From ff7510107dada7a14904621d210c2e38afae90b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Thu, 30 Oct 2025 07:49:50 +0000
Subject: [PATCH] golinks

---
shared/certs/go.cnf | 16 +++++++++
shared/certs/go.key | 28 +++++++++++++++
shared/certs/go.pem | 25 +++++++++++++
shared/certs/motiejus-golinks-ca.cnf | 17 +++++++++
shared/certs/motiejus-golinks-ca.key | 52 ++++++++++++++++++++++++++++
shared/certs/motiejus-golinks-ca.pem | 31 +++++++++++++++++
shared/home/default.nix | 4 +++
shared/work/default.nix | 20 +++++++++++
8 files changed, 193 insertions(+)
create mode 100644 shared/certs/go.cnf
create mode 100644 shared/certs/go.key
create mode 100644 shared/certs/go.pem
create mode 100644 shared/certs/motiejus-golinks-ca.cnf
create mode 100644 shared/certs/motiejus-golinks-ca.key
create mode 100644 shared/certs/motiejus-golinks-ca.pem

diff --git a/shared/certs/go.cnf b/shared/certs/go.cnf
new file mode 100644
index 0000000..8c9f650
--- /dev/null
+++ b/shared/certs/go.cnf
@@ -0,0 +1,16 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+CN = go.
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = go.
diff --git a/shared/certs/go.key b/shared/certs/go.key
new file mode 100644
index 0000000..dd4c6dc
--- /dev/null
+++ b/shared/certs/go.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC+5uMkg44TIR1A +I5VQUTZ1PRDjti81QSS4PffFxK/PFGFcS9QaipK3CrYHqWExRae/y2MCUSChYW5R +E2aWul+m7fkDan7MI39WfYivPnIqeCJ5s5qQkzeceKXQqIVUO6CS/yv5Ki66NbQr +qp4aBuMc7sVR9cGuNwfMwrizToHN75V1GlWSQMX+bD3R3xvUknsnJTZxbvDSQmve +QnrpPrlvDjLdih4Xfdqy/2OtFEsQdCjDRxtygrMnsd1Ls6fW5kXmlosUVL0KDRD7 +xEOK+M++I19L2Ih+Y9bD0SKbkb3Ysh0ZYBK0v0bEviC8CZUjnQ+AAhuyrWMpIf3u +HKx0EGQNAgMBAAECggEABFH/BPtch+6ha1YC0eOsoFWb9WimQ9sauiKzjKG+utMt +auR6bd6sowDWjXDWDBfqoSAODbuJSgMFofHBn2/4rIiehecZ7IPHJM1y053Nq/a2 +Ylu1XUfqTnEP4PDXZ53GggfNVnZlF/4RevAsY3lmwr0H8Sq8fIqungHazTqzHFZ2 +0ohw1s761DqM9RVakasSaghkvUnOc9pqglcXtFDYCl+vpFOe1NTe+DqASI0KXobG +hL4FjxFwgBlq1tJlDg78ADFggH0EenEj3thgnpZ+R4NoTE+KJLoL69cEVaINszS1 +U4NeNMlI8EtfVF+WGg5AbbnsYACvOto9fgncd8x2TwKBgQD2LZAUJNkGl45F5qls +9xO1shsM9TqC20K/lBowk+kSTKBAasYvtVgBci7hyVZ/SQnB6BxIYo1HQuRcDKVO +tLQl9Fwkvpaj73dK98PRINMz8itpEOBVeG8Fb9UtDQtJ4CMwJdxH54YcDDHfT4oh +VQp/alujLg5AeETOnA1fSQsOUwKBgQDGhL17wM3ZBrgFYzOr/BRKFcRTXiKUvo0d +4E4VN0sQAtyGmPsForlmzL5aaXQM7N/Zzp4odPX8J6wPJIy+fR9UW70kZRJ6bjhI +kGabCj8BFc+ML27fSxR+YgEqLMsXfzR5yU73ZKCEhMVHmFqMWYPWMblTGsbLUXoU +YAInVxq4HwKBgHP74X7sIWgOrZRXaYmSGzImuMHxI+EVJqyWPYSXm17oxTO0Wq2N +leoQfvAX6O3NXpCCKBkefYuOg4Ku3o9nadzb9THGrbiNETo744E7Iua9eSBmOBts +w3nfR6OTGrdyp4F+xPsHpNLAGBsrIVw08d44IPaPs11CjMB/G3nCMzhLAoGAbRDk +oacN8Rx14c/cxbKa2xEWac8gJKSEF1Py0kksnkFUM0a9Mx1xyv7V3gptzeQeICYa +UpPfyYdqSm+EO+u2WLyGMAavnkAMACIFnUyFzOzUuGoe+eLgAYeKqEcv1Vr306k8 +D0NjxSrE0E7uAIn1mqp67SOa8H11GticlkyOy3UCgYEA8RNIcJUdVyGuVTYF89hC +zGGvlwS1dA7GrwW4sFMIdLMiZe7y+PSNwIHyXc9nSkWXcnB/Ca5RI4qdUiwf9uWq +hVusJCIhbLK+ga+vMbIfbz46wegRSxXJWP5dTJ8ePwpVpxcToCDD4eEiZ7cYZVS0 +XwX6CirLq4W/GDPS7Pm6KK0= +-----END PRIVATE KEY----- diff --git a/shared/certs/go.pem b/shared/certs/go.pem new file mode 100644 index 0000000..49e0c98 --- /dev/null +++ b/shared/certs/go.pem 
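Review bot: A plaintext private key does not belong in the repository, and this hunk checks one in; the later hunk for shared/certs/motiejus-golinks-ca.key does the same for the CA key whose certificate shared/work/default.nix adds to the system trust store. Anyone with read access to the repository or its history can therefore impersonate `go.` to any machine that trusts this CA. The critical name constraint in motiejus-golinks-ca.cnf narrows the exposure to the `go.` name space, but only on clients that enforce name constraints, which is worth confirming for the ones in use. nginx needs only go.pem and go.key, so the CA key can be removed from the tree after signing and kept offline, and go.key is better generated per host or delivered through a secrets mechanism than committed. Both keys should be treated as disclosed and regenerated once they have been pushed.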
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEOTCCAiGgAwIBAgIUH5ZOdVYVjcSYRIegEStwDenAEsUwDQYJKoZIhvcNAQEL +BQAwHjEcMBoGA1UEAwwTbW90aWVqdXMtZ29saW5rcyBDQTAeFw0yNTEwMzAwNzQ2 +MDNaFw0zNTEwMjgwNzQ2MDNaMA4xDDAKBgNVBAMMA2dvLjCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAL7m4ySDjhMhHUAjlVBRNnU9EOO2LzVBJLg998XE +r88UYVxL1BqKkrcKtgepYTFFp7/LYwJRIKFhblETZpa6X6bt+QNqfswjf1Z9iK8+ +cip4InmzmpCTN5x4pdCohVQ7oJL/K/kqLro1tCuqnhoG4xzuxVH1wa43B8zCuLNO +gc3vlXUaVZJAxf5sPdHfG9SSeyclNnFu8NJCa95Ceuk+uW8OMt2KHhd92rL/Y60U +SxB0KMNHG3KCsyex3Uuzp9bmReaWixRUvQoNEPvEQ4r4z74jX0vYiH5j1sPRIpuR +vdiyHRlgErS/RsS+ILwJlSOdD4ACG7KtYykh/e4crHQQZA0CAwEAAaN/MH0wCQYD +VR0TBAIwADALBgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0R +BAcwBYIDZ28uMB0GA1UdDgQWBBQuK4AX3fXps3iX4b12J2uRdIzROTAfBgNVHSME +GDAWgBSNCoj72IG1nuTNdT09j4HZ1YY9ADANBgkqhkiG9w0BAQsFAAOCAgEAbLA1 ++nkpvfW30TrufgG1HxR0vJatCthbSkfkbdmCupYyRIveCnQzTIYH2CtSRlyPiq6s +gtgxizv1y8rsthqbIJ1Cx/lEmiv5kVQtOgAAyv6sdHjtfnaGtP2SQAZvb79dGXJB +swHOeHTCkS+qgRTYTs/u0ITWamclD+c8mb2m8gHlnSy6g7sdNGessHYviZ/7PfFP +/ENqrmj+5T+c06+xwwhGgn2gqO9tMFt6tfZrN2f0Y/w+ynO6/yBzk3VZFRjMFb7s +UO01SwDcNOHzno6jaSND7XKOUwzOIs5hyZHyG74c8ZAI/z5wSD9wFISJ1nfo2tAO +uGHnpk6dGLHDyM+Rf5Opm9MZJbJ1RlSKFiQmS5iMZ1zqZVBH820Psvi8zdE74VoX +oBlxWdnIPdMc1q0bQrV5Ktovy9cyH7mMlZiJuu73NwEMnDrFqCGXzQQDE9GLaUhd +VLSBP3dxYucQCE/wDWTylV8AKaqytddwZ3rJl63b+p34OpVKqGtaoDxg7YwVHQAO +3ClOg9yBsoUfoA1+Z9uwtz8xPriAY5NFpC7FdvJMa3m7ty7HM3dkFw1O9LO/+r7s +sJI0Jmx2sBOjMG+XUe6fTYa+tfDNWbJSRbMro4AyHJ3OTy5l4gfzt+7FM6hfCtXa +99Z0VD6R1Dbl6mhD0KzR7YmAGbYpYtbIw6mG498= +-----END CERTIFICATE----- diff --git a/shared/certs/motiejus-golinks-ca.cnf b/shared/certs/motiejus-golinks-ca.cnf new file mode 100644 index 0000000..fdc2bde --- /dev/null +++ b/shared/certs/motiejus-golinks-ca.cnf 
@@ -0,0 +1,17 @@
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+prompt = no
+
+[req_distinguished_name]
+CN = motiejus-golinks CA
+
+[v3_ca]
+basicConstraints = critical,CA:TRUE
+keyUsage = critical,keyCertSign,cRLSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+nameConstraints = critical,@name_constraints
+
+[name_constraints]
+permitted;DNS.1 = go.
diff --git a/shared/certs/motiejus-golinks-ca.key b/shared/certs/motiejus-golinks-ca.key
new file mode 100644
index 0000000..4aad5da
--- /dev/null
+++ b/shared/certs/motiejus-golinks-ca.key
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDkwc0c9yd55KQV +a9ZUof+08lRkv5Bk5dO3lmkWt7PmGvieRILhpNhudVRokLEi5Z2eunShV6ctjh+h +K11od5EQkwsJ5RYfdsldFwN+mAmqvkh+Vu26t/Z/lSM7aINjb3Npcy/NonkpTcf6 +VLcAlZFdGqVBJEJyTUv1vi/JWk7jRSUh37Q22XanB8vY1kyl+vCcw66InCr0B4+r +AORbiUqdsiPTSKfwHWMobar7LAqX3WQfGPb0qjmiVuDmkL17B9kjsd4s42/n2XID +BwSz1My8cAHMq+wNHOTbAd8e0W8b4Vh9Ffy41vcnU+idv7CNyDynGuJEO0dQTCSJ +XVkNKL9lCVIel+6H8sEp3kOKfqyKS7gGK/n4E9lj5O0n8iA4nkqB1ZbrQ0KOLQvH +P6z9nDbU+VJl06p5QZStK66NYwXfXZ7j4Evw2OeW4zly5AoCBz1SbXGOxDF8RTJY +LnBH9gwUGq3Bz7MdW1VGjji4jN1fEDJaEjovOzD6KKfRdp4agx9igHSi/aZRJF1M +XzH+CDVQV0XjpadV9O1v34Rkl/z04GToEgK1gXYMbYZXPvlibo1ho6nPvPl5lN18 +xZJFhonRHjzMh8jHTBX7VOItrmJjDzX8npMk/T3dmzJ2pMO3V3CDcnYdDXS+9+X7 +i4DBaJ8MZpbB5hDHuFiXom+iGE/9OQIDAQABAoICAA7UGj/xrIMsBU/nKuBXFPyN +hdd3DHzh4gjBTQQeOeDlaC7YOZS3axkz7VoO4RCmSkKfCw7nX+ylzRqVNUufjo2A +vqMwULAO8uwgIQecgunoxkm8SFJFeQrZp8xC0NuJ/rT79MITcV+yTU+GnMtCpsbe +go5Xs5/1r0IZhz755em5Enhg6C1zCMw4hugCMjtDKkQ7Mg3kc6tYbyFyYBsn6eiR +gt2AFPTNbt9QxpfcCb7A6OvUIjQHcc96ar8/bCz0vAhikAigYKFqmMel9ZHTrkbb +yt4R2e4arKIeu7AjetyXjbUkDvsLYj+QIqDRK3hxXa8mYLr0DcIggXDPFoXyGX/r +ixfVTDUGgAxbZq3YUPKUjLOwDFZkk1Hxcee7mNPgCwFLFus7bjOTTW0wAah4hzFQ +pz/yjE5rAoQh+89mb6jUWG5KciSRA5ZbIQynYR2nk35VdV2U0k6xDLH4hv2+FP12 +22cmT44ns11VfYiCXktE27NxGn4iP/dDJVz8Gds7AXCNA5gQc0SYOUSdrmyHXzx0 +RaO5AKLhizH5JBHTwvFR3DBdg+ZiROjCbJMibLUy8uAmBHZbORqbaeOWMbFvZC3x +F3XFEMBQivxCTpJotTyi9JEH8yz3PKM1FXzxlfFsXkSclEtu/3OaWEdCruQE0ksj +wKiVKjf57/HOZ2ol/b6VAoIBAQD2PiVSaESy8w0ABPuBmCUP+g1I/7JFubSsKV0g +fALe5upb8eXRDym5BbT4EA+gMvP7RfxXCZKeTNRnG001dRx1dNOc6Nhg3Rjb6gPx +paIYyMeJNzRB+xJgLu9ZXboLslA/cEnZRNcR1DpGrKOPmzDhSkUmFFjBNQoIPiMq +nJEz0MBXWJg8dESS5zzcJgZaDhj3gIhCiX1+843ZZ+71YAPBrWaoWUEHCw7haYQc +uO6ZHdik2B+WJVk+G09YI4cyOpcZxBlrHVUwo1UJvDmJ3iiAWikZKXKXD0s5CGyS +JEVDtxtQ9CGTRXN+P4iiTGzNZLm5AMwn9qwwe/Stx4nSsYztAoIBAQDt0khW5Fq8 ++drqoCpDnI80Z0nvvHbkbBfY8gBE/Z9gVf9ywx3ruCFHLM3fnQV5gxUU2mACDyn1 
+nXAJK3HRRgXXK5tlbEjVUHooq4JDtkBIiQGbWK1TK9J4NJh4NsT9H2pZZxPq/8ZP +Mo6dowLPzdrlA7FicT0wt4bn3b++jhK2DjJpN7JZtXlDTAnw3k7MbtiN6NIEBQKl +qtnLDb4u+QOxJfqVYTWOc6qIs+xl26j1agutBj4VS5orMNCjD/JQS5dIpYqhd3ar +VLZV0xFlqfnbc74obyPzFDJBVz9xlaNCuwzQ3swUhI6KudyBCSRXHXXxSPzRl9ER +6E/03olixrP9AoIBAH0p2Y6psUHEiTcZUT3uN+iHEXmpftQyMMPRwqRgZJUoirdx +nX9GVc7WN8ZfY5HqVFnEmR8knoIYS16dYgFqJa0OVQHM2S9jMt+Vc6vApUQzyjjU +9psTI6QAN2kVWxvW5zNXwDHP7AID/hsuZXT5TT82oS9Z6ENM0myeKQHf026jDSFY +xwjzkGebYjQEn/XmdIpZquknOcLtyYxYZ/4Rb9dibGvl8kfCNy4clCqFVcI+iYBA +2s1W7qXC+/GxHWdKoMNYChOINWUjoHXyVszdP3j+WyWPC8/81h+HSKiABzUEPb5I +WUiiZLInWSwl7Kf6Kuz+msc1exCp8RTj+ApAdYECggEBANcmCs2ZLsGRpEvoc/PQ +ufkljEz3CfQiGfzpCfdgHwQPKNcQz4vFe02hqeonaqGARd0kpgCW6VXLhWS2SfSS +TYxYZe/+Y3GfqbQLXQCW61bzo2F/euYoWfLnWhw/KDz6Y8LXrrxFgol5am4P3+ZR +DDts+NffLAVbsw8mnGXur9zFwTNQ8OeZdke8ja274Duv9/eB7iU2xytLAldhanGi +U4W6nxTu6X2jBF9BrpaDfznuIvv4DshDKgjy030BWyzrBcTyBhWHNvNO4tmH5lA7 +0s+GyTxZN4Ob/M8B+GJwhk9DWxfGx4e0WCQGewa9V4P8IgwUBKw0lS6HJXaYsF+M +9Z0CggEBAIDc+795nmVLTQYKzm7hjYV7NmwyY9b3Gr87IBE7xS3P/tXvGkYwA7mW +ku/HCco3ctK4lo/VxwaHDBDskFV/4l9FbEA8SJ7IAvbewqaNplz1Udm/QNl3wm1f +ASuVfdbr9m/j97q+0w6A8pI93YBBGSg4YAXqLy7y5V2Fn6JvwzygCM7MtS8ZxVCu +v0cArTHw0WxZxPcErVojgVWyZJ9B60/kL9ApCEfl1LXHg5dfUXTp4AwtNL8uD7CI +EixfOaktYMWj2Atdu9Sa+gbFsY7XrTOUbgAWDQ5b4tm6Hl6mMIi8eKQCUsdncmeT +MftO6qbHGuL3zSqsiI/PqhvJiPTQYCY= +-----END PRIVATE KEY----- diff --git a/shared/certs/motiejus-golinks-ca.pem b/shared/certs/motiejus-golinks-ca.pem new file mode 100644 index 0000000..c469223 --- /dev/null +++ b/shared/certs/motiejus-golinks-ca.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFRDCCAyygAwIBAgIUHPaf6+jl7ZaDaLZx6ssIAw+8AtAwDQYJKoZIhvcNAQEL +BQAwHjEcMBoGA1UEAwwTbW90aWVqdXMtZ29saW5rcyBDQTAeFw0yNTEwMzAwNzQ1 +MzhaFw0zNTEwMjgwNzQ1MzhaMB4xHDAaBgNVBAMME21vdGllanVzLWdvbGlua3Mg +Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDkwc0c9yd55KQVa9ZU +of+08lRkv5Bk5dO3lmkWt7PmGvieRILhpNhudVRokLEi5Z2eunShV6ctjh+hK11o +d5EQkwsJ5RYfdsldFwN+mAmqvkh+Vu26t/Z/lSM7aINjb3Npcy/NonkpTcf6VLcA +lZFdGqVBJEJyTUv1vi/JWk7jRSUh37Q22XanB8vY1kyl+vCcw66InCr0B4+rAORb +iUqdsiPTSKfwHWMobar7LAqX3WQfGPb0qjmiVuDmkL17B9kjsd4s42/n2XIDBwSz +1My8cAHMq+wNHOTbAd8e0W8b4Vh9Ffy41vcnU+idv7CNyDynGuJEO0dQTCSJXVkN +KL9lCVIel+6H8sEp3kOKfqyKS7gGK/n4E9lj5O0n8iA4nkqB1ZbrQ0KOLQvHP6z9 +nDbU+VJl06p5QZStK66NYwXfXZ7j4Evw2OeW4zly5AoCBz1SbXGOxDF8RTJYLnBH +9gwUGq3Bz7MdW1VGjji4jN1fEDJaEjovOzD6KKfRdp4agx9igHSi/aZRJF1MXzH+ +CDVQV0XjpadV9O1v34Rkl/z04GToEgK1gXYMbYZXPvlibo1ho6nPvPl5lN18xZJF +honRHjzMh8jHTBX7VOItrmJjDzX8npMk/T3dmzJ2pMO3V3CDcnYdDXS+9+X7i4DB +aJ8MZpbB5hDHuFiXom+iGE/9OQIDAQABo3oweDAPBgNVHRMBAf8EBTADAQH/MA4G +A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUjQqI+9iBtZ7kzXU9PY+B2dWGPQAwHwYD +VR0jBBgwFoAUjQqI+9iBtZ7kzXU9PY+B2dWGPQAwFQYDVR0eAQH/BAswCaAHMAWC +A2dvLjANBgkqhkiG9w0BAQsFAAOCAgEAqxskNsIvZCe2FcSs+gy9UW2u0Y4/Rh2B +SWm5ekTLUTTWDW58RBDbH2PAQRceCMXakQgAj83SX7ENII5m+XOR2een5jx/6jqR +p+5FisfQUok7oaPUcnwQeXZ8xoNCxHbUtLjbWOxxcpH6PheJZX0Xz31VX3reBbUD +OZzaPr5VJH1oIJmuAoLNNW0InJnCrKRTGu+XFmE0kRlLlAfQGvQDkOoP52+RZIeA +aItt6+QUbwKQeaM0i353ymvJkDpcWSmxtoxOK/3e04VXVZQswwQQ1/34pGYtafKp +uf4zLQGD/X4zIGx62IwbQrG/2xq+P4iAq/dej4zqIrj+lkeg58ZiS0SOAHnCclHd +VtYMzoTQ2l9YQjORHHsP1xlQ5CQ4mqj8oUthZ5/+0TpoZ0lnOiQkUzbwkJw76TYw +qbYoBI040e+KtDXyPHFbkqTgVrGMuxToXWuvMik2ICxjE+G11cX2UW8MuePrIAFf +wBzGsyscbk5Bl6imX+Xgeb+uZYXwUd0Nx6XJlSfe7idqcGdSq+7SmbgUyml9IqAe +C9ypRbcaJv7HFi5VQlUBoiGbYo+6nx7dsqDK4JV6sAEWTH1chV00Lhwwp+AHhOcR +66U/ArEbKS439596cFNvnW4pm/les3DyE+4nSAgbbohT90n6RrTpsQsTISdcSEsA +fY8fzy365O8= +-----END CERTIFICATE----- 
diff --git a/shared/home/default.nix b/shared/home/default.nix index 5c6bb0b..404d030 100644 --- a/shared/home/default.nix +++ b/shared/home/default.nix @@ -93,6 +93,10 @@ in "layout.css.prefers-color-scheme.content-override" = 0; "signon.management.page.breach-alerts.enabled" = false; "signon.rememberSignons" = false; + + # go/ + "security.enterprise_roots.enabled" = true; + "browser.fixup.domainwhitelist.go" = true; }; extensions.packages = with pkgs.nur.repos.rycee.firefox-addons; [ bitwarden diff --git a/shared/work/default.nix b/shared/work/default.nix index fdcbb55..3520c07 100644 --- a/shared/work/default.nix +++ b/shared/work/default.nix @@ -5,6 +5,26 @@ wrapGo = true; }; + security.pki.certificateFiles = [ ../../shared/certs/motiejus-golinks-ca.pem ]; + + networking.hosts."127.0.0.1" = [ + "go" + "go." + ]; + + services.nginx = { + enable = true; + virtualHosts."go." = { + listenAddresses = [ "127.0.0.1" ]; + addSSL = true; + sslCertificate = "${../../shared/certs/go.pem}"; + sslCertificateKey = "${../../shared/certs/go.key}"; + locations."/".extraConfig = '' + return 301 https://golinks.io$request_uri; + ''; + }; + }; + environment.systemPackages = with pkgs; [ #swc turbo
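Review bot: The `# go/` comment in the shared/home/default.nix hunk does not say that `"security.enterprise_roots.enabled" = true` is a global trust change rather than something scoped to the golinks CA. As far as I know the pref makes Firefox accept roots taken from the OS store in general, so any CA later added there is trusted by the browser too. I would spell that out, e.g. `# go/: trust OS-store roots in Firefox (needed for the golinks CA; applies to every root there) and treat "go" as a hostname, not a search`. The enclosing settings attribute set starts above the hunk.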
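Review bot: In the shared/work/default.nix hunk, `sslCertificateKey = "${../../shared/certs/go.key}"` interpolates a path, so Nix copies the private key into the store, where it is readable by every local user and travels with the closure. Point the option at a runtime path outside the store instead, e.g. `sslCertificateKey = "/run/keys/PLACEHOLDER-go.key";` (placeholder path, to be provisioned by whatever secrets mechanism this repo uses), readable by the nginx user only. The same hunk adds the CA to `security.pki.certificateFiles`, which is system-wide trust; a one-line comment noting that the CA is name-constrained to `go.` would help the next reader judge that. The enclosing attribute set starts and ends outside the hunk.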