hosts: decommission ca host and remove labmon
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Remove the step-ca host and labmon flake input now that ACME has been migrated to OpenBao PKI. Removed: - hosts/ca/ - step-ca host configuration - services/ca/ - step-ca service module - labmon flake input and module (no longer used) Updated: - flake.nix - removed ca host and labmon references - flake.lock - removed labmon input - rebuild-all.sh - removed ca from host list - CLAUDE.md - updated documentation Note: secrets/ca/ should be manually removed by the user. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -1,169 +0,0 @@
|
||||
{ pkgs, unstable, ... }:
|
||||
{
|
||||
homelab.monitoring.scrapeTargets = [{
|
||||
job_name = "step-ca";
|
||||
port = 9000;
|
||||
}];
|
||||
sops.secrets."ca_root_pw" = {
|
||||
sopsFile = ../../secrets/ca/secrets.yaml;
|
||||
owner = "step-ca";
|
||||
path = "/var/lib/step-ca/secrets/ca_root_pw";
|
||||
};
|
||||
sops.secrets."intermediate_ca_key" = {
|
||||
sopsFile = ../../secrets/ca/keys/intermediate_ca_key;
|
||||
format = "binary";
|
||||
owner = "step-ca";
|
||||
path = "/var/lib/step-ca/secrets/intermediate_ca_key";
|
||||
};
|
||||
sops.secrets."root_ca_key" = {
|
||||
sopsFile = ../../secrets/ca/keys/root_ca_key;
|
||||
format = "binary";
|
||||
owner = "step-ca";
|
||||
path = "/var/lib/step-ca/secrets/root_ca_key";
|
||||
};
|
||||
sops.secrets."ssh_host_ca_key" = {
|
||||
sopsFile = ../../secrets/ca/keys/ssh_host_ca_key;
|
||||
format = "binary";
|
||||
owner = "step-ca";
|
||||
path = "/var/lib/step-ca/secrets/ssh_host_ca_key";
|
||||
};
|
||||
sops.secrets."ssh_user_ca_key" = {
|
||||
sopsFile = ../../secrets/ca/keys/ssh_user_ca_key;
|
||||
format = "binary";
|
||||
owner = "step-ca";
|
||||
path = "/var/lib/step-ca/secrets/ssh_user_ca_key";
|
||||
};
|
||||
|
||||
services.step-ca = {
|
||||
enable = true;
|
||||
package = pkgs.step-ca;
|
||||
intermediatePasswordFile = "/var/lib/step-ca/secrets/ca_root_pw";
|
||||
address = "0.0.0.0";
|
||||
port = 443;
|
||||
settings = {
|
||||
metricsAddress = ":9000";
|
||||
authority = {
|
||||
provisioners = [
|
||||
{
|
||||
claims = {
|
||||
enableSSHCA = true;
|
||||
maxTLSCertDuration = "3600h";
|
||||
defaultTLSCertDuration = "48h";
|
||||
};
|
||||
encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g";
|
||||
key = {
|
||||
alg = "ES256";
|
||||
crv = "P-256";
|
||||
kid = "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE";
|
||||
kty = "EC";
|
||||
use = "sig";
|
||||
x = "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo";
|
||||
y = "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0";
|
||||
};
|
||||
name = "ca@home.2rjus.net";
|
||||
type = "JWK";
|
||||
}
|
||||
{
|
||||
name = "acme";
|
||||
type = "ACME";
|
||||
claims = {
|
||||
maxTLSCertDuration = "3600h";
|
||||
defaultTLSCertDuration = "1800h";
|
||||
};
|
||||
}
|
||||
{
|
||||
claims = {
|
||||
enableSSHCA = true;
|
||||
};
|
||||
name = "sshpop";
|
||||
type = "SSHPOP";
|
||||
}
|
||||
];
|
||||
};
|
||||
crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
|
||||
db = {
|
||||
badgerFileLoadingMode = "";
|
||||
dataSource = "/var/lib/step-ca/db";
|
||||
type = "badgerv2";
|
||||
};
|
||||
dnsNames = [
|
||||
"ca.home.2rjus.net"
|
||||
"10.69.13.12"
|
||||
];
|
||||
federatedRoots = null;
|
||||
insecureAddress = "";
|
||||
key = "/var/lib/step-ca/secrets/intermediate_ca_key";
|
||||
logger = {
|
||||
format = "text";
|
||||
};
|
||||
root = "/var/lib/step-ca/certs/root_ca.crt";
