| -rw-r--r-- | ACME.md | 127 |
| -rw-r--r-- | Home.md | 30 |
2 files changed, 119 insertions, 38 deletions
@@ -1,23 +1,128 @@ -# ACME/SSL +We have our own letsencrypt-like service (ca.r) for internal certificates on the retiolum network. -we now have our own letsencrypt-like service for internal certificates: +## Overview -## howto trust the CA +The `ca.r` is a self-hosted ACME CA using step-ca that issues certificates for `.r` and `.w` domains on the retiolum network. This allows services to use proper TLS certificates without relying on public certificate authorities. + +## Trust the CA (Using Retiolum Module - Recommended) + +The easiest way to trust the ca.r certificates is using the retiolum CA module: + +```nix +# flake.nix +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + retiolum.url = "github:Mic92/retiolum"; + }; + + outputs = { self, nixpkgs, retiolum }: { + nixosConfigurations.myhost = nixpkgs.lib.nixosSystem { + modules = [ + retiolum.nixosModules.ca + { + # This makes your system trust the Krebs CA certificates + retiolum.ca = { + trustIntermediate = true; # Trust intermediate CA for .r and .w domains (default) + trustRoot = false; # Optionally trust root CA (default: false) + acmeURL = "https://ca.r/acme/acme/directory"; # ACME server URL + }; + } + ]; + }; + }; +} ``` + +### Manual Trust (Alternative) + +```nix security.pki.certificateFiles = [(pkgs.fetchurl { - url = "http://ca.r/ca.crt"; # can be also downloaded from some other location like github/cgit - sha256 = "sha256-tEp7OCiFx+6CFj5WzNym7wiBfWfyioeyQLLndf6glDQ="; -})] + url = "http://ca.r/ca.crt"; + hash = "sha256-un5GmMplOmBgKMDhu7YcUJC0R6JFYhZgSeExOPkLs6A="; +})]; ``` -## get a certificate from CA (need to trust CA first) +## Getting Certificates from ca.r -``` +### Basic nginx configuration + +```nix services.nginx.virtualHosts."myservice.r" = { enableACME = true; - addSSL = true; -} + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:8080"; + }; +}; security.acme.certs."myservice.r".server = "https://ca.r/acme/acme/directory"; + +# Don't forget to open 
firewall ports +networking.firewall.allowedTCPPorts = [ 80 443 ]; +``` + +### For services needing direct certificate access + +```nix +security.acme.certs."myservice.r" = { + server = "https://ca.r/acme/acme/directory"; + group = "myservice"; # Allow service to read certificate + postRun = "systemctl restart myservice.service"; # Restart on renewal +}; + +services.myservice = { + enable = true; + tlsCert = "/var/lib/acme/myservice.r/fullchain.pem"; + tlsKey = "/var/lib/acme/myservice.r/key.pem"; +}; +``` + +## Using config.retiolum.ca.acmeURL + +If you're using the retiolum module, you can reference the ACME URL directly: + +```nix +security.acme.certs."myservice.r" = { + server = config.retiolum.ca.acmeURL; +}; ``` -don't forget to open the firewall ports.
\ No newline at end of file +## Certificate Details + +Certificates issued by ca.r: +- Valid for 90 days +- Automatically renewed when less than 30 days remain +- Issued by "Krebs Intermediate CA" +- Only work for `.r` and `.w` domains (enforced by name constraints) +- Use ECDSA P-256 keys by default + +## Troubleshooting + +### Account Does Not Exist Error + +If you see: `acme: error: 400 :: urn:ietf:params:acme:error:accountDoesNotExist` + +1. Stop the service: `sudo systemctl stop acme-myservice.r.timer acme-myservice.r.service` +2. Clean state: `sudo rm -rf /var/lib/acme/myservice.r /var/lib/acme/.lego/accounts/*/ca.r*` +3. Restart: `sudo systemctl start acme-myservice.r.service` + +### Certificate Expired + +If certificates show old dates after renewal: + +1. Stop services: `sudo systemctl stop acme-myservice.r.timer acme-myservice.r.service` +2. Clean all state: `sudo rm -rf /var/lib/acme/myservice.r /var/lib/acme/.lego/myservice.r` +3. Restart: `sudo systemctl start acme-myservice.r.service && sudo systemctl start acme-myservice.r.timer` + +### Checking Certificate Status + +```bash +# List all ACME timers +systemctl list-timers "*acme*" --all + +# Check for failed services +systemctl list-units --failed "*acme*" + +# Verify certificate +echo | openssl s_client -connect myservice.r:443 -servername myservice.r 2>/dev/null | openssl x509 -noout -dates -issuer +``` 
@@ -7,19 +7,6 @@ This is the wiki for retiolum. - [[Retiolum]] - [graph.r](http://graph.r): Tinc network visualization - [social.krebsco.de](http://wiki.r/social.krebsco.de.md) -- [stable-diffusion](http://stable-confusion.r): Images-as-Service - - Webdav for all images at: dav://stable-confusion.r/output, mountable with `gio mount dav://stable-confusion.r/output/` (requires `services.gvfs.enable = true;`) - - [Gallery](http://stable-confusion.r/output/latest-gallery.html) - - [Directory listing](http://stable-confusion.r/output/) -- [Vicuna](http://vicuna.r): Text-as-a-Service (gpt alternative) - - vicuna-13b model, https://vicuna.lmsys.org/ - - api example: - ```console - $ curl http://vicuna.r/v1/chat/completions -H "Content-Type: application/json" -d '{ - "model": "vicuna-13b", - "messages": [{"role": "user", "content": "Hello!"}] - }' - ``` - [wallpaper](http://prism.r/realwallpaper-krebs.png) - [wallpaper-timelapse](http://prism.r/realwallpaper-video.mp4) - [wallpaper no entities](http://prism.r/realwallpaper.png) @@ -28,18 +15,7 @@ This is the wiki for retiolum. - <http://cgit.hotdog.r/wiki> - <http://cgit.ni.r/wiki> - <https://code.kmein.de/kfm/wiki> (ask kmein for permissions) -- [tts.r - text-to-speech, usable as API](http://tts.r) -```bash -# example usage for your bashrc/zshrc -say() { - _say() { curl -sSG http://tts.r/api/tts --data-urlencode text@- | mpv --keep-open=no --no-resume-playback -; } - if [[ "$#" -eq 0 ]]; then - _say - else - echo "$@" | _say - fi -} -``` + - [ACME](./ACME) - [upterm](https://upterm.thalheim.io/) - [jitsi](https://jitsi.lassul.us/) 
@@ -47,10 +23,10 @@ say() { - [mumble](https://mumble.lassul.us/) also `nix-shell -p mumble --run "mumble mumble://$USER@lassul.us/nixos"` ## Stockholm repositories -- [gum](http://cgit.gum.r/stockholm) +- [makefu](https://cgit.euer.krebsco.de/makefu/stockholm) - [mic92](https://git.thalheim.io/Mic92/stockholm/) -- [ni](http://cgit.ni.r/stockholm) - [prism](http://cgit.prism.r/stockholm) +- [tv](http://cgit.ni.r/stockholm) ## Git services |
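Review bot: in the ACME.md hunk, the "Manual Trust (Alternative)" block changes the pinned digest of `http://ca.r/ca.crt` from `sha256-tEp7OCiFx+...` to `sha256-un5GmMplOm...` while the surrounding text says nothing about the CA certificate having been rotated; because the file is fetched over plain HTTP, that hash is the only integrity check a reader has, so the page should say why the value changed and how to confirm the new one out of band. The removed comment `# can be also downloaded from some other location like github/cgit` was the only hint at such a cross-check; keep an equivalent sentence. Related gap: the module section separates `trustIntermediate` (default) from `trustRoot`, and "Certificate Details" states the `.r`/`.w` restriction is enforced by name constraints, but the manual block never says whether `ca.crt` is the root or the intermediate, so a reader on the manual path cannot tell whether the same constraints apply; one sentence naming which certificate it is would close that.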
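Review bot: in the Home.md hunk `@@ -28,18 +15,7 @@`, the added line `+ - [ACME](./ACME)` has a leading space before the `-`, unlike its siblings `- [upterm](https://upterm.thalheim.io/)` and `- [jitsi](https://jitsi.lassul.us/)`, so it may render as a nested or continuation item rather than a top-level entry; drop the leading space. The link is also the only one in this list written as a relative path (`./ACME`) while the neighbouring wiki entries use absolute URLs such as `<http://cgit.ni.r/wiki>`; make sure the relative form resolves wherever this wiki is mirrored.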
