# Sets up a PKI certificate chain using step-ca

This service is experimental and will change in the future.

This service sets up a certificate authority (CA) that can issue certificates to
other machines in your clan. The `ca` role is used for this.
It additionally provides a `default` role that can be applied to all machines
in your clan and makes sure they trust your CA.

The following configuration adds a CA for the top-level domain `.foo`. If
the machine `server` now hosts a web service at `https://something.foo`, it will
get a certificate from `ca` that is valid inside your clan. The machine `client`
will trust this certificate when it makes a request to `https://something.foo`.
Note that the trust is scoped to the clan: only machines carrying the `default`
role trust the CA, so any other client will reject the certificate as issued by
an unknown authority.

This clan service can be combined with the `coredns` service for easy-to-deploy,
TLS-secured clan-internal service hosting.
```nix
inventory = {
  machines.ca = { };
  machines.client = { };
  machines.server = { };
  instances."certificates" = {
    module.name = "certificates";
    module.input = "self";
    roles.ca.machines.ca.settings.tlds = [ "foo" ];
    roles.default.machines.client = { };
    roles.default.machines.server = { };
  };
};
```

## Roles

The certificates service has the following roles:
### ca

Email address for account creation and correspondence from the CA. It is recommended to use the same email for all certificates to avoid account-creation limits.

Type: string
Default: `"none@none.tld"`
Declared in: clanServices/certificates/default.nix

When the issued certificates should expire.

Type: null or string
Default: `"8760h"` (one year)
Declared in: clanServices/certificates/default.nix

Top-level domains for this CA. Certificates will be issued and trusted for `*.<tld>`.
The description states that this defaults to `[ config.clan.core.settings.tld ]`; the declared default shown below is the empty list.

Type: list of string
Default: `[ ]`
Declared in: clanServices/certificates/default.nix

### default

Email address for account creation and correspondence from the CA. It is recommended to use the same email for all certificates to avoid account-creation limits.

Type: string
Default: `"none@none.tld"`
Declared in: clanServices/certificates/default.nix