From 4b768f6a11e8a70ae7473b42458de5d5ee5f55b5 Mon Sep 17 00:00:00 2001
From: s0me1newithhand7s
Date: Sun, 3 May 2026 15:56:54 +0300
Subject: [PATCH] kyra(hardening): step-ca init

Signed-off-by: s0me1newithhand7s
---
kyra/services/step-ca.nix | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 kyra/services/step-ca.nix

diff --git a/kyra/services/step-ca.nix b/kyra/services/step-ca.nix
new file mode 100644
index 0000000..8d5c7e2
--- /dev/null
+++ b/kyra/services/step-ca.nix
@@ -0,0 +1,28 @@
+{config, ...}: {
+ services = {
+ step-ca = {
+ enable = true;
+ address = "[::]";
+ port = 8443;
+ intermediatePasswordFile = config.sops.secrets."stepPass".path;
+
+ settings = {
+ dnsNames = [
+ "ca.hand7s.org"
+ ];
+
+ authority = {
+ provisioners = [
+ {
+ type = "ACME";
+ name = "cloudflare";
+ claims = {
+ enable_dns_01 = true;
+ };
+ }
+ ];
+ };
+ };
+ };
+ };
+}
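Review bot: In the ACME provisioner, `claims.enable_dns_01 = true` does not look like a claim step-ca recognises. Claims carry certificate durations and renewal flags, and as far as I know an unknown key is ignored when ca.json is parsed, so the provisioner would keep its default challenge set instead of being limited to DNS-01. If the intent is to accept only DNS-01 validation, set it on the provisioner itself with `challenges = ["dns-01"];` and drop the `claims` block. Separately, `address = "[::]"` listens on every interface, so if the CA is only meant to be reached from an internal network or through a proxy, bind it to that address or confirm that the firewall rule for port 8443 is scoped elsewhere in the host config. The new file also sets no `root`, `crt`, `key` or `db` under `settings`; presumably another module supplies them, but that is worth confirming because the ACME provisioner needs a database to track orders.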