setup a internal CA for stuff inside wireguard network

This commit is contained in:
chaos 2023-10-07 10:57:15 +01:00
parent 232280d338
commit 5e3b4d25a1
No known key found for this signature in database
8 changed files with 112 additions and 1 deletions

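--- a/data/internalCA.crt
+++ b/data/internalCA.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBujCCAWGgAwIBAgIQINyB8JtDFzImcYtBEEbrbzAKBggqhkjOPQQDAjA8MRgw
+FgYDVQQKEw9jaGFvc0ludGVybmFsQ0ExIDAeBgNVBAMTF2NoYW9zSW50ZXJuYWxD
+QSBSb290IENBMB4XDTIzMTAwNzA5MjYyMloXDTMzMTAwNDA5MjYyMlowPDEYMBYG
+A1UEChMPY2hhb3NJbnRlcm5hbENBMSAwHgYDVQQDExdjaGFvc0ludGVybmFsQ0Eg
+Um9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFRmFlfmZyu0k0gt3SpK
+X+87L2L6Ty0ddQoTVh6O/PnqSc5583oWjD3I8La8CP0Ehadr+MZ6qnTlng2Z5G+0
+4PWjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1Ud
+DgQWBBQSdzj+Rld9GOvs4T2BuFlqk19d5zAKBggqhkjOPQQDAgNHADBEAiADlN6S
+1AgXe0M3Jp9KMI17amhbJFJY+RKhZG8iXjLi5AIgBR1prsckn0cH6J5l1R2UFVfP
+JXQxoNNf9ZJcgA9uOww=
+-----END CERTIFICATE-----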

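--- a/hosts/vault/data/ca.json
+++ b/hosts/vault/data/ca.json
@@ -0,0 +1,50 @@
+{
+"root": "/var/lib/step-ca/certs/root_ca.crt",
+"federatedRoots": null,
+"crt": "/var/lib/step-ca/certs/intermediate_ca.crt",
+"key": "/var/lib/step-ca/secrets/intermediate_ca_key",
+"address": ":8443",
+"insecureAddress": "",
+"dnsNames": [
+"internal-ca.genderfucked.monster"
+],
+"logger": {
+"format": "text"
+},
+"db": {
+"type": "badgerv2",
+"dataSource": "/var/lib/step-ca/db",
+"badgerFileLoadingMode": ""
+},
+"authority": {
+"provisioners": [
+{
+"type": "JWK",
+"name": "chaos@owo.monster",
+"key": {
+"use": "sig",
+"kty": "EC",
+"kid": "iVF2Pv4bjT49y3A7Fr7VLUX7DRA_agV8MtJO1fPsXak",
+"crv": "P-256",
+"alg": "ES256",
+"x": "eObudoofL4N97swbxJENw_l8CNUJDqY-z7D7FsGuQAo",
+"y": "oVh_vs7tyU0hqVp9_rlGg4zf_DEfwt9sP8HvvX-BBpg"
+},
+"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiejg2MEtzcTRSdmFjTnlnTzZlODlnQSJ9.UJmlI8NY3E3Q9mxCiQKg3A8w_BrbxRajrWsdFAADTgNSmWvMv9BO2Q.5YJjMQy7CHO0yBT2.bglp3YwvZtGJm8tSRXRt87kCr4sLiNDWUDHdJi5HJOlRQGFpW95tbI_3smJ81fBZHxA8yXXKP4vce-pmheTd_MbKWKjlmATZx6-JrvyVxHgOb80Fqdlb7GTVHkTu6fOYJzZtFUHswNvKdhJ4kHzQzs09ukc3KZRRCl9t2OV_jSY0ag8EhEAfqDCHAhx9V4Rlg6E10oLHA2kCGo7Z8bE_mClRPd9sFCIg4C0WdvIlXRJk3-Hs7tqCrGXBq50vZf28VjvS2B2JrtEGzK6CU1338GJ6oT3I7BaMF1X9IS-UfU3mUrGalwr8j7MV7-ezDwlEoCnFhQbD2UOVC0nHRyE.Ta-x2FImNtgtlIlIiWdpAA"
+},
+{
+"type": "ACME",
+"name": "acme"
+}
+]
+},
+"tls": {
+"cipherSuites": [
+"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+],
+"minVersion": 1.2,
+"maxVersion": 1.3,
+"renegotiation": false
+}
+}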
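Review bot: The ACME provisioner declared as `"type": "ACME", "name": "acme"` carries no `claims` and no `challenges` restriction, so any client that can reach port 8443 and answer an http-01/dns-01/tls-alpn-01 challenge for a name obtains a certificate that every host installing data/internalCA.crt will trust. Add at least an explicit `"challenges": [...]` listing only the challenge type nginx actually answers, plus a `claims` block with `maxTLSCertDuration`, and keep 8443 reachable only over the WireGuard interface. As far as I recall step-ca's default leaf lifetime is 24h unless `defaultTLSCertDuration` is raised in `claims`, which leaves almost no margin against a daily client-side renewal timer; something like `"claims": { "defaultTLSCertDuration": "720h", "maxTLSCertDuration": "2160h" }` on the ACME provisioner avoids certificates expiring between renewal runs. The JWK provisioner's `encryptedKey` is committed in the repository (PBES2 with 100000 iterations), so the passphrase strength is the only thing protecting that signing key.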


@ -0,0 +1,20 @@
{
pkgs,
config,
...
}: let
secrets = config.services.secrets.secrets;
in {
environment.systemPackages = with pkgs; [
step-cli
step-ca
];
services.step-ca = {
enable = true;
address = "0.0.0.0";
port = 8443;
intermediatePasswordFile = secrets.internal_ca_password.path;
settings = builtins.fromJSON (builtins.readFile ../data/ca.json);
};
}
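Review bot: `address = "0.0.0.0"` binds the CA, including its unauthenticated ACME directory, on every interface, while the commit title says it is meant for hosts inside the WireGuard network; bind it to the host's WireGuard address instead, or restrict TCP 8443 to the WireGuard interface in the firewall, so certificate issuance is not reachable from the public side. `settings = builtins.fromJSON (builtins.readFile ../data/ca.json)` copies the whole config, including the JWK provisioner's encrypted key, into the world-readable Nix store; that is acceptable only while the passphrase is strong, and a one-line comment such as `# ca.json (incl. the PBES2-encrypted JWK provisioner key) ends up in /nix/store` would warn the next reader. The `"address": ":8443"` inside ca.json is presumably overridden by the module's `address`/`port` options, so keep the two in sync or drop one of them.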


@ -7,7 +7,10 @@
in { in {
services.restic.backups.vault = { services.restic.backups.vault = {
user = "root"; user = "root";
paths = ["/var/lib/vault"]; paths = [
"/var/lib/vault"
"/var/lib/private/step-ca"
];
timerConfig = { timerConfig = {
OnBootSec = "1m"; OnBootSec = "1m";
OnCalendar = "6h"; OnCalendar = "6h";
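Review bot: Adding `/var/lib/private/step-ca` to `paths` puts the intermediate key (`secrets/intermediate_ca_key`, passphrase-protected) and, if `step ca init` left it in the same `secrets/` directory, the root key into the restic repository; together with the `internalCAPassword` secret that backup is the complete CA. Consider moving the root key off the host once the intermediate is signed (ca.json references only `root_ca.crt`, not a root key), or add an `exclude` for it, and record the decision in a comment such as `# step-ca state: intermediate key is passphrase-encrypted; root key must not live here`. The path is apparently the DynamicUser state directory behind the `/var/lib/step-ca` paths used in ca.json, which restic running as root reads directly. The enclosing attribute set continues outside the hunk.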


@ -16,4 +16,16 @@
"/".proxyPass = "http://127.0.0.1:8200"; "/".proxyPass = "http://127.0.0.1:8200";
}; };
}; };
security.acme.certs."vault.genderfucked.monster" = {
server = "https://internal-ca.genderfucked.monster:8443/acme/acme/directory";
};
services.nginx.virtualHosts."vault.genderfucked.monster" = {
forceSSL = true;
enableACME = true;
locations = {
"/".proxyPass = "http://127.0.0.1:8200";
};
};
} }
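Review bot: The `server = "https://internal-ca.genderfucked.monster:8443/acme/acme/directory"` line moves issuance for vault.genderfucked.monster to the internal CA, whose http-01 validation requires step-ca to reach vault.genderfucked.monster on port 80; if that name resolves to a public address rather than the WireGuard one, validation either fails or leaves the tunnel, so a comment stating which address the name is expected to resolve to would save the next debugging session. The context above the hunk closes a virtualHost with the same `proxyPass` backend; if that block is also named `vault.genderfucked.monster`, the second `services.nginx.virtualHosts."vault.genderfucked.monster"` definition is a duplicate attribute and evaluation will fail, so check the name above the hunk. The enclosing attribute set starts before the hunk.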


@ -21,6 +21,8 @@
"private-public-keys/data/restic/Vault" "private-public-keys/data/restic/Vault"
"api-keys/data/storage/restic/Vault" "api-keys/data/storage/restic/Vault"
"infra/data/internalCAPassword"
]; ];
secrets = { secrets = {
@ -68,6 +70,12 @@
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile" echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile"
''; '';
}; };
internal_ca_password = {
fetchScript = ''
simple_get "/infra/internalCAPassword" .password > "$secretFile"
'';
};
}; };
}; };
} }
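Review bot: The fetch script `simple_get "/infra/internalCAPassword" .password > "$secretFile"` writes whatever the filter produces, and with jq's defaults a missing `.password` key yields the literal `null`, which becomes a plausible-looking password file that only fails later when step-ca tries to decrypt the intermediate key; if `simple_get` passes flags through to jq, use `-e` (or check the output is non-empty before redirecting) so a bad fetch fails at fetch time. The policy path `infra/data/internalCAPassword` and fetch path `/infra/internalCAPassword` follow the same KV v2 pattern as the existing restic entries, so they look consistent. `simple_get` is defined outside this hunk, so the flag handling is an assumption to confirm.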


@ -16,6 +16,7 @@
vault vault
vaultUI vaultUI
restic restic
internalCA
]); ]);
networking.hostName = "vault"; networking.hostName = "vault";


@ -0,0 +1,5 @@
{...}: {
security.pki.certificateFiles = [
../../data/internalCA.crt
];
}
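Review bot: `security.pki.certificateFiles` adds the internal root to the system-wide trust store, so every TLS client on the host, not only the ones talking to WireGuard peers, accepts any certificate this CA issues, including ones obtained through the ACME provisioner; that is a wider trust decision than the commit title suggests and deserves a comment, e.g. `# Trusts the internal step-ca root (data/internalCA.crt) for every TLS client on this host.` If that scope is unintended, consider name constraints on the intermediate or configuring the root only for the specific clients that need it.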