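# NixOS module: run a step-ca certificate authority on this host.
#
# The CA material (root and intermediate certificates plus the intermediate
# key) comes from ./step in this repository; the checked-in ca.json is merged
# with the store paths of those files and a host-local badger database.
{ flake, pkgs, lib, config, ... }:
{
  imports = [
    flake.self.nixosModules.home-manager
    flake.self.nixosModules.core
    ./global.nix
  ];

  # Password file for the intermediate CA key, created by systemd-tmpfiles.
  # 0600 replaces the previous 1777, which left the password readable and
  # writable by every local user. The path is consumed through
  # services.step-ca.intermediatePasswordFile; the NixOS module hands it to
  # the service as a systemd credential, so root-only access is sufficient
  # (confirm against the module version in use).
  # NOTE(review): the password itself is still a literal in this file and thus
  # in the world-readable Nix store, and the 10d age field lets
  # `systemd-tmpfiles --clean` remove the file on a long-running host, after
  # which the service cannot restart. Provision it from a secrets manager
  # instead of this rule.
  systemd.tmpfiles.rules = [
    "f /tmp/step-ca-intermediate-pw 0600 root root 10d password"
  ];

  services.step-ca =
    let
      # Copy the checked-in certificates and key into a store path so the
      # service can reference them by absolute path.
      # NOTE(review): this also places secrets/intermediate_ca_key in the Nix
      # store, which every user on the host can read (and any binary cache it
      # is pushed to will receive). Keep the private key out of the derivation
      # and load it from state or a secrets manager instead.
      certificates = pkgs.stdenv.mkDerivation {
        name = "certificates";
        src = ./step;
        installPhase = ''
          mkdir -p $out;
          cp -r certs $out/
          cp -r secrets $out/
        '';
      };
    in
    {
      enable = true;
      # Listen on all interfaces and open the firewall for the configured port.
      openFirewall = true;
      intermediatePasswordFile = "/tmp/step-ca-intermediate-pw";
      port = 443;
      address = "0.0.0.0";
      # Start from the checked-in ca.json and override the file locations and
      # the database so they point at this host. `//` is a shallow merge: the
      # whole `db` attribute from ca.json is replaced, not merged.
      settings = (builtins.fromJSON (builtins.readFile ./step/config/ca.json)) // {
        root = "${certificates}/certs/root_ca.crt";
        crt = "${certificates}/certs/intermediate_ca.crt";
        key = "${certificates}/secrets/intermediate_ca_key";
        db = {
          type = "badgerv2";
          dataSource = "/var/lib/step-ca/db";
        };
      };
    };
}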