYdxMfAsH55tuD9+W4dDut67se5Oig3lDYrL/+ubtK8F4iFz7EcJdmIsykeLfK+PbNjPPd24ul0aJPKWgXKNtAtD0QJOuv/b3C/ie3D1hgjajv+X19midWyJGVDvYL/et3ZyypTYH7Q1yqyX6+cH//jZAtmCm5gUNpsFgTZJVzZ94P4iRl6WCgt9D7u8omNA7ov1qbawMxmLlSGq4QcPQXS3giXQItX1CGzJUDoh1v2g+8CWVOfejWerF/qawkNHPaO1Tq5OpDIqha3AGNRGXgqiJfCqD6wo84QKnOjS8Dt1VYaf0gZZmr0XhLfF7bkMxC/M/SmCdJV9Z1XDMMA9aVKVC5GPVJIyx56TZKD4VoliMrVS3u71lMit9XG4v/bqN07hmGJq+An2oBGGqDPJgzysqHvZ1ugmmNwSTAi3Sp5MiOGAx9veagzTnx1W5djb0G+KaSO6UFpgL1NAGHDTztCEPbFcgjHAG0SB+vWfV2go8IM4MLlRsDj1yZMIlvV1b6qAJPfbI070HjIDOfK+J5O7RedsMQlEAHFVSbJ4cX9/OmHs+4pfmu8ToaRkGWQzclyjajqX9p8AT4fHq7upaL3F8Vxry7rCDDlcyIFBL2bv/LAA7N3SgUjljUjf+miIgTy/VyK10HqW2eNlsxWmYXWptpymkqE4kIpCI+g0kPbslbqLFIFeY/7uRBqaoO+brFfXO2CYdfTbbCi16obG0Lov9ucntrfp8opbmZOgefOy9iB+z7Pw48n0PkfDkpXBxdwtFpEz5se/d8EYnZOSUfGqO47KRXeA9SGluCg7e9Z1wiXLjo5JHYqlliscmlVedeRpNevpnWx/z5sV1z7/4WtV7PEjuw5bhE6m/O6LaHtYX7kY8XjvRrr1pfcpTd/knFLK2ClFdGZvnYFdQCKEEqTINO+1x3C8CDF0c0YIPXUiWNubZMNSOJ+uZu7bnhacJMOAowylUwA2nQZn5dkVjw1Zf25pPzvzBA5m+6bTd32+kAd2KeGQqbmXfQN+Iez7tC/DZJ0Yi1lvoUntG7dqA+soIx8I1GjPlCiEtxUao7RR0dwOobmq9gGvu70qmSgnSV9Z+SA5ZnCuBIWjLA0WMuOxwUpv6gKzvNqyPYhAmks7Z4lUAreAvMcuvBmAd4/RhXZkJ6fQWc/eHTkdXLAzfppvl2cNhkfOcOsZaBD70mcISeYK6j2Ug88Bs4eybFUNXs50NpwOab5FsZJfzQEVh5tVzuE2tSGIZphy0DSARWJEzX8DIfFaSqd8gSeoy+Q6MgtzZSKg9VauuEZ92bezMoEYeMSGn7lZbiGgtM3S0oGel9lzCP6L00u+CpEDKm+toGtDGDKKCdMVETyRIA9/gktvszwVDmPmO01tiemyCS67hzN3MmcwzcT2POxxmhFqprA0GPyCK4yzo+xNJxD1riShRbeaVIb80gjyzoaEC02OXTuTbp+LpBeZ+JuLQapF+V9VwTz2qedsyA1ZU9L/qybfNjPmodzSZnARS9UJw6EecdMVjumAKnONqv5IJ7TFdIyNd5oT1X1mD3AP2ujQpYiTdnbpTukQZr6BMnmLPEH3ySg40y/pl04VmdqSKGMUI69qdlkDsD+K/jUYyQ3BqyVev9ZJEsbZSHh0oBpYEcYWlo+ugxhlig1Ou+J5a/J7R1/6yQlnKtjI1WNxI4uSUib/78GXPCA==,iv:VHGFl9flRW4qYxEzqVmRKLDVTeZNEeW6E2OnqB3rB3g=,tag:8PnIUH9vOlbJINDPU+pulw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMUhCOUVVTVpTUk1Pdkly\nK0pINEdVaEo1NFF1YnFPT1l5RE5JcTZieTNjClNxL2laTUdMU1M3bjc5OFE3ZVh4\nN1cwUmlpbXhiM2tlak5ZN1ZxV1FjMjQKLS0tIDA4UmlrSStGKzVsVFlZL2g0cnQr\nWWh4Z1lRRWtJR0Rudmhobjh0bWxuaHcKbGpnkqhKtjCjhtjKi5wl+0tFCEt//FkP\nfLBTUimlLTTINh/29fhd/5P+lgwKXCYTG7GZVY5zLVlhy9eR9fkS8w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYityQThnWGF3REpUSjhR\nbGMzaTkxaTVwVFJoZlFyUitYMTZFVnc1ZUQ0Cmh3bzdhcitWMXF3Z2t6SjF2Rzlk\nK0xvMGsxa0RBdzV0TzBUM0FMMlozeW8KLS0tIDdOb0JYNEVuT3hEakpIYmRpQlBO\nbFM5b0RDbEhDYTlFNG4wMnZqM2hIcWMKrpZjbcjJ5PE52/5CoYBsDUngYEOVvrAB\nQ1BI/fgs4U6YHApUbLGJT2GGy+JXvBKc8bqc8YxLFhONqT3RKzCHJg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-10-21T09:28:49Z", + "mac": "ENC[AES256_GCM,data:0YA9KHUFsh3zERG8kbr8TbklTib9aOdrzdlk5aPZ8UyFkbmP0HKk+lXPQ3RwRVbhMmK3VhGU0IxA0J/QUw7SQu22zSBkl1DF5PzqoKkNgt9T5hZJI2HqWRE3/38/5AU6L5mX7ul28Y47L3lcgr4PNLxlg5qyvxUKoM9riw474I0=,iv:G40/HLd1ftXclEcX8FMQjoce91o83dA2KWeO6VaIqLQ=,tag:7KU2Rz89AiggOuumKNfSjg==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.1" + } +} \ No newline at end of file diff --git a/secrets/ca/keys/root_ca_key b/secrets/ca/keys/root_ca_key new file mode 100644 index 0000000..81a3fa6 --- /dev/null +++ b/secrets/ca/keys/root_ca_key @@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:OTpEO78zXv66cH1oKwqmFzNPnnkTH3I66J3emqzYEFtii7EJ3d9POquapJhSRWGZs3kvQevFbMTsdtIvWrrwGNcbmBlSLeNOKrOWjXix1uemsBsA4tt79L7dms9tFMXm7nBqy71wo0MsYjzXEYBTy7n91IIKwkg4o+n9MCQivDXVN3rAy8o25HjuS8fSJRRTuQ92Nnc7WjIbPQbyqHPBlp7hxO9xC6/JdOWZ3Zo/X6AyZuzcoF6Nd5A08hImPtbNZ1/MiBurdLSqGkYx9m5KsGmFKinRqWwYWnsQidXl+2xQcqCZNvdCNMe1OwybAxAEiQDksCTpYOQISIzCsXoT3Wfr4ZpZAlLCzw+ga7nnvF2CPiUeRWXyB655vg0vXgqUHYIaN3l1A1P8OWHRDz/tPd7pWbwAj4BZvDY=,iv:oI+1jK2+4vCW67PbM9VxoViBqUOh9BYP8xZHCaAJloQ=,tag:QX/nFv4NB4ERCP5zB8Mqdw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZVHE5aUNjS3F5VFYzMW1j\nbGJkK0VPRmJ2Nk1HSnNXUk1rK0tzaHMzcFZBCjRzTkVZT3hsakRsTHJPSXpGNHdw\nODNTWGhNZWhhdHplYUpBVFp4eE0zLzAKLS0tIGJ4RDkyZ1hTYTBnUHlxRWR6bEpZ\najBvNjdsK3NieEhoVkZkL3ZJWWRxK2MKKKmoz+U/TIAeE1nJop0FtxoOfAR2iP/Y\n5cdTsbXUgDSVginxJbnDaEM9v+OYJXO6ugQNBnkAaHbWn4ADnA8UCA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEdW1ZQkxUaFdtekR5eGh5\nYWdTbWVtemtteFIwNlZVVSthZElnZUp4QjN3ClFsOW9rZVhZckZ5MWdiTjNQbFN4\nNHZaSVEvR085b093dlM3SHl6c01yVWcKLS0tIE10L3lZZDVkQ2I5TEduYkU3V21a\nZ0k5cTcvYmdJMU5QUDV3QWtuYkRUWHcKNgfl9S2V7kuobwgc0mMR+O/quq06y+5q\ncipmOM7DIkyFDq5Cl0e//MZywoOfBTsYlCncA6Hb4hW+Y2Tn+/C4tA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-10-21T09:28:49Z", + "mac": "ENC[AES256_GCM,data:UAJ61bLXP9j7/uyppVMvvRLhO12XQXhCLEtfqdeOi7STUqTaCu1NsbNxf+ErA5eVn2DjGMJuyNvxamD1rxzc+VjELOit1pY9Wg4f15nRyryTt9r+iUrYttcwvUXq2knw8bDtJOqz/nYvg4R1qyXwjdSHLrKn6LmKsO0KwTB1nAQ=,iv:jHSYSYfuow0cM8ECzbQ2jM4J3Q5MQTBQ80u/eglfU9g=,tag:tQxMsKppD8xOcGKcBFXm2Q==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.1" + } +} \ No newline at end of file diff --git a/secrets/ca/keys/ssh_host_ca_key b/secrets/ca/keys/ssh_host_ca_key new file mode 100644 