hd/cfg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

self signed cert

Browse source
This commit is contained in:
Henri Dohmen 2025-10-04 14:04:17 +02:00
parent 0e25e7cacc
commit 4a2f900c5a
Signed by: hd
GPG key ID: AB79213B044674AE
9 changed files with 100 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

30
bin/gen-tls-cert Executable file
View file

@ -0,0 +1,30 @@
#!/bin/sh
tmp=$(mktemp -d)
trap 'rm -rf -- "$keyfile"' EXIT
# ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
openssl req -x509 -nodes \
-newkey RSA:2048 \
-keyout "$tmp/ca.key" \
-days 365 \
-out "$tmp/ca.cert" \
-subj '/CN=hd_root' \
rm secrets/tlskey.age
openssl req -nodes \
-newkey rsa:2048 \
-keyout - \
-out "$tmp/server.csr" \
-subj '/CN=lan' \
| agenix -e secrets/tlskey.age
openssl x509 -req \
-CA "$tmp/ca.cert" \
-CAkey "$tmp/ca.key" \
-in "$tmp/server.csr" \
-out pki/server.cert \
-days 365 \
-CAcreateserial \
-extfile <(printf "subjectAltName=DNS:roam.lan,DNS:*.roam.lan\nauthorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth")
mv "$tmp/ca.cert" pki/ca.cert

2
common/security.nix
View file

@ -93,5 +93,7 @@
} }
]; ];
}; };
pki.certificateFiles = [ ../pki/ca.cert ];
}; };
} }

1
flake.nix
View file

@ -115,6 +115,7 @@
buildInputs = [ buildInputs = [
colmena.packages.${system}.colmena colmena.packages.${system}.colmena
agenix.packages.${system}.default agenix.packages.${system}.default
pkgs.openssl
]; ];
}; };
formatter = pkgs.nixfmt-tree; formatter = pkgs.nixfmt-tree;

11
host/roam/services.nix
View file

@ -1,13 +1,15 @@
{ {
var, var,
config,
secrets,
... ...
}: }:
{ {
services = { services = {
nginx = { nginx = {
recommendedTlsSettings = true; # recommendedTlsSettings = true;
recommendedProxySettings = true; # recommendedProxySettings = true;
recommendedOptimisation = true; # recommendedOptimisation = true;
enable = true; enable = true;
virtualHosts.default = { virtualHosts.default = {
@ -16,11 +18,12 @@
rejectSSL = true; rejectSSL = true;
locations."/".return = "444"; locations."/".return = "444";
}; };
virtualHostsPriv."roam.lan" = { privateVirtualHosts."roam.lan" = {
locations."/" = { }; locations."/" = { };
}; };
virtualHosts."roam.hdohmen.de" = { virtualHosts."roam.hdohmen.de" = {
enableACME = true; enableACME = true;
forceSSL = true;
locations."/" = { }; locations."/" = { };
}; };
}; };

22
mod/nginx.nix
View file

@ -3,35 +3,45 @@
options, options,
config, config,
var, var,
secrets,
... ...
}: }:
with lib; with lib;
{ {
options.services.nginx.virtualHostsPriv = mkOption { options.services.nginx.privateVirtualHosts = mkOption {
type = options.services.nginx.virtualHosts.type; type = options.services.nginx.virtualHosts.type;
default = { }; default = { };
description = "Declarative vhost config listening on onet"; description = "Declarative vhost config listening on onet";
}; };
config = { config = mkIf (config.services.nginx.privateVirtualHosts != { }) {
age.secrets.tlskey = {
file = secrets."tlskey.age";
mode = "440";
owner = config.services.nginx.user;
group = config.services.nginx.group;
};
services.nginx.virtualHosts = builtins.mapAttrs ( services.nginx.virtualHosts = builtins.mapAttrs (
_: v: _: v:
v v
// { // {
sslCertificateKey = config.age.secrets.tlskey.path;
sslCertificate = ../pki/server.cert;
addSSL = true;
listen = [ listen = [
{ {
addr = var.wg.ips.roam; addr = var.wg.ips.roam;
port = 80; port = 80;
} }
/* {
{ TODO: Fix certs
addr = var.wg.ips.roam; addr = var.wg.ips.roam;
port = 443; port = 443;
ssl = true; ssl = true;
} }
*/
]; ];
} }
) config.services.nginx.virtualHostsPriv; ) config.services.nginx.privateVirtualHosts;
}; };
} }

