commit a6b1a7218c8c46a26d88edc75a6b2f5ccc7b7caf
parent 3112c5b1e93e792fecc1a92c77e5b45d1fa5471b
Author: Katja (ctucx) <git@ctu.cx>
Date: Wed, 12 Mar 2025 19:01:21 +0100
parent 3112c5b1e93e792fecc1a92c77e5b45d1fa5471b
Author: Katja (ctucx) <git@ctu.cx>
Date: Wed, 12 Mar 2025 19:01:21 +0100
nginx: implement crl for ssl-client-auth
6 files changed, 65 insertions(+), 19 deletions(-)
diff --git a/configurations/nixos/configure/smarthome/mqtt-webui/default.nix b/configurations/nixos/configure/smarthome/mqtt-webui/default.nix
@@ -11,6 +11,7 @@
 forceSSL = true;
 kTLS = true;
 extraConfig = ''
+ ssl_crl /etc/ctucxCA.crl;
 ssl_client_certificate ${../../../../../secrets/certs/rootCA.crt};
 ssl_verify_client on;
 '';
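Review bot: `ssl_crl /etc/ctucxCA.crl;` makes nginx's configuration load depend on a file that exists only after ctucxCAgetCRL.service has run; nginx refuses to start (not just this vhost) when an `ssl_crl` file is missing or unparsable, and because the path is outside the Nix store nothing in the evaluation guarantees it, so activating this on a host where that oneshot has not yet succeeded is likely to leave nginx down. The same line is added in zigbee2mqtt.nix and syncthingNginx.nix. Since nginx checks revocation for every CA in the client's chain once `ssl_crl` is set, the file must always contain both the root CRL and the intermediate CRL that the fetch script concatenates. I'd record that coupling next to the directive: `# /etc/ctucxCA.crl = root CRL + step-ca CRL, assembled by ctucxCAgetCRL.service (ordered before nginx); nginx will not start without it`. The enclosing virtualHost block starts outside the hunk.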
diff --git a/configurations/nixos/configure/smarthome/zigbee2mqtt.nix b/configurations/nixos/configure/smarthome/zigbee2mqtt.nix
@@ -33,6 +33,7 @@
 forceSSL = true;
 kTLS = true;
 extraConfig = ''
+ ssl_crl /etc/ctucxCA.crl;
 ssl_client_certificate ${../../../../secrets/certs/rootCA.crt};
 ssl_verify_client on;
 '';
diff --git a/configurations/nixos/default.nix b/configurations/nixos/default.nix
@@ -69,7 +69,38 @@ in {
 gc.dates = "18:00";
 };
- systemd.services.nginx.onFailure = [ "email-notify@%i.service" ];
+ systemd.services = let
+ ctucxCAgetCRL = pkgs.writeShellScript "ctucxCAgetCRL" ''
+ ${lib.getExe pkgs.curl} -s -o /tmp/ctucxCAcrl.der '${(
+ if config.services.step-ca.enable then
+ "http://${config.services.step-ca.settings.insecureAddress}/1.0/crl"
+ else
+ "https://ca.ctu.cx/1.0/crl"
+ )}';
+
+ cp ${../../secrets/certs/rootCA.crl} /etc/ctucxCA.crl;
+ ${lib.getExe pkgs.openssl} crl -in /tmp/ctucxCAcrl.der -inform der >> /etc/ctucxCA.crl;
+ '';
+
+ in {
+ nginx.onFailure = [ "email-notify@%i.service" ];
+ ctucxCAgetCRL = {
+ wantedBy = [ "multi-user.target" ];
+ before = [ "nginx.service" ];
+ after = lib.mkIf config.services.step-ca.enable [ "step-ca.service" ];
+ serviceConfig.Type = "oneshot";
+ serviceConfig.ExecStart = ctucxCAgetCRL;
+ };
+
+ ctucxCAupdateCRL = {
+ wantedBy = [ "multi-user.target" ];
+ after = lib.mkIf config.services.step-ca.enable [ "step-ca.service" ];
+ startAt = [ "*-*-* *:0/10:00" ];
+ serviceConfig.Type = "oneshot";
+ serviceConfig.ExecStart = ctucxCAgetCRL;
+ serviceConfig.ExecStartPost = "${pkgs.systemd}/bin/systemctl reload nginx.service";
+ };
+ };
 services = {
 timesyncd.enable = lib.mkDefault true;
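Review bot: ctucxCAgetCRL fails open: the script has no `set -e`, curl runs without `-f`, and openssl's exit status is ignored, so when the CA is unreachable or answers with an error page the script still copies the static root CRL over /etc/ctucxCA.crl, the intermediate's revocations are silently dropped, and ctucxCAupdateCRL then reloads nginx with that truncated file. The file is also assembled in place with `cp` and `>>`, so a reload can observe a half-written CRL, and the fixed /tmp/ctucxCAcrl.der path is written as root without `serviceConfig.PrivateTmp = true` on either unit. I'd make the oneshot fail on any error, build the CRL in temporary files and rename it into place in the same directory, and keep the nginx reload in ExecStartPost as now, since a failed ExecStart then leaves the previous CRL untouched. Separately, the committed rootCA.crl encodes nextUpdate 2026-03-12T16:56:23Z; once that passes OpenSSL treats the CRL as expired and every client-auth handshake is rejected, so the `cp` line deserves a comment such as `# static root CRL, nextUpdate 2026-03-12 — reissue before then`.
```nix
ctucxCAgetCRL = pkgs.writeShellScript "ctucxCAgetCRL" ''
  set -euo pipefail
  der="$(mktemp)"
  out="$(mktemp /etc/ctucxCA.crl.XXXXXX)"
  trap 'rm -f "$der" "$out"' EXIT
  # -f: an HTTP error body must never be mistaken for a CRL
  ${lib.getExe pkgs.curl} -fsS -o "$der" '${( /* … unchanged: URL selection (local step-ca or ca.ctu.cx) … */ )}'
  # static root CRL, nextUpdate 2026-03-12 — reissue before then
  cp ${../../secrets/certs/rootCA.crl} "$out"
  ${lib.getExe pkgs.openssl} crl -in "$der" -inform der >> "$out"
  chmod 0644 "$out"
  mv -f "$out" /etc/ctucxCA.crl   # same directory: the replace is atomic, nginx never sees a partial file
'';
# … unchanged: ctucxCAgetCRL / ctucxCAupdateCRL unit definitions (add serviceConfig.PrivateTmp = true to both) …
```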
diff --git a/configurations/nixos/services/ca/default.nix b/configurations/nixos/services/ca/default.nix
@@ -1,4 +1,4 @@
-{ node, secrets, config, ctucxLib, ... }:
+{ node, secrets, config, ctucxLib, pkgs, lib, ... }:
 {
@@ -16,29 +16,34 @@
 locations."/1.0/crl".proxyPass = "http://${toString config.services.step-ca.settings.insecureAddress}/1.0/crl";
 };
+
+ systemd.services.step-ca.serviceConfig.ExecStartPost = let
+ port = lib.last (builtins.split "]:" config.services.step-ca.settings.insecureAddress);
+ in "${pkgs.bash}/bin/bash -c 'until ${pkgs.netcat}/bin/nc -z ::1 ${port}; do sleep 0.2; done'";
 services.step-ca = {
 enable = true;
 address = "[2a03:4000:4d:5e:acab::1]";
 port = 8443;
 intermediatePasswordFile = config.age.secrets.caPassword.path;
 settings = {
- insecureAddress = "[::1]:9001";
- logger.format = "text";
- root = ../../../../secrets/certs/rootCA.crt;
- crt = ../../../../secrets/certs/intermediateCA.crt;
- key = "yubikey:slot-id=83";
- kms.type = "yubikey";
- kms.pin = "123456";
- dnsNames = [ "ca.ctu.cx" ];
- crl.enabled = true;
- crl.idpURL = "http://ca.ctu.cx/1.0/crl";
- db.type = "badgerv2";
- db.dataSource = "/var/lib/step-ca/db";
- tls.cipherSuites = [ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" ];
- tls.minVersion = 1.2;
- tls.maxVersion = 1.3;
- tls.renegotiation = false;
- authority = {
+ insecureAddress = "[::1]:9001";
+ logger.format = "text";
+ root = ../../../../secrets/certs/rootCA.crt;
+ crt = ../../../../secrets/certs/intermediateCA.crt;
+ key = "yubikey:slot-id=83";
+ kms.type = "yubikey";
+ kms.pin = "123456";
+ dnsNames = [ "ca.ctu.cx" ];
+ crl.enabled = true;
+ crl.generateOnRevoke = true;
+ crl.idpURL = "http://ca.ctu.cx/1.0/crl";
+ db.type = "badgerv2";
+ db.dataSource = "/var/lib/step-ca/db";
+ tls.cipherSuites = [ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" ];
+ tls.minVersion = 1.2;
+ tls.maxVersion = 1.3;
+ tls.renegotiation = false;
+ authority = {
 provisioners = let
 adminCA = ctucxLib.toBase64 (builtins.readFile ../../../../secrets/certs/adminCA.crt);
 in [
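Review bot: The ExecStartPost readiness loop for step-ca has no bound of its own — `until nc -z ::1 ${port}; do sleep 0.2; done` spins until systemd's start timeout kills the unit if the insecure listener never comes up — and it hardcodes `::1` while the port is recovered from `insecureAddress` with `builtins.split "]:"`, which appears to yield "9001" only for the bracketed IPv6 form set a few lines below and would silently return the whole string for a plain host:port value. Nothing in the hunk says why the wait exists; if it is there so that the `after = [ "step-ca.service" ]` ordering of the CRL fetch units in configurations/nixos/default.nix actually waits for /1.0/crl to be reachable, a comment would help: `# block until the insecure (CRL) listener accepts connections, so units ordered after step-ca can fetch /1.0/crl`. A bounded loop, e.g. `for _ in $(seq 50); do nc -z ::1 ${port} && exit 0; sleep 0.2; done; exit 1`, makes the failure explicit instead of leaning on the start timeout. The `services.step-ca.settings` block continues past the hunk.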
diff --git a/configurations/nixos/services/syncthingNginx.nix b/configurations/nixos/services/syncthingNginx.nix
@@ -20,6 +20,7 @@
 forceSSL = true;
 kTLS = true;
 extraConfig = ''
+ ssl_crl /etc/ctucxCA.crl;
 ssl_client_certificate ${../../../secrets/certs/rootCA.crt};
 ssl_verify_client on;
 '';
diff --git a/secrets/certs/rootCA.crl b/secrets/certs/rootCA.crl
@@ -0,0 +1,7 @@
+-----BEGIN X509 CRL-----
+MIG/MGcCAQEwCgYIKoZIzj0EAwIwKDEOMAwGA1UEChMFY3R1Y3gxFjAUBgNVBAMT
+DWN0dWN4IFJvb3QgQ0EXDTI1MDMxMjE2NTYyM1oXDTI2MDMxMjE2NTYyM1qgDjAM
+MAoGA1UdFAQDAgEAMAoGCCqGSM49BAMCA0gAMEUCICsU443wa5fEzE6BdKvB4IRI
+4D/YcE+RjsUlsNNULNqXAiEAuYNUdHMTrkWjJC2RY9efkbV0vwEdzBQiAwtt8rcd
+ZoE=
+-----END X509 CRL-----