vhost for step-ca

Julien Malka 2023-06-14 12:27:40 +02:00
parent e526cc3628
commit fb1c1d9b99
Signed by: Luj
GPG key ID: 6FC74C847011FD83
2 changed files with 13 additions and 2 deletions


@ -81,7 +81,7 @@ in
mkVPNSubdomain = name: port: {
luj.nginx.enable = true;
security.acme.certs."${name}.luj".server = "https://ca.luj:8444/acme/acme/directory";
security.acme.certs."${name}.luj".server = "https://ca.luj/acme/acme/directory";
services.nginx.virtualHosts."${name}.luj" = {
forceSSL = true;
enableACME = true;
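Review bot: The new ACME directory URL on the second changed line sends every VPN subdomain's certificate issuance through the ca.luj nginx vhost instead of straight to step-ca, so the proxy target has to be reachable: in the second file the vhost proxies to `https://127.0.0.1:8444` while `services.step-ca.address` is set to `100.100.45.14`, which looks like a mismatch unless step-ca also answers on loopback — worth confirming before renewals depend on it. It also makes issuance for all subdomains depend on nginx being up and on ca.luj's own certificate (issued by the same CA) being trusted through `security.pki.certificates`. A one-line comment above the server option would help the next reader, e.g. `# ACME requests go through the ca.luj nginx vhost (TLS terminated there, proxied to step-ca on 8444); renewals for every VPN subdomain depend on that vhost.`. The mkVPNSubdomain body continues past the end of this hunk.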


@ -140,7 +140,6 @@
services.step-ca.intermediatePasswordFile = "/root/capw";
services.step-ca.address = "100.100.45.14";
services.step-ca.port = 8444;
services.step-ca.openFirewall = true;
services.step-ca.settings = builtins.fromJSON ''
{}
'';
@ -150,6 +149,18 @@
"${pkgs.step-ca}/bin/step-ca /etc/smallstep/ca_prod.json --password-file \${CREDENTIALS_DIRECTORY}/intermediate_password"
];
services.nginx.virtualHosts."ca.luj" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:8444";
};
};
security.acme.certs."ca.luj".server = "https://127.0.0.1:8444/acme/acme/directory";
systemd.services."step-ca".after = [ "keycloak.service" ];
security.pki.certificates = [
''-----BEGIN CERTIFICATE-----