2022-03-06 22:26:49 +00:00
|
|
|
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
|
|
|
|
#
|
|
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
{ pkgs, config, depot, lib, ... }:
|
|
|
|
let
|
2022-03-07 00:52:03 +00:00
|
|
|
inherit (lib) mkOption types mkBefore optionalAttrs mkDefault;
|
|
|
|
|
|
|
|
acmeCertificates = lib.mapAttrsToList (name: cOrig: cOrig // { inherit name; }) config.my.vault.acmeCertificates;
|
2022-03-06 22:26:49 +00:00
|
|
|
|
|
|
|
# Work out where we're being asked to write things, and which groups, so we can correctly get permissions.
|
2022-03-06 23:01:51 +00:00
|
|
|
fullchainPath = c: pathFor c.fullchain c "fullchain.pem";
|
|
|
|
chainPath = c: pathFor c.chain c "chain.pem";
|
|
|
|
keyPath = c: pathFor c.key c "privkey.pem";
|
2022-03-06 22:26:49 +00:00
|
|
|
pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path;
|
|
|
|
|
2022-03-07 00:52:03 +00:00
|
|
|
isNginx = c: builtins.length c.nginxVirtualHosts > 0;
|
|
|
|
defaultGroup = c: if isNull c.group then if isNginx c then "nginx" else "acme" else c.group;
|
|
|
|
groupOrDefault = p: c: if isNull p then defaultGroup c else p;
|
|
|
|
|
|
|
|
reloadOrRestartUnits = c: (lib.optional (isNginx c) "nginx.service") ++ c.reloadOrRestartUnits;
|
|
|
|
|
|
|
|
acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [
|
|
|
|
(groupOrDefault c.fullchain.group c)
|
|
|
|
(groupOrDefault c.chain.group c)
|
|
|
|
(groupOrDefault c.key.group c)
|
|
|
|
]) acmeCertificates));
|
2022-03-06 22:26:49 +00:00
|
|
|
|
|
|
|
acmeCertificatesTemplate = builtins.concatMap (c: let
|
|
|
|
secretStanza = ''
|
|
|
|
secret "acme/certs/${c.role}" "common_name=${c.name}" "alternative_names=${builtins.concatStringsSep "," (builtins.sort builtins.lessThan c.extraNames)}"
|
|
|
|
'';
|
|
|
|
in [
|
|
|
|
{
|
2022-03-06 23:01:51 +00:00
|
|
|
# Certificate full chain
|
2022-03-06 22:26:49 +00:00
|
|
|
contents = ''
|
|
|
|
{{with ${secretStanza}}}
|
|
|
|
{{ .Data.cert }}{{ end }}
|
|
|
|
'';
|
2022-03-06 23:01:51 +00:00
|
|
|
destination = fullchainPath c;
|
|
|
|
perms = c.fullchain.mode;
|
2022-03-07 00:52:03 +00:00
|
|
|
command = let
|
|
|
|
grp = groupOrDefault c.fullchain.group c;
|
|
|
|
in pkgs.writeShellScript "post-${c.name}-crt" ''
|
2022-03-06 23:01:51 +00:00
|
|
|
sleep 1s # Cheap hack...
|
2022-03-07 00:52:03 +00:00
|
|
|
${lib.optionalString (grp != "") ''
|
|
|
|
chgrp "${grp}" "${fullchainPath c}"
|
2022-03-06 22:26:49 +00:00
|
|
|
''}
|
|
|
|
${lib.concatMapStringsSep "\n" (x: ''
|
|
|
|
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
|
2022-03-07 00:52:03 +00:00
|
|
|
'') (reloadOrRestartUnits c)}
|
2022-03-06 22:26:49 +00:00
|
|
|
${lib.concatMapStringsSep "\n" (x: ''
|
|
|
|
/run/current-system/sw/bin/systemctl restart ${x}
|
|
|
|
'') c.restartUnits}
|
|
|
|
${lib.optionalString (c.command != "") c.command}
|
|
|
|
'';
|
2022-03-06 23:01:51 +00:00
|
|
|
} {
|
|
|
|
# Certificate chain
|
|
|
|
contents = ''
|
|
|
|
{{with ${secretStanza}}}
|
|
|
|
{{ .Data.issuer_cert }}{{ end }}
|
|
|
|
'';
|
|
|
|
destination = chainPath c;
|
|
|
|
perms = c.chain.mode;
|
2022-03-07 00:52:03 +00:00
|
|
|
command = let
|
|
|
|
grp = groupOrDefault c.chain.group c;
|
|
|
|
in pkgs.writeShellScript "post-${c.name}-chain" ''
|
|
|
|
${lib.optionalString (grp != "") ''
|
|
|
|
chgrp "${grp}" "${chainPath c}"
|
2022-03-06 23:01:51 +00:00
|
|
|
''}
|
|
|
|
'';
|
2022-03-06 22:26:49 +00:00
|
|
|
} {
|
|
|
|
# Key
|
|
|
|
contents = ''
|
|
|
|
{{with ${secretStanza}}}
|
|
|
|
{{ .Data.private_key }}{{ end }}
|
|
|
|
'';
|
|
|
|
destination = keyPath c;
|
|
|
|
perms = c.key.mode;
|
2022-03-07 00:52:03 +00:00
|
|
|
command = let
|
|
|
|
grp = groupOrDefault c.key.group c;
|
|
|
|
in pkgs.writeShellScript "post-${c.name}-key" ''
|
|
|
|
${lib.optionalString (grp != "") ''
|
|
|
|
chgrp "${grp}" "${keyPath c}"
|
2022-03-06 22:26:49 +00:00
|
|
|
''}
|
|
|
|
'';
|
|
|
|
}
|
2022-03-07 00:52:03 +00:00
|
|
|
]) acmeCertificates;
|
2022-03-06 22:26:49 +00:00
|
|
|
|
|
|
|
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
|
|
|
|
let
|
2022-03-06 23:01:51 +00:00
|
|
|
fullchainDir = dirOf (fullchainPath c);
|
|
|
|
chainDir = dirOf (chainPath c);
|
|
|
|
keyDir = dirOf (keyPath c);
|
2022-03-06 22:26:49 +00:00
|
|
|
|
2022-03-07 00:52:03 +00:00
|
|
|
fullchainGroup = groupOrDefault c.fullchain.group c;
|
|
|
|
chainGroup = groupOrDefault c.chain.group c;
|
|
|
|
keyGroup = groupOrDefault c.key.group c;
|
|
|
|
|
|
|
|
dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if fullchainGroup == keyGroup && fullchainGroup == chainGroup then fullchainGroup else "-" else null;
|
2022-03-06 22:26:49 +00:00
|
|
|
|
2022-03-07 00:52:03 +00:00
|
|
|
fullchainDirGroup = if isNull dirGroup then fullchainGroup else dirGroup;
|
|
|
|
chainDirGroup = if isNull dirGroup then chainGroup else dirGroup;
|
|
|
|
keyDirGroup = if isNull dirGroup then keyGroup else dirGroup;
|
2022-03-06 23:01:51 +00:00
|
|
|
in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
|
|
|
|
++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
|
|
|
|
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
|
2022-03-07 00:52:03 +00:00
|
|
|
) acmeCertificates);
|
2022-03-06 22:26:49 +00:00
|
|
|
|
2022-03-07 00:52:03 +00:00
|
|
|
allRestartableUnits = lib.unique (builtins.concatMap (c: (reloadOrRestartUