kyra(hardening): step-ca init

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>

kyra/services/step-ca.nix

@@ -0,0 +1,28 @@
+{config, ...}: {
+  services = {
+    step-ca = {
+      enable = true;
+      address = "[::]";
+      port = 8443;
+      intermediatePasswordFile = config.sops.secrets."stepPass".path;
+
+      settings = {
+        dnsNames = [
+          "ca.hand7s.org"
+        ];
+
+        authority = {
+          provisioners = [
+            {
+              type = "ACME";
+              name = "cloudflare";
+              claims = {
+                enable_dns_01 = true;
+              };
+            }
+          ];
+        };
+      };
+    };
+  };
+}