index 0000000..abab10e --- /dev/null +++ b/secrets/ca/keys/ssh_host_ca_key @@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:1ntjhGcHOtOcYBsEskgm/pBmQh2xVu0owTmPgfIzKimrSGS3XG0YUGztakb1jW3IgjRs1hssQpJKxkabSuPVNg4q1Nw7tX3aEfH2K6f2xnV3a7bp8yS30O9+7gDMB6wcTodMfou3Ypm3l2v6YXtVbh/4Gq/7FNUlHxa2wPux4pqoDyMjV1zjJT1exFl1JkUPzzT+02gGSEFacC47I7t85XfPxmn1hdpvpUlGA9CMHrQqTXf4moxePMyLK1oAgXtGLGXpQXl/RWiqNQMEmmBXfynjby6ojq/+psgGgbt89BI5Gi7tb131WXeg/xQSZeGkfbjWyl6/fy60GGPJ004VY0RKN8pB6/duggwWZPa/oEN1V8/DVNcTaq2YKrD4GBoPqeDegnRgMubeyb+talqegEr9AHAhdLtEKio=,iv:eb1VwHeESCREOv4lftxMIDjSFxCiagm0HRzzCURDgMw=,tag:6YhDt3kR+rs+fE14W5Sk5A==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYzB4UGJwZmFmdXEzT0Vy\nV2ZkMzk5UXd4S1RKeUJmNTNGbHhvUnkzY3cwCkNMQS83dTFQaWJ5YzIwYXZNM0FB\ncTBLWVlWMXJNSlRjRUhDSEV1NFRLQ3MKLS0tIGlkRlZYZ0R6dXJORVBpMkpWWE1l\nWlprQ3kwcXkzMUdVWXpidmgxby9wRVEK3ItRAZMfAtOzjN5r7GHU8KT1upW+xvIA\nqXxIXZBdkkxKOJWQXn5i/xC8YoNek4fdqGeWUGOF9FguU5Zj2tO+ZA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZ2JPWmIxSXg4YnNwMnNw\nMUJSTWlHWDFoNU9ZcmdPb0VBUHQ3SU5qcENnCmhRWkhKWUwxeEh2VDZxUFdrMExa\nWTdLVVV5NHJMTE51ZEhPRHdaSTRTRkEKLS0tIHJ1Z0NibWQ5SitUekhKOXVGd3FH\nQ3dKNE16bnJNczhtRHBCcUxNajZRUWcKhnvYPFTkw73QPs7qDA7C3cX8RPF68sTk\n2MQORHyqN1jyBUVtvezeejL89Mdw1wghh0Q+VXW9b1ozXkFsH7IcXg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-10-21T09:28:49Z", + "mac": "ENC[AES256_GCM,data:xB5qV2aFpvTJxCbOgTaaErBez+pkSz1KEWw0c+NoglcjPkGNx+0MuoSjeuPJ0KiHcS/gol2vo+mmVEEcDSVa/S/ksI/sIqcWoQeZ+XNBcffF+5UPfsyRFBNRJwWsg88ERVwgYjKauCV5MZBvJYf/uL3uUa8chHZNFF+f3QVq464=,iv:R0Gh5SITWXGphccBfI+DbNdnBeC98qDforE1Ffb805M=,tag:L2jqUwSlv1ngPiMQith9Mw==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.1" + } +} \ No newline at end of file diff --git a/secrets/ca/keys/ssh_user_ca_key b/secrets/ca/keys/ssh_user_ca_key new file mode 100644 index 0000000..964919a --- /dev/null +++ b/secrets/ca/keys/ssh_user_ca_key @@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:v+ugz+pjgkY2IqW+wNM09Z7OYJoxaPxPwf/THyt+Q3N1SswU6Q3AhzqGoIeMAa+8tIRMdQ++HBsnDtCPZYHV0vNQ7GWE1w1jQ7FHa7hXaWLnqfuKbr5x5bnPzDZYxCt41a8A0fxbrN1ysBE1cMgbHe1tnBWKl1D4tay5RtMoua+vYxS1gwzZSIHY3Tq7GJkyBuJqOZA2oyDgZ9ETTwXwNaDZx35uxi9XbEBHdwIscWGFW50s1NXKavgdmeEEWyOlnIlBm4yhjnLIBW3HjSPWBsCp36+m1VUq/TwK+AH0q3sqovVFXwjduRI59RnJoZ6gMJHYFpXHUfnKZbkC8GVzczUGyLSPD9xhxrSYxGjT1T0pbQsXCls6TugVNOVsRMIN5P05uEo5URBlMkIZisnzqdgBw3gR/roboi4=,iv:NV9jvDY5teQaACPn84G/izLd4CXkZNPGGNRQG3xvw2Q=,tag:qCV+lsrYAgDbi2nMx3HmGg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNExxOGViUUMwaGpjYld0\ncUdTVnA0QmlPT2kxNjRjbmw0SFhyS284ajJrCnFGK2ZqR2JpTEYwdHdPZ245SkV1\nSjVzMFMvbWNma0RnbTd3ZEpTd0F2THcKLS0tICtITFJGNmhjbStMc29XaDV0dElm\nRTN2QkJhamw4RHo5bXgzSHd5TDNLUFkKJtO9aMmFE43hxRsSa0lnqGo8FVzKxysJ\nOgJMTIftSU7bEvsEok+HlBgX1kyj8v9rgzXLwTrGk42+kVw4Fm2Xkw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLenZoS0phekRTSW5aN3Jw\nZFJsNHJRSnR3dXBiMG5aQ2lyS0Y0Sm1nTEJVCjJ5cUJMSDk4NzBCdnNLd05rSnRi\nSEdnaGl1S1hKbFFwZjluUEkzUmR3MTAKLS0tIG9PMng3MFlUOE1wUXJ2S1cxRllx\nTi9nUm5nVWRXdk9hdWFCc1o2bHNObVEKrz7ROqTXaINk5LNpG4ibLqjCoPH0fzO3\nUgZp5PUC1+VPxYymqstK3kV5WorM2GVVfWcjLv2eofKdgpO90iKp/g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-10-21T09:28:49Z", + "mac": "ENC[AES256_GCM,data:huZ3fDBV8bOtHW2eNxgTc9e5RmAIsvRhMFGwlVGbpDvftJKNy57CqMal/W0E0pqmvltaGMHGh/f8yzakpYphhbs1/Kro4u34QMu/jV6QvKEyDHtyAGYy6DzjCDRu216DV8uHpDaKoz+7zhjwlPSd60RlXUpfhis+DC8lmdktI2A=,iv:hCUwgkm6fCdWrAqszwzRBh5W7Z/0LXvl1dGiteJkkL0=,tag:0uDeZoG5TCc80Kzgl5U2TA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.1" + } +} \ No newline at end of file diff --git a/services/ca/ca.json b/services/ca/ca.json new file mode 100644 index 0000000..677970c --- /dev/null +++ b/services/ca/ca.json @@ -0,0 +1,118 @@ +{ + "root": "/var/lib/step-ca/certs/root_ca.crt", + "federatedRoots": null, + "crt": "/var/lib/step-ca/certs/intermediate_ca.crt", + "key": "/var/lib/step-ca/secrets/intermediate_ca_key", + "address": ":443", + "insecureAddress": "", + "dnsNames": [ + "10.69.13.12" + ], + "ssh": { + "hostKey": "/var/lib/step-ca/secrets/ssh_host_ca_key", + "userKey": "/var/lib/step-ca/secrets/ssh_user_ca_key" + }, + "logger": { + "format": "text" + }, + "db": { + "type": "badgerv2", + "dataSource": "/var/lib/step-ca/db", + "badgerFileLoadingMode": "" + }, + "authority": { + "provisioners": [ + { + "type": "JWK", + "name": "ca@home.2rjus.net", + "key": { + "use": "sig", + "kty": "EC", + "kid": "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE", + "crv": "P-256", + "alg": "ES256", + "x": "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo", + "y": "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0" + }, + "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g", + "claims": { + "enableSSHCA": true + } + }, + { + "type": "ACME", + "name": "acme" + }, + { + "type": "SSHPOP", + "name": "sshpop", + "claims": { + "enableSSHCA": true + } + } + ] + }, + "tls": { + "cipherSuites": [ + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" + ], + "minVersion": 1.2, + "maxVersion": 1.3, + "renegotiation": false + }, + "templates": { + "ssh": { + "user": [ + { + "name": "config.tpl", + "type": "snippet", + "template": "templates/ssh/config.tpl", + "path": "~/.ssh/config", + "comment": "#" + }, + { + "name": "step_includes.tpl", + "type": "prepend-line", + "template": "templates/ssh/step_includes.tpl", + "path": "${STEPPATH}/ssh/includes", + "comment": "#" + }, + { + "name": "step_config.tpl", + "type": "file", + "template": "templates/ssh/step_config.tpl", + "path": "ssh/config", + "comment": "#" + }, + { + "name": "known_hosts.tpl", + "type": "file", + "template": "templates/ssh/known_hosts.tpl", + "path": "ssh/known_hosts", + "comment": "#" + } + ], + "host": [ + { + "name": "sshd_config.tpl", + "type": "snippet", + "template": "templates/ssh/sshd_config.tpl", + "path": "/etc/ssh/sshd_config", + "comment": "#", + "requires": [ + "Certificate", + "Key" + ] + }, + { + "name": "ca.tpl", + "type": "snippet", + "template": "templates/ssh/ca.tpl", + "path": "/etc/ssh/ca.pub", + "comment": "#" + } + ] + } + } +} diff --git a/services/ca/default.nix b/services/ca/default.nix new file mode 100644 index 0000000..f670bfe --- /dev/null +++ b/services/ca/default.nix @@ -0,0 +1,33 @@ +{ pkgs, unstable, ... }: +{ + sops.secrets."ca_root_pw" = { + sopsFile = ../../secrets/ca/secrets.yaml; + path = "/var/lib/step-ca/secrets/ca_root_pw"; + }; + sops.secrets."intermediate_ca_key" = { + sopsFile = ../../secrets/ca/keys/intermediate_ca_key; + format = "binary"; + path = "/var/lib/step-ca/secrets/intermediate_ca_key"; + }; + sops.secrets."root_ca_key" = { + sopsFile = ../../secrets/ca/keys/root_ca_key; + format = "binary"; + path = "/var/lib/step-ca/secrets/root_ca_key"; + }; + sops.secrets."ssh_host_ca_key" = { + sopsFile = ../../secrets/ca/keys/ssh_host_ca_key; + format = "binary"; + path = "/var/lib/step-ca/secrets/ssh_host_ca_key"; + }; + sops.secrets."ssh_user_ca_key" = { + sopsFile = ../../secrets/ca/keys/ssh_user_ca_key; + format = "binary"; + path = "/var/lib/step-ca/secrets/ssh_user_ca_key"; + }; + + #services.step-ca = { + # enable = true; + # package = unstable.step-ca; + # settings = builtins.fromJSON ./ca.json; + #}; +}