setup a internal CA for stuff inside wireguard network

2023-10-07 10:57:15 +01:00 · 2023-10-07 10:57:15 +01:00 · 5e3b4d25a1
parent 232280d338
commit 5e3b4d25a1
8 changed files with 112 additions and 1 deletions
--- a/data/internalCA.crt
+++ b/data/internalCA.crt
@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBujCCAWGgAwIBAgIQINyB8JtDFzImcYtBEEbrbzAKBggqhkjOPQQDAjA8MRgw
+FgYDVQQKEw9jaGFvc0ludGVybmFsQ0ExIDAeBgNVBAMTF2NoYW9zSW50ZXJuYWxD
+QSBSb290IENBMB4XDTIzMTAwNzA5MjYyMloXDTMzMTAwNDA5MjYyMlowPDEYMBYG
+A1UEChMPY2hhb3NJbnRlcm5hbENBMSAwHgYDVQQDExdjaGFvc0ludGVybmFsQ0Eg
+Um9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFRmFlfmZyu0k0gt3SpK
+X+87L2L6Ty0ddQoTVh6O/PnqSc5583oWjD3I8La8CP0Ehadr+MZ6qnTlng2Z5G+0
+4PWjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1Ud
+DgQWBBQSdzj+Rld9GOvs4T2BuFlqk19d5zAKBggqhkjOPQQDAgNHADBEAiADlN6S
+1AgXe0M3Jp9KMI17amhbJFJY+RKhZG8iXjLi5AIgBR1prsckn0cH6J5l1R2UFVfP
+JXQxoNNf9ZJcgA9uOww=
+-----END CERTIFICATE-----
--- a/hosts/vault/data/ca.json
+++ b/hosts/vault/data/ca.json
@ -0,0 +1,50 @@
+{
+  "root": "/var/lib/step-ca/certs/root_ca.crt",
+  "federatedRoots": null,
+  "crt": "/var/lib/step-ca/certs/intermediate_ca.crt",
+  "key": "/var/lib/step-ca/secrets/intermediate_ca_key",
+  "address": ":8443",
+  "insecureAddress": "",
+  "dnsNames": [
+    "internal-ca.genderfucked.monster"
+  ],
+  "logger": {
+    "format": "text"
+  },
+  "db": {
+    "type": "badgerv2",
+    "dataSource": "/var/lib/step-ca/db",
+    "badgerFileLoadingMode": ""
+  },
+  "authority": {
+    "provisioners": [
+      {
+        "type": "JWK",
+        "name": "chaos@owo.monster",
+        "key": {
+          "use": "sig",
+          "kty": "EC",
+          "kid": "iVF2Pv4bjT49y3A7Fr7VLUX7DRA_agV8MtJO1fPsXak",
+          "crv": "P-256",
+          "alg": "ES256",
+          "x": "eObudoofL4N97swbxJENw_l8CNUJDqY-z7D7FsGuQAo",
+          "y": "oVh_vs7tyU0hqVp9_rlGg4zf_DEfwt9sP8HvvX-BBpg"
+        },
+        "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiejg2MEtzcTRSdmFjTnlnTzZlODlnQSJ9.UJmlI8NY3E3Q9mxCiQKg3A8w_BrbxRajrWsdFAADTgNSmWvMv9BO2Q.5YJjMQy7CHO0yBT2.bglp3YwvZtGJm8tSRXRt87kCr4sLiNDWUDHdJi5HJOlRQGFpW95tbI_3smJ81fBZHxA8yXXKP4vce-pmheTd_MbKWKjlmATZx6-JrvyVxHgOb80Fqdlb7GTVHkTu6fOYJzZtFUHswNvKdhJ4kHzQzs09ukc3KZRRCl9t2OV_jSY0ag8EhEAfqDCHAhx9V4Rlg6E10oLHA2kCGo7Z8bE_mClRPd9sFCIg4C0WdvIlXRJk3-Hs7tqCrGXBq50vZf28VjvS2B2JrtEGzK6CU1338GJ6oT3I7BaMF1X9IS-UfU3mUrGalwr8j7MV7-ezDwlEoCnFhQbD2UOVC0nHRyE.Ta-x2FImNtgtlIlIiWdpAA"
+      },
+      {
+        "type": "ACME",
+        "name": "acme"
+      }
+    ]
+  },
+  "tls": {
+    "cipherSuites": [
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+    ],
+    "minVersion": 1.2,
+    "maxVersion": 1.3,
+    "renegotiation": false
+  }
+}
--- a/hosts/vault/profiles/internalCA.nix
+++ b/hosts/vault/profiles/internalCA.nix
@ -0,0 +1,20 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  secrets = config.services.secrets.secrets;
+in {
+  environment.systemPackages = with pkgs; [
+    step-cli
+    step-ca
+  ];
+
+  services.step-ca = {
+    enable = true;
+    address = "0.0.0.0";
+    port = 8443;
+    intermediatePasswordFile = secrets.internal_ca_password.path;
+    settings = builtins.fromJSON (builtins.readFile ../data/ca.json);
+  };
+}
--- a/hosts/vault/profiles/restic.nix
+++ b/hosts/vault/profiles/restic.nix
@ -7,7 +7,10 @@
 in {
  services.restic.backups.vault = {
    user = "root";
-    paths = ["/var/lib/vault"];
+    paths = [
+      "/var/lib/vault"
+      "/var/lib/private/step-ca"
+    ];
    timerConfig = {
      OnBootSec = "1m";
      OnCalendar = "6h";
--- a/hosts/vault/profiles/vault.nix
+++ b/hosts/vault/profiles/vault.nix
@ -16,4 +16,16 @@
      "/".proxyPass = "http://127.0.0.1:8200";
    };
  };
+
+  security.acme.certs."vault.genderfucked.monster" = {
+    server = "https://internal-ca.genderfucked.monster:8443/acme/acme/directory";
+  };
+
+  services.nginx.virtualHosts."vault.genderfucked.monster" = {
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      "/".proxyPass = "http://127.0.0.1:8200";
+    };
+  };
 }
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@ -21,6 +21,8 @@
      "private-public-keys/data/restic/Vault"

      "api-keys/data/storage/restic/Vault"
+
+      "infra/data/internalCAPassword"
    ];

    secrets = {
@ -68,6 +70,12 @@
          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile"
        '';
      };
+
+      internal_ca_password = {
+        fetchScript = ''
+          simple_get "/infra/internalCAPassword" .password > "$secretFile"
+        '';
+      };
    };
  };
 }
--- a/hosts/vault/vault.nix
+++ b/hosts/vault/vault.nix
@ -16,6 +16,7 @@
      vault
      vaultUI
      restic
+      internalCA
    ]);

  networking.hostName = "vault";
--- a/profiles/base/internalCA.nix
+++ b/profiles/base/internalCA.nix
@ -0,0 +1,5 @@
+{...}: {
+  security.pki.certificateFiles = [
+    ../../data/internalCA.crt
+  ];
+}