# generate intermediate certificate with generate-krebs-intermediate-ca
{ config, lib, pkgs, ... }: let
  domain = "ca.r";
in {
  security.acme = {
    acceptTerms = true; # kinda pointless since we never use upstream
    email = "spam@krebsco.de";
    certs.${domain}.server = "https://${domain}:1443/acme/acme/directory"; # use 1443 here cause bootstrapping loop
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts.${domain} = {
      addSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "https://localhost:1443";
      };
      locations."= /ca.crt".alias = ../6assets/krebsAcmeCA.crt;
    };
  };
  krebs.secret.files.krebsAcme = {
    path = "/var/lib/step-ca/intermediate_ca.key";
    owner.name = "root";
    mode = "1444";
    source-path = builtins.toString <secrets> + "/acme_ca.key";
  };
  services.step-ca = {
    enable = true;
    intermediatePasswordFile = "/dev/null";
    address = "0.0.0.0";
    port = 1443;
    settings = {
      root = pkgs.writeText "root.crt" config.krebs.ssl.rootCA;
      crt = pkgs.writeText "intermediate.crt" config.krebs.ssl.intermediateCA;
      key = "/var/lib/step-ca/intermediate_ca.key";
      dnsNames = [ domain ];
      logger.format = "text";
      db = {
        type = "badger";
        dataSource = "/var/lib/step-ca/db";
      };
      authority = {
        provisioners = [{
          type = "ACME";
          name = "acme";
          forceCN = true;
        }];
        claims = {
          maxTLSCertDuration = "2160h";
          defaultTLSCertDuration = "2160h";
        };
        backdate = "1m0s";
      };
      tls = {
        cipherSuites = [
          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        ];
        minVersion = 1.2;
        maxVersion = 1.3;
        renegotiation = false;
      };
    };
  };
}