From 544aafd919533465ab8fa51063624d3b852a0a2e Mon Sep 17 00:00:00 2001
From: oqyude
Date: Sat, 13 Jun 2026 23:08:34 +0300
Subject: [PATCH] step-ca added

---
 modules/server/default.nix | 1 +
 modules/server/secrets/ca.json | 46 ++++++++++++++++
 modules/server/secrets/step-ca.yaml | 16 ++++++
 modules/server/step-ca.nix | 83 +++++++++++++++++++++++++++++
 modules/server/systemd.nix | 18 -------
 5 files changed, 146 insertions(+), 18 deletions(-)
 create mode 100644 modules/server/secrets/ca.json
 create mode 100644 modules/server/secrets/step-ca.yaml
 create mode 100644 modules/server/step-ca.nix

diff --git a/modules/server/default.nix b/modules/server/default.nix
index 7ea586e..40bb1be 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -20,6 +20,7 @@
 ./open-webui.nix
 ./postgresql.nix
 ./samba.nix
+ ./step-ca.nix
 ./stirling-pdf.nix
 ./syncthing.nix
 ./systemd.nix
diff --git a/modules/server/secrets/ca.json b/modules/server/secrets/ca.json
new file mode 100644
index 0000000..dd87d35
--- /dev/null
+++ b/modules/server/secrets/ca.json
@@ -0,0 +1,46 @@
+{
+ "root": "/root/.step/certs/root_ca.crt",
+ "federatedRoots": null,
+ "crt": "/root/.step/certs/intermediate_ca.crt",
+ "key": "/root/.step/secrets/intermediate_ca_key",
+ "address": "0.0.0.0:9000",
+ "insecureAddress": "",
+ "dnsNames": [
+ "ca.zeroq.su"
+ ],
+ "logger": {
+ "format": "text"
+ },
+ "db": {
+ "type": "badgerv2",
+ "dataSource": "/root/.step/db",
+ "badgerFileLoadingMode": ""
+ },
+ "authority": {
+ "provisioners": [
+ {
+ "type": "JWK",
+ "name": "oqyude@zeroq.su",
+ "key": {
+ "use": "sig",
+ "kty": "EC",
+ "kid": "vhOaaOVnwo0MtJVP13ZM60ckirLUqq-5WEbq2PQTQ-w",
+ "crv": "P-256",
+ "alg": "ES256",
+ "x": "0WXy0B9DHwz4POacxrSiml7bbOPFYPKVvyUlm18M5ro",
+ "y": "AptaeuzpC2TV9_hHAx8s2afDmCa_QJSzke23kCYzKfU"
+ },
+ "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiVTBRS24wUHFJUUZiNTRyRkVYeDVwZyJ9.Xc96u-JxlKELcawpLmyrzqp4_UUY1sAqUo7PX6hBWL8_Ix2RzS8ZwA.fs5K5A9kXmp3KEUu.J1s016RTlqKbfRzQJB1bdz8v93S9PLpU3DqlEvIVnOIEhovL9vG5dzPLAfLApZ_MArHhubVkirHhZHB4fYd3KvbFpCRaYQomB4vP0V188zclL7gyatiQ36R_fTG_oiRiKHeP0nPubVpL-I-ESdtXR05pMQtit5A1luLGm3H78FuTF883Hiz-hc84v8E-nq0Z5l5zQeV-fy4QaCFzg1_5s7MacNlgplDLopzbfJIhp3SDKiwWjsotPjsuKMSQ-blawbBL5skf44t23hDelSaRvASq8-Dq-hkBLsKssMX7SzccHPWpxazZ07Ug8PKc8_o2kxc6k5-K0Xr5tY4h8VI.YSsnw_InABsga1SCjLtq1g"
+ }
+ ]
+ },
+ "tls": {
+ "cipherSuites": [
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+ ],
+ "minVersion": 1.2,
+ "maxVersion": 1.3,
+ "renegotiation": false
+ }
+}
\ No newline at end of file
diff --git a/modules/server/secrets/step-ca.yaml b/modules/server/secrets/step-ca.yaml
new file mode 100644
index 0000000..4ecf494
--- /dev/null
+++ b/modules/server/secrets/step-ca.yaml
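Review bot: `modules/server/secrets/ca.json` is a second copy of the CA configuration that nothing in this patch references, and it disagrees with `step-ca.nix`: its paths point at `/root/.step` while the Nix module renders the same settings against `/var/lib/step-ca`, and its provisioner `kid` (`vhOaaOVnwo0…`) is not the one the module installs (`XEpzFJA-sed…`). Two diverging copies with different provisioner keys will drift silently, so either delete this file or have the module consume it instead of inlining `settings`. Note also that, unlike its neighbour `step-ca.yaml`, this file sits in `secrets/` but is committed in plaintext; its `encryptedKey` is a JWE whose header decodes to `PBES2-HS256+A128KW`, so the committed copy is protected only by the provisioner password. The file is also missing a trailing newline (`\ No newline at end of file`).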
@@ -0,0 +1,16 @@
+intermediate-password: ENC[AES256_GCM,data:SvV5uYVXVTuhh/dhzXIDJw69dJ3s33a0ibKCyDWnfyA=,iv:S9VydNWm4PL+quWQ7arCmSFXa6YO1/hL+xrYty/2IPE=,tag:zHJ6/ZNRfs9w9vrt77xdow==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5K3YyYkRkVkxwamMybWRj
+ WGxEZnc3TGRYRHNtTXRZYlZKQ2hBK0YrQjNZCndVQVhYcTJqRitCdUdmMjduTk1M
+ azNnMUhHKzB1M25vZGFScjZBcHJOaUEKLS0tIHJBRnZwamhvYU1ybFVFMFZsTmVS
+ ZmN3NTVnZ1RwRkNzTUxJTjVGMU4yUHMKMEZdpDBm6pdZmrFidkOdivnnd2/b8OO/
+ IUYmiWPlPd1IDV1NeMtlSYtO8exzB22XL9DqW4x/tJ7DeSZaBsjcOw==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age13l2gtk0nzr484zprp7e0pkrt0ne0j4asyn2pjmlaw73nte7t7d8q4sqtxm
+ lastmodified: "2026-06-13T22:59:34Z"
+ mac: ENC[AES256_GCM,data:72E73xauS1Xrfw6tcyN/PHSJZ4ZZnIeKp8JVUPFGPBvIzaD6ZThYZwQ10FDD4JF+YOwn3QhCEh3t0ozcSNNnJFkyBgSqFtRMkym0ede12VAOPu2wQFoNvMdkT7+n14lJ/9OOz6KDyMf0BQDJKlSfDBkt+mLi61zte5iUxPsWsp4=,iv:xuOwFBEnlRgbaVdMq4O6w9T2edpS6uEPh9yhNbYBJIk=,tag:Y+dtcU17Q83o/9Nt1LGCcg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.13.1
diff --git a/modules/server/step-ca.nix b/modules/server/step-ca.nix
new file mode 100644
index 0000000..f14dea3
--- /dev/null
+++ b/modules/server/step-ca.nix
@@ -0,0 +1,83 @@
+{
+ config,
+ inputs,
+ pkgs,
+ xlib,
+ ...
+}:
+let
+ configDir = "${xlib.dirs.services-mnt-folder}/step-ca";
+ varDir = "/var/lib/step-ca";
+in
+{
+ services.step-ca = {
+ enable = true;
+ address = "0.0.0.0";
+ port = 9000;
+ openFirewall = true;
+ intermediatePasswordFile = config.sops.secrets.intermediate-password.path;
+ settings = {
+ root = "${varDir}/certs/root_ca.crt";
+ crt = "${varDir}/certs/intermediate_ca.crt";
+ key = "${varDir}/secrets/intermediate_ca_key";
+ # address = "0.0.0.0:9000";
+ dnsNames = [
+ "ca.zeroq.su"
+ ];
+ db = {
+ type = "badgerv2";
+ dataSource = "${varDir}/db";
+ };
+ authority = {
+ provisioners = [
+ {
+ type = "JWK";
+ name = "oqyude@zeroq.su";
+ key = {
+ use = "sig";
+ kty = "EC";
+ kid = "XEpzFJA-sedFf0ANCiEH1UDaSvrHiZabLahQOyoAYmc";
+ crv = "P-256";
+ alg = "ES256";
+ x = "AGHevH0UU7_abhE6d8JhNuNRgXBeVI7qCldZrFfkn5o";
+ y = "pLKOpAwUiGRv4HRQUyiXFAMqsywTjrjazeEkDOr29Sk";
+ };
+ encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoibFlONzBwMWJiVzc0MDlGaS1EOEZVUSJ9.zBEsf2hAaj4yyy_Lk1Jss7h5Hn68kz6UMeg3Jz3X_VVeMWLvcoRVaw.tpY50S9CSzmcfWXz.u5ta_Yd3GLMz19RKA2WondVIwTGbGs3is5v7_D0aUOtQ0158d4GcjrOHFD2PexaackbTNuUPtqa2X38ypnFq5wh1uq3udWu-qWRjRSd_YkY4YJt_GWFvUHQ_jldx0NSfMDNGndU2IakR62-9WklEjU3UGmUeaPGP9DTuzmdJa36t2aLuPuNnmV-tEJIH3eQ5huU8nLy1ROZjdkrF-agHh78EG_Ss8P4vHuqOtTAjZW3YCtfSfb57iKAsbrk3nUTo6zhPc0ds8cPB7Rva0K8Rj2Pf3apB7qZnCVF5zBiu1icvhOYIfwVQAiqpdz6qMi42QSBWZ4ROu4Db2q5a6D0.AS7Dr3v_Niiwy7aHIR-0bw";
+ }
+ ];
+ };
+ };
+ };
+
+ fileSystems."${varDir}" = {
+ device = "${configDir}";
+ fsType = "none";
+ options = [
+ "bind"
+ "nofail"
+ ];
+ };
+
+ environment = {
+ systemPackages = with pkgs; [
+ step-cli
+ ];
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${configDir} 0755 nobody nogroup -"
+ "z ${configDir} 0755 nobody nogroup -"
+ "Z ${configDir}/ 0700 nobody nogroup -"
+ ];
+
+ sops.secrets = {
+ intermediate-password = {
+ format = "yaml";
+ key = "intermediate-password";
+ sopsFile = ./secrets/step-ca.yaml;
+ # owner = "nobody";
+ # group = "nogroup";
+ mode = "0600";
+ };
+ };
+}
diff --git a/modules/server/systemd.nix b/modules/server/systemd.nix
index 65552d6..e0f74dc 100644
--- a/modules/server/systemd.nix
+++ b/modules/server/systemd.nix
@@ -11,15 +11,6 @@
 rsync-archivesta = {
 # Archivesta
 description = "Backup data using rsync";
- # wants = [
- # "mnt-archive.mount"
- # ];
- # requires = [
- # "mnt-archive.mount"
- # ];
- # after = [
- # "mnt-archive.mount"
- # ];
 unitConfig.RequiresMountsFor = [
 "${xlib.dirs.archive-drive}"
 "${xlib.dirs.server-home}"
@@ -42,15 +33,6 @@
 rsync-archivesta-lite = {
 # Archivesta Lite
 description = "Backup data using rsync";
- # wants = [
- # "mnt-mobile.mount"
- # ];
- # after = [
- # "mnt-mobile.mount"
- # ];
- # requires = [
- # "mnt-mobile.mount"
- # ];
 unitConfig.RequiresMountsFor = [
 "${xlib.dirs.server-home}"
 "${xlib.dirs.mobile-drive}"