blob: 2ffb062bbf3d56ca1244a02b54b126006f5137d9 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
{
config,
serverphone,
system,
lib,
...
}: {
# FIXME: Reactive this module, when serverphone is working again <2024-05-11>
config = lib.mkIf config.soispha.secrets.enable {
age.secrets = {
serverphoneCa = {
file = ./private_keys/ca.key;
mode = "700";
owner = "serverphone";
group = "serverphone";
};
serverphoneServer = {
file = ./private_keys/server.key;
mode = "700";
owner = "serverphone";
group = "serverphone";
};
};
};
services.serverphone = {
package = "${serverphone.packages.${system}.default}";
enable = true;
domain = "localhost";
configureDoas = true;
acceptedSshKeys = [
"AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME"
];
authorized = {
acceptedGpgKeys = [
{
source = ./keys/key_1;
trust = "ultimate";
}
{
source = ./keys/key_2;
trust = "ultimate";
}
];
};
caCertificate = "${./certificates/ca.crt}";
certificate = "${./certificates/server.crt}";
privateKey = config.age.secrets.serverphoneServer.path;
certificateRequest = {
acceptedUsers = [
"soispha $argon2id$v=19$m=19456,t=2,p=1$EvhPENIBqL5b1RO5waNMWA$pJ8vDrCNJKDlqwB5bVDLjHVPEXm9McQhtt9OXSD8Zkc"
];
caPrivateKey = config.age.secrets.serverphoneCa.path;
};
};
users.users.serverphone = {
group = "serverphone";
isSystemUser = true;
home = "/run/serverphone";
};
users.groups.serverphone = {
members = ["serverphone"];
};
};
}
|