|
||||
ssh = {
|
||||
hostKey = "/var/lib/step-ca/secrets/ssh_host_ca_key";
|
||||
userKey = "/var/lib/step-ca/secrets/ssh_user_ca_key";
|
||||
};
|
||||
templates = {
|
||||
ssh = {
|
||||
host = [
|
||||
{
|
||||
comment = "#";
|
||||
name = "sshd_config.tpl";
|
||||
path = "/etc/ssh/sshd_config";
|
||||
requires = [
|
||||
"Certificate"
|
||||
"Key"
|
||||
];
|
||||
template = ./templates/ssh/sshd_config.tpl;
|
||||
type = "snippet";
|
||||
}
|
||||
{
|
||||
comment = "#";
|
||||
name = "ca.tpl";
|
||||
path = "/etc/ssh/ca.pub";
|
||||
template = ./templates/ssh/ca.tpl;
|
||||
type = "snippet";
|
||||
}
|
||||
];
|
||||
user = [
|
||||
{
|
||||
comment = "#";
|
||||
name = "config.tpl";
|
||||
path = "~/.ssh/config";
|
||||
template = ./templates/ssh/config.tpl;
|
||||
type = "snippet";
|
||||
}
|
||||
{
|
||||
comment = "#";
|
||||
name = "step_includes.tpl";
|
||||
path = "\${STEPPATH}/ssh/includes";
|
||||
template = ./templates/ssh/step_includes.tpl;
|
||||
type = "prepend-line";
|
||||
}
|
||||
{
|
||||
comment = "#";
|
||||
name = "step_config.tpl";
|
||||
path = "ssh/config";
|
||||
template = ./templates/ssh/step_config.tpl;
|
||||
type = "file";
|
||||
}
|
||||
{
|
||||
comment = "#";
|
||||
name = "known_hosts.tpl";
|
||||
path = "ssh/known_hosts";
|
||||
template = ./templates/ssh/known_hosts.tpl;
|
||||
type = "file";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
tls = {
|
||||
cipherSuites = [
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
|
||||
];
|
||||
maxVersion = 1.3;
|
||||
minVersion = 1.2;
|
||||
renegotiation = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
Binary file not shown.
@@ -1,14 +0,0 @@
|
||||
Host *
|
||||
{{- if or .User.GOOS "none" | eq "windows" }}
|
||||
{{- if .User.StepBasePath }}
|
||||
Include "{{ .User.StepBasePath | replace "\\" "/" | trimPrefix "C:" }}/ssh/includes"
|
||||
{{- else }}
|
||||
Include "{{ .User.StepPath | replace "\\" "/" | trimPrefix "C:" }}/ssh/includes"
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
{{- if .User.StepBasePath }}
|
||||
Include "{{.User.StepBasePath}}/ssh/includes"
|
||||
{{- else }}
|
||||
Include "{{.User.StepPath}}/ssh/includes"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,4 +0,0 @@
|
||||
@cert-authority * {{.Step.SSH.HostKey.Type}} {{.Step.SSH.HostKey.Marshal | toString | b64enc}}
|
||||
{{- range .Step.SSH.HostFederatedKeys}}
|
||||
@cert-authority * {{.Type}} {{.Marshal | toString | b64enc}}
|
||||
{{- end }}
|
||||
@@ -1,4 +0,0 @@
|
||||
Match all
|
||||
TrustedUserCAKeys /etc/ssh/ca.pub
|
||||
HostCertificate /etc/ssh/{{.User.Certificate}}
|
||||
HostKey /etc/ssh/{{.User.Key}}
|
||||
@@ -1,11 +0,0 @@
|
||||
Match exec "step ssh check-host{{- if .User.Context }} --context {{ .User.Context }}{{- end }} %h"
|
||||
{{- if .User.User }}
|
||||
User {{.User.User}}
|
||||
{{- end }}
|
||||
{{- if or .User.GOOS "none" | eq "windows" }}
|
||||
UserKnownHostsFile "{{.User.StepPath}}\ssh\known_hosts"
|
||||
ProxyCommand C:\Windows\System32\cmd.exe /c step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p
|
||||
{{- else }}
|
||||
UserKnownHostsFile "{{.User.StepPath}}/ssh/known_hosts"
|
||||
ProxyCommand step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p
|
||||
{{- end }}
|
||||
@@ -1 +0,0 @@
|
||||
{{- if or .User.GOOS "none" | eq "windows" }}Include "{{ .User.StepPath | replace "\\" "/" | trimPrefix "C:" }}/ssh/config"{{- else }}Include "{{.User.StepPath}}/ssh/config"{{- end }}
|
||||
Reference in New Issue
Block a user