diff --git a/data/internalCA.crt b/data/internalCA.crt
new file mode 100644
index 0000000..2f8d774
--- /dev/null
+++ b/data/internalCA.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBujCCAWGgAwIBAgIQINyB8JtDFzImcYtBEEbrbzAKBggqhkjOPQQDAjA8MRgw
+FgYDVQQKEw9jaGFvc0ludGVybmFsQ0ExIDAeBgNVBAMTF2NoYW9zSW50ZXJuYWxD
+QSBSb290IENBMB4XDTIzMTAwNzA5MjYyMloXDTMzMTAwNDA5MjYyMlowPDEYMBYG
+A1UEChMPY2hhb3NJbnRlcm5hbENBMSAwHgYDVQQDExdjaGFvc0ludGVybmFsQ0Eg
+Um9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFRmFlfmZyu0k0gt3SpK
+X+87L2L6Ty0ddQoTVh6O/PnqSc5583oWjD3I8La8CP0Ehadr+MZ6qnTlng2Z5G+0
+4PWjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1Ud
+DgQWBBQSdzj+Rld9GOvs4T2BuFlqk19d5zAKBggqhkjOPQQDAgNHADBEAiADlN6S
+1AgXe0M3Jp9KMI17amhbJFJY+RKhZG8iXjLi5AIgBR1prsckn0cH6J5l1R2UFVfP
+JXQxoNNf9ZJcgA9uOww=
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/hosts/vault/data/ca.json b/hosts/vault/data/ca.json
new file mode 100644
index 0000000..6dfe9b3
--- /dev/null
+++ b/hosts/vault/data/ca.json
@@ -0,0 +1,50 @@
+{
+ "root": "/var/lib/step-ca/certs/root_ca.crt",
+ "federatedRoots": null,
+ "crt": "/var/lib/step-ca/certs/intermediate_ca.crt",
+ "key": "/var/lib/step-ca/secrets/intermediate_ca_key",
+ "address": ":8443",
+ "insecureAddress": "",
+ "dnsNames": [
+ "internal-ca.genderfucked.monster"
+ ],
+ "logger": {
+ "format": "text"
+ },
+ "db": {
+ "type": "badgerv2",
+ "dataSource": "/var/lib/step-ca/db",
+ "badgerFileLoadingMode": ""
+ },
+ "authority": {
+ "provisioners": [
+ {
+ "type": "JWK",
+ "name": "chaos@owo.monster",
+ "key": {
+ "use": "sig",
+ "kty": "EC",
+ "kid": "iVF2Pv4bjT49y3A7Fr7VLUX7DRA_agV8MtJO1fPsXak",
+ "crv": "P-256",
+ "alg": "ES256",
+ "x": "eObudoofL4N97swbxJENw_l8CNUJDqY-z7D7FsGuQAo",
+ "y": "oVh_vs7tyU0hqVp9_rlGg4zf_DEfwt9sP8HvvX-BBpg"
+ },
+ "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiejg2MEtzcTRSdmFjTnlnTzZlODlnQSJ9.UJmlI8NY3E3Q9mxCiQKg3A8w_BrbxRajrWsdFAADTgNSmWvMv9BO2Q.5YJjMQy7CHO0yBT2.bglp3YwvZtGJm8tSRXRt87kCr4sLiNDWUDHdJi5HJOlRQGFpW95tbI_3smJ81fBZHxA8yXXKP4vce-pmheTd_MbKWKjlmATZx6-JrvyVxHgOb80Fqdlb7GTVHkTu6fOYJzZtFUHswNvKdhJ4kHzQzs09ukc3KZRRCl9t2OV_jSY0ag8EhEAfqDCHAhx9V4Rlg6E10oLHA2kCGo7Z8bE_mClRPd9sFCIg4C0WdvIlXRJk3-Hs7tqCrGXBq50vZf28VjvS2B2JrtEGzK6CU1338GJ6oT3I7BaMF1X9IS-UfU3mUrGalwr8j7MV7-ezDwlEoCnFhQbD2UOVC0nHRyE.Ta-x2FImNtgtlIlIiWdpAA"
+ },
+ {
+ "type": "ACME",
+ "name": "acme"
+ }
+ ]
+ },
+ "tls": {
+ "cipherSuites": [
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+ ],
+ "minVersion": 1.2,
+ "maxVersion": 1.3,
+ "renegotiation": false
+ }
+}
\ No newline at end of file
diff --git a/hosts/vault/profiles/internalCA.nix b/hosts/vault/profiles/internalCA.nix
new file mode 100644
index 0000000..13594d9
--- /dev/null
+++ b/hosts/vault/profiles/internalCA.nix
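Review bot: The JWK provisioner's `encryptedKey` is a password-protected private key committed next to its public `key`; its header decodes to PBES2-HS256+A128KW with `p2c` 100000 and A256GCM, so the key's confidentiality rests entirely on the strength of the provisioner password, which nothing in this file references. Neither the JWK nor the ACME provisioner carries a `claims` block, so step-ca's default certificate lifetimes apply; if a specific lifetime is intended for ACME-issued host certificates it should be stated here rather than left implicit. JSON has no comment syntax, so the companion hosts/vault/profiles/internalCA.nix is the place for a note on where the provisioner password is kept and why the encrypted key is acceptable in the repository.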
@@ -0,0 +1,20 @@
+{
+ pkgs,
+ config,
+ ...
+}: let
+ secrets = config.services.secrets.secrets;
+in {
+ environment.systemPackages = with pkgs; [
+ step-cli
+ step-ca
+ ];
+
+ services.step-ca = {
+ enable = true;
+ address = "0.0.0.0";
+ port = 8443;
+ intermediatePasswordFile = secrets.internal_ca_password.path;
+ settings = builtins.fromJSON (builtins.readFile ../data/ca.json);
+ };
+}
diff --git a/hosts/vault/profiles/restic.nix b/hosts/vault/profiles/restic.nix
index 916774e..521aafc 100644
--- a/hosts/vault/profiles/restic.nix
+++ b/hosts/vault/profiles/restic.nix
@@ -7,7 +7,10 @@ in {
 services.restic.backups.vault = {
 user = "root";
- paths = ["/var/lib/vault"];
+ paths = [
+ "/var/lib/vault"
+ "/var/lib/private/step-ca"
+ ];
 timerConfig = {
 OnBootSec = "1m";
 OnCalendar = "6h";
diff --git a/hosts/vault/profiles/vault.nix b/hosts/vault/profiles/vault.nix
index 97d6703..22ce553 100644
--- a/hosts/vault/profiles/vault.nix
+++ b/hosts/vault/profiles/vault.nix
@@ -16,4 +16,16 @@
 "/".proxyPass = "http://127.0.0.1:8200";
 };
 };
+
+ security.acme.certs."vault.genderfucked.monster" = {
+ server = "https://internal-ca.genderfucked.monster:8443/acme/acme/directory";
+ };
+
+ services.nginx.virtualHosts."vault.genderfucked.monster" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".proxyPass = "http://127.0.0.1:8200";
+ };
+ };
 }
diff --git a/hosts/vault/secrets.nix b/hosts/vault/secrets.nix
index 69b8c08..0b534e8 100644
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@@ -21,6 +21,8 @@
 "private-public-keys/data/restic/Vault"
 "api-keys/data/storage/restic/Vault"
+
+ "infra/data/internalCAPassword"
 ];
 secrets = {
@@ -68,6 +70,12 @@
 echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile"
 '';
 };
+
+ internal_ca_password = {
+ fetchScript = ''
+ simple_get "/infra/internalCAPassword" .password > "$secretFile"
+ '';
+ };
 };
 };
 }
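Review bot: `address = "0.0.0.0"` together with `port = 8443` binds the CA, including its unauthenticated ACME directory, on every interface of the host, while the `settings` loaded from ../data/ca.json also carry `"address": ":8443"`; which of the two the NixOS step-ca module ends up writing depends on how it merges `settings`, so the duplicate is worth dropping from one side or commenting. Nothing in this hunk touches `networking.firewall`, so whether other hosts can reach the port is decided elsewhere; the ACME client in hosts/vault/profiles/vault.nix runs on this same host but addresses the CA by `internal-ca.genderfucked.monster`, so that name must resolve to an address this service listens on. A header comment above `services.step-ca`, e.g. `# Internal step-ca (JWK + ACME provisioners from ../data/ca.json); the intermediate key passphrase is the internal_ca_password secret from ../secrets.nix`, would make the cross-file dependencies explicit.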
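Review bot: Adding `"/var/lib/private/step-ca"` to `paths` puts the CA's private key material into the restic repository — ca.json points `key` at `/var/lib/step-ca/secrets/intermediate_ca_key`, and the root key is presumably stored in the same tree — so the repository password and the `RESTIC_USERNAME`/`RESTIC_PASSWORD` credentials defined in secrets.nix now protect the CA as well as the vault data. That is a reasonable disaster-recovery choice, but it should be recorded where the path is added; a comment such as `# step-ca state incl. intermediate/root keys — the backup repo is now CA-sensitive` on the new entry would do. The enclosing `services.restic.backups.vault` block starts before this hunk.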
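Review bot: The new `security.acme.certs."vault.genderfucked.monster".server` is an https URL to the internal CA, so the ACME client on this host must already trust the root from data/internalCA.crt; that trust is granted by profiles/base/internalCA.nix, which is not imported in this hunk, and hosts/vault/vault.nix adds a profile named `internalCA` whose target (the step-ca service profile or the base trust profile) is not visible here — confirm the base profile is part of this host, otherwise issuance fails at the TLS handshake. The new virtualHost repeats the `locations` block of the existing virtualHost above it (whose name is outside the hunk); a shared `let proxyVault = { "/".proxyPass = "http://127.0.0.1:8200"; }; in` would keep the two from drifting. A comment on the cert entry, e.g. `# issued by the internal step-ca ACME provisioner, not the default public ACME server`, would explain the non-default `server`.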
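Review bot: `internal_ca_password` is consumed as `services.step-ca.intermediatePasswordFile` in hosts/vault/profiles/internalCA.nix, but nothing in this hunk says so; a comment above the entry such as `# passphrase of the step-ca intermediate key (intermediatePasswordFile)` would tie the two files together. The fetch path `/infra/internalCAPassword` matches the policy path `infra/data/internalCAPassword` added in the earlier hunk of this file, so the KV mapping is consistent with the existing restic entries. Whether `simple_get ... .password` emits a trailing newline and whether step-ca strips one when reading the password file is not visible here; worth confirming once, since a stray newline would make the passphrase fail at service start.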
diff --git a/hosts/vault/vault.nix b/hosts/vault/vault.nix
index 84b4b95..9666fbf 100644
--- a/hosts/vault/vault.nix
+++ b/hosts/vault/vault.nix
@@ -16,6 +16,7 @@
 vault
 vaultUI
 restic
+ internalCA
 ]);
 networking.hostName = "vault";
diff --git a/profiles/base/internalCA.nix b/profiles/base/internalCA.nix
new file mode 100644
index 0000000..37d7616
--- /dev/null
+++ b/profiles/base/internalCA.nix
@@ -0,0 +1,5 @@
+{...}: {
+ security.pki.certificateFiles = [
+ ../../data/internalCA.crt
+ ];
+}
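Review bot: `security.pki.certificateFiles` adds this root to the system-wide trust store of every host that imports the base profile, so any certificate the internal CA (or an intermediate it signs) issues is trusted for every TLS validation on those hosts, not only for `internal-ca.genderfucked.monster`. As far as the PEM in data/internalCA.crt decodes, it is CA:TRUE with pathlen 1, keyUsage keyCertSign/cRLSign, valid until 2033, and carries no name-constraints extension, so its issuing scope is bounded only by who holds the CA keys and the provisioner credentials on the vault host. A comment stating this, e.g. `# Trusts the chaosInternalCA root (../../data/internalCA.crt) system-wide; CA keys live on the vault host`, would keep that blast radius visible to whoever adds hosts later.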