33 lines
1.0 KiB
Markdown
This service sets up a certificate authority (CA) that can issue certificates to
other machines in your clan. For this the `ca` role is used.

It additionally provides a `default` role that can be applied to all machines
in your clan and will make sure they trust your CA.

## Example Usage

The following configuration would add a CA for the top level domain `.foo`. If
the machine `server` now hosts a web service at `https://something.foo`, it will
get a certificate from `ca` which is valid inside your clan. The machine
`client` will trust this certificate when it makes a request to
`https://something.foo`.

This clan service can be combined with the `coredns` service for easy-to-deploy,
SSL-secured clan-internal service hosting.

```nix
inventory = {
  machines.ca = { };
  machines.client = { };
  machines.server = { };

  instances."certificates" = {
    module.name = "certificates";
    module.input = "self";

    roles.ca.machines.ca.settings.tlds = [ "foo" ];
    roles.default.machines.client = { };
    roles.default.machines.server = { };
  };
};
```
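The trust relationship the configuration above sets up can be checked locally with plain `openssl`. The script below is an added example and not part of the clan `certificates` service: it builds a throwaway CA (standing in for the `ca` role), issues a certificate for `something.foo`, and shows that the certificate verifies only against that CA and not against an unrelated one (a client without the `default` role). The CA names `clan-ca` and `other-ca`, the working directory and the one-day validity are assumptions made for the demonstration; the hostname `something.foo` is the one from the page.

```shell
#!/bin/sh
# Added example: model the clan `ca` / `default` roles with plain openssl.
# One CA signs a leaf certificate for something.foo; only a verifier that
# trusts that CA accepts the certificate. Names and paths are assumptions.
set -eu

WORK=$(mktemp -d)

# make_ca NAME: create a self-signed CA key pair as $WORK/NAME.key / NAME.crt
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA HOST: have CA sign a leaf certificate for HOST with a DNS SAN,
# which is what a TLS client checks the requested hostname against
issue_cert() {
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -days 1 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# trusted_by CA HOST: print "yes" if HOST's certificate chains to CA and its
# SAN matches HOST (the same two checks a browser or curl performs), else "no"
trusted_by() {
  if openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
       "$WORK/$2.crt" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

make_ca clan-ca        # the clan's CA (the `ca` role)
make_ca other-ca       # an unrelated CA, to show the certificate is clan-internal
issue_cert clan-ca something.foo

echo "client trusting clan-ca:  $(trusted_by clan-ca something.foo)"   # yes
echo "client trusting other-ca: $(trusted_by other-ca something.foo)"  # no
```

The second line is the failure mode to keep in mind: a machine that is not part of the `default` role has no reason to trust `ca`, so requests to `https://something.foo` from it will fail certificate validation even though the service is reachable.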