step-ca + nginx

home-modules/profiles/tools/common.nix

@@ -29,5 +29,7 @@
     watch
     zstd
     yq
+    step-cli
+    step-ca
   ];
 }

nixos-configurations/adama.nix

@@ -11,27 +11,33 @@
     ezModules.profiles
     ezModules.sshd
     ezModules.user-peteresselius
+    ezModules.ca
+    ezModules.nginx
   ];
 
   nixpkgs.hostPlatform = "aarch64-linux";
 
   system.stateVersion = "24.05";
 
   context = "home";
+  formfactor = "server";
 
   networking.firewall.allowedTCPPorts = [
-    1880  # Node-RED
-    1883  # Mosquitto
-    3000  # Grafana
-    3030  # Loki
-    8099  # Zigbee2MQTT
-    9000  # Authentik
-    9001  # Prometheus
-    9100  # Node Exporter
-    9121  # Redis Exporter
-    9187  # Postgres Exporter
-    9300  # Authentik Metrics
-    28183 # Promtail
+    443  # Nginx
+    # 1880 # Node-RED
+    1883 # Mosquitto
+    # 3000 # Grafana
+    # 3030 # Loki
+    # 6052 # ESPHome
+    # 8099 # Zigbee2MQTT
+    8443 # Step CA
+    # 9000 # Authentik
+    # 9001 # Prometheus
+    # 9100 # Node Exporter
+    # 9121 # Redis Exporter
+    # 9187 # Postgres Exporter
+    # 9300 # Authentik Metrics
+    # 28183 # Promtail
   ];
 
   age.secrets.authentik-env.file = ../secrets/authentik-env.age;
@@ -48,6 +54,7 @@
 
   profiles.auth = {
     enable = true;
+    domain = "authentik.adama.lan";
   };
 
   services.authentik.environmentFile = config.age.secrets.authentik-env.path;
@@ -93,16 +100,18 @@
       }
     ];
   }];
+
   profiles.monitoring = {
     enable = true;
-    domain = "adama";
+    domain = "grafana.adama.lan";
+    root_url = "https://grafana.adama.lan/";
     oauth = {
       name = "Authentik";
       client_id_file = builtins.toFile "grafana-client-id" "grafana";
       client_secret_file = builtins.toFile "grafana-client-secret" "secret";
-      auth_url = "http://adama:9000/application/o/authorize/";
-      token_url = "http://adama:9000/application/o/token/";
-      api_url = "http://adama:9000/application/o/userinfo/";
+      auth_url = "https://authentik.adama.lan/application/o/authorize/";
+      token_url = "https://authentik.adama.lan/application/o/token/";
+      api_url = "https://authentik.adama.lan/application/o/userinfo/";
     };
   };
 }

nixos-modules/ca.nix

@@ -0,0 +1,32 @@
+{ config, ... }:
+
+{
+  age.secrets.step-ca.file = ../secrets/step-ca.age;
+
+  services.step-ca = {
+    enable = true;
+
+    port = 8443;
+    address = "0.0.0.0";
+
+    intermediatePasswordFile = config.age.secrets.step-ca.path;
+
+    settings = {
+      root = "/var/lib/step-ca/certs/root_ca.crt";
+      crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
+      key = "/var/lib/step-ca/secrets/intermediate_ca_key";
+
+      dnsNames = [ "adama" ];
+
+      db = {
+        type = "badgerv2";
+        dataSource = "/var/lib/step-ca/db";
+      };
+
+      authority.provisioners = [{
+        type = "ACME";
+        name = "my-acme-provisioner";
+      }];
+    };
+  };
+}

nixos-modules/nginx.nix

@@ -0,0 +1,22 @@
+{
+  security.pki.certificateFiles = [ ../root_ca.crt ];
+
+  security.acme = {
+    acceptTerms = true;
+
+    defaults = {
+      email = "[email protected]";
+      server = "https://adama:8443/acme/my-acme-provisioner/directory";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+
+    statusPage = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+  };
+}

nixos-modules/profiles/auth.nix

@@ -23,6 +23,15 @@ in
   };
 
   config = mkIf cfg.enable {
+    services.nginx.virtualHosts."authentik.adama.lan" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyWebsockets = true;
+        proxyPass = "http://127.0.0.1:9000";
+      };
+    };
+
     services.authentik = {
       enable = true;
       settings = {

nixos-modules/profiles/monitoring.nix

@@ -36,6 +36,16 @@ in
     };
   };
   config = mkIf cfg.enable {
+    services.nginx.virtualHosts."grafana.adama.lan" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        recommendedProxySettings = true;
+        proxyWebsockets = true;
+        proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+      };
+    };
+
     services.grafana = {
       enable = true;
       settings = {
@@ -99,6 +109,15 @@ in
       };
     };
 
