# NixOS module for the home step-ca instance: decrypts the CA material with
# sops-nix into the step-ca state directory and configures the TLS + SSH CA.
{ pkgs, unstable, ... }:
let
  # Where sops-nix materialises the decrypted keys/passwords at runtime.
  secretsDir = "/var/lib/step-ca/secrets";
  certsDir = "/var/lib/step-ca/certs";

  # Every private key under secrets/ca/keys/ is an encrypted binary blob
  # that is written out verbatim, owned by the step-ca service user.
  mkKeySecret = name: {
    sopsFile = ../../secrets/ca/keys + "/${name}";
    format = "binary";
    owner = "step-ca";
    path = "${secretsDir}/${name}";
  };

  # SSH template entries all share the same comment marker and template dir.
  sshTemplate = name: type: path: {
    inherit name type path;
    comment = "#";
    template = ./templates/ssh + "/${name}";
  };
in
{
  sops = {
    secrets = {
      # Password that unlocks the intermediate key (consumed by
      # intermediatePasswordFile below).
      # NOTE(review): the secret is named ca_root_pw but is used as the
      # intermediate key password — confirm it is the intermediate one.
      ca_root_pw = {
        sopsFile = ../../secrets/ca/secrets.yaml;
        owner = "step-ca";
        path = "${secretsDir}/ca_root_pw";
      };
      intermediate_ca_key = mkKeySecret "intermediate_ca_key";
      # NOTE(review): step-ca's settings below only reference root_ca.crt,
      # never this key, yet it is deployed to the online CA host; presumably
      # kept for intermediate renewal — confirm whether it can stay offline.
      root_ca_key = mkKeySecret "root_ca_key";
      ssh_host_ca_key = mkKeySecret "ssh_host_ca_key";
      ssh_user_ca_key = mkKeySecret "ssh_user_ca_key";
    };
  };

  services.step-ca = {
    enable = true;
    package = pkgs.step-ca;
    intermediatePasswordFile = "${secretsDir}/ca_root_pw";
    # Serves on every interface; the SANs in dnsNames cover the hostname
    # and the static address clients will use.
    address = "0.0.0.0";
    port = 443;

    settings = {
      authority = {
        provisioners = [
          # JWK provisioner. Only the public half and kid are in the clear;
          # encryptedKey is the JWE-wrapped private key (PBES2-HS256+A128KW,
          # A256GCM per its header) and needs the provisioner password.
          {
            name = "ca@home.2rjus.net";
            type = "JWK";
            claims = {
              enableSSHCA = true;
              maxTLSCertDuration = "3600h";     # 150 days
              defaultTLSCertDuration = "48h";
            };
            encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g";
            key = {
              kty = "EC";
              crv = "P-256";
              alg = "ES256";
              use = "sig";
              kid = "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE";
              x = "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo";
              y = "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0";
            };
          }
          # ACME provisioner; its default lifetime (75 days) is far longer
          # than the JWK default above.
          {
            name = "acme";
            type = "ACME";
            claims = {
              maxTLSCertDuration = "3600h";
              defaultTLSCertDuration = "1800h";
            };
          }
          # SSH proof-of-possession provisioner (renewal with an existing cert).
          {
            name = "sshpop";
            type = "SSHPOP";
            claims = { enableSSHCA = true; };
          }
        ];
      };

      root = "${certsDir}/root_ca.crt";
      crt = "${certsDir}/intermediate_ca.crt";
      key = "${secretsDir}/intermediate_ca_key";
      federatedRoots = null;

      db = {
        type = "badgerv2";
        dataSource = "/var/lib/step-ca/db";
        badgerFileLoadingMode = "";
      };

      dnsNames = [ "ca.home.2rjus.net" "10.69.13.12" ];
      insecureAddress = "";
      logger = { format = "text"; };

      ssh = {
        hostKey = "${secretsDir}/ssh_host_ca_key";
        userKey = "${secretsDir}/ssh_user_ca_key";
      };

      templates = {
        ssh = {
          host = [
            ((sshTemplate "sshd_config.tpl" "snippet" "/etc/ssh/sshd_config")
              // { requires = [ "Certificate" "Key" ]; })
            (sshTemplate "ca.tpl" "snippet" "/etc/ssh/ca.pub")
          ];
          user = [
            (sshTemplate "config.tpl" "snippet" "~/.ssh/config")
            # Literal ${STEPPATH} is expanded by step, not by Nix.
            (sshTemplate "step_includes.tpl" "prepend-line" "\${STEPPATH}/ssh/includes")
            (sshTemplate "step_config.tpl" "file" "ssh/config")
            (sshTemplate "known_hosts.tpl" "file" "ssh/known_hosts")
          ];
        };
      };

      tls = {
        # ECDSA-only suites, so the CA's own serving certificate must use an
        # EC key — confirm against the intermediate.
        cipherSuites = [
          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        ];
        minVersion = 1.2;
        maxVersion = 1.3;
        renegotiation = false;
      };
    };
  };
}