19
pki/ca.cert Normal file
View file

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDBTCCAe2gAwIBAgIUQZNUMLFIGLdsj9Cj3a3TpX45Wv0wDQYJKoZIhvcNAQEL
BQAwEjEQMA4GA1UEAwwHaGRfcm9vdDAeFw0yNTEwMDQxMTU3NTdaFw0yNjEwMDQx
MTU3NTdaMBIxEDAOBgNVBAMMB2hkX3Jvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQC7bpbr+iJ4O5asQmy3bP1xe0hgNkU3BqKGxFmQ5neKDMBEhnHt
ubb0jlPDns9reawX/2/7MGZFKTHvjlzZdKkSA+7t/afRs4O/sP3gqN0N7g6QdRGt
aC+7skib+tN1mrx7ZlL3UXhDE4iLhwff1PJdsGuwW3Kt4GoXISwaQlFrAhGNyuB9
5ZQuGk4TySiBRsghg/Q54V7njl7Ob5XfH2MfgONPTpd7j58kA4g5Y5HJYK6THdzU
GZG5YrxWdmxRRhXC0LFPvS/QRc/HzvOdjryEgAQBl0VUNaU+hsd0smxNWFCbUIx3
XafZXxlDGFnU8ktbkgHnMjlgbteBYxx9BB/BAgMBAAGjUzBRMB0GA1UdDgQWBBQM
lKKCnjZOHyPIm1peyUgQLErdRTAfBgNVHSMEGDAWgBQMlKKCnjZOHyPIm1peyUgQ
LErdRTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCMviNrad9B
I2XL3grAeyWAsbo9Ne4UApozzjInbX/fczxuP0QL9zSt6l3FVgN2HOnd56NjwSKF
LJyGJwjO+HoC6XDGIcMwFvch16FSTzuORKMCjWOXEq2ZFsbTa8fcSyfXRq+xcdc+
lgaqsEMBaO3vi19nFxEOO7Ps467F46uHF8RuTCnslI0UCHWiHoOT0n0E7Pr++IX/
bsVeL5xRKivi37JMAkAGWPH3qqpk4wh3dgLbPBcwDf/nf6ERS2yGtAF1Ucwpg/9W
7jvtw3TScoL4Fwl0X52aaF1WqRaS1Ovo3DLP8QfeyUVtDCxKdc+YgwXRJ963QDsX
Oj33DVkzEVG1
-----END CERTIFICATE-----

20
pki/server.cert Normal file
View file

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDQDCCAiigAwIBAgIUNoexai8hK2EXKI7S0NuZFuhtVF0wDQYJKoZIhvcNAQEL
BQAwEjEQMA4GA1UEAwwHaGRfcm9vdDAeFw0yNTEwMDQxMTU3NTdaFw0yNjEwMDQx
MTU3NTdaMA4xDDAKBgNVBAMMA2xhbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMY1qSgzUCcRRyJXsd+8KWRfPS4BMWXRKJwsH3RKXBEFVO5SZGynV5AD
W6sUw/2VeIW1LLhpt7AnEblJ0zVNcIcFyisAGQK0sLgSmPZ0q6j1MHXd37hVQ5GX
7DQ/ZMSPuOJgCpSjWVvCmnUOWlkZtqUpPKIxpHH5YsakbLorQgHiGYjiHeWJTqM7
Ahi9IaMCRwgBK0G8TQ3jI2CUk1OxX4r48pxp7kR3u+rRLec5ZdzefMboyL6m9K4P
r3MA10uF8SvzEC9IH1PixGMgqW6iMBsscuNGMoWPf6MWnJwYr3DOe1B8G0VrFdZg
mENh84jJhPcKrHTsszdj8fkl0K30ezsCAwEAAaOBkTCBjjAfBgNVHREEGDAWgghy
b2FtLmxhboIKKi5yb2FtLmxhbjAfBgNVHSMEGDAWgBQMlKKCnjZOHyPIm1peyUgQ
LErdRTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcD
ATAdBgNVHQ4EFgQU7XO2i2IykvfcecBTdKGUA8zYxAUwDQYJKoZIhvcNAQELBQAD
ggEBACCt6e3OSOVhqf/hD4rOJMi8rTlOMBroI8ErbDuXKF3NBNfe3vIZBtqaDxeC
1XhuSFAH5RYJupRF/vRlW58M+r1qeRakhHIpFEJDJle0dr3kw27IS+OyxSH4d3vd
3PvUsPLAtO8Cz/SXo6OkkEboNwEWmCuOWjyyj2lbDVpO3wPVUcy7kRLQBqGnv+Eu
xY059qByIZqr0SKrn0MttCRZbfzngdVXyQjC9wyTrQ+yDCE0Cng5omvw7pFrUb/W
0v/JJYXrXXM7/JEtxC2+kbp3uH8zcDorOS3pVtHRROhHSvi83ggTHFCEXzUVtWNH
M7aWXTM62DaugxDtvaPkfyS4Bv8=
-----END CERTIFICATE-----

1
secrets.nix
View file

@ -6,6 +6,7 @@ let
"roam/rclone-conf" "roam/rclone-conf"
"roam/firefox-sync-secret" "roam/firefox-sync-secret"
"hd-password" "hd-password"
"tlskey"
]; ];
in in
builtins.foldl' (acc: x: acc // { "secrets/${x}.age".publicKeys = keys; }) { } secrets builtins.foldl' (acc: x: acc // { "secrets/${x}.age".publicKeys = keys; }) { } secrets

BIN
secrets/tlskey.age Normal file
View file

Binary file not shown.