+    services.nginx.virtualHosts."prometheus.adama.lan" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyWebsockets = true;
+        proxyPass = "http://127.0.0.1:${toString config.services.prometheus.port}";
+      };
+    };
+
     services.prometheus = {
       enable = true;
       port = 9001;

nixos-modules/profiles/smarthome.nix

@@ -22,6 +22,15 @@ in
       }];
     };
 
+    services.nginx.virtualHosts."zigbee2mqtt.adama.lan" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyWebsockets = true;
+        proxyPass = "http://127.0.0.1:${toString config.services.zigbee2mqtt.settings.frontend.port}";
+      };
+    };
+
     services.zigbee2mqtt = {
       enable = true;
       package = pkgs-unstable.zigbee2mqtt;
@@ -37,7 +46,7 @@ in
         advanced = {
           pan_id = 56089;
           ext_pan_id = [ 154 147 150 234 96 16 140 189 ];
-          network_key = "!" + config.age.secrets.z2m.path +  " network_key";
+          network_key = "!" + config.age.secrets.z2m.path + " network_key";
           channel = 11;
           last_seen = "ISO_8601";
           log_level = "warning";
@@ -46,6 +55,15 @@ in
       };
     };
 
+    services.nginx.virtualHosts."node-red.adama.lan" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyWebsockets = true;
+        proxyPass = "http://127.0.0.1:${toString config.services.node-red.port}";
+      };
+    };
+
     services.node-red = {
       enable = true;
       withNpmAndGcc = true;

root_ca.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBnzCCAUWgAwIBAgIQEqhB9wteCFwsAxDgcKsKRTAKBggqhkjOPQQDAjAuMREw
+DwYDVQQKEwhFc3NlbGl1czEZMBcGA1UEAxMQRXNzZWxpdXMgUm9vdCBDQTAeFw0y
+NDAzMjExMTA4MDJaFw0zNDAzMTkxMTA4MDJaMC4xETAPBgNVBAoTCEVzc2VsaXVz
+MRkwFwYDVQQDExBFc3NlbGl1cyBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0D
+AQcDQgAEDFyVnw9a+uM5f8KctkrH63cc8hQUV1H9QvSjRAP8gnsSBtOJJJhSGRIZ
+LzdxZFcZyiTsoN2DyWWLzYj2lpcEpaNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1Ud
+EwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFBImsc+Zj4wOZ4mWjNoE65EietstMAoG
+CCqGSM49BAMCA0gAMEUCIQCwnYHGs6V9inKvQlj1KwPY7vYPSdrn4T624Qv2pCZc
+nAIgI8mAPkwwgLu+870fNSMvCI+WNMfAiJYFMmi/4Nia35g=
+-----END CERTIFICATE-----

secrets/secrets.nix

@@ -10,4 +10,5 @@ in
   "github-token.age".publicKeys = [ work-peteresselius home-peteresselius ];
   "authentik-env.age".publicKeys = [ home-peteresselius adama ];
   "z2m.age".publicKeys = [ home-peteresselius adama ];
+  "step-ca.age".publicKeys = [ home-peteresselius adama ];
 }

secrets/step-ca.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 q0q77g EaYCXg01g9zB0MNUeDUlFqTxMTE6ROcjR4lAeRb5vjE
+w3+wqGBMYQOAjuii89VLHoKBZSWAl2OJaC7NeFVj6QY
+-> ssh-ed25519 cHttuw OvT52YdGqSf1zCqnLEAa+cO0HCME8uUtrajhQrnUHk8
+LBxaBiZZWNBVSMqVLmo5wcXTvUnPkF+jSDjkmOxssb0
+--- 6LBYoM4gm3xgOZbJFwkvIhLHZHCM6mTPQuo0USsNkBw
+�2A㚔��z�?k�c{c8�9B��9`WNjI�E̤��a��|�k��
<����!�e�=XO�
	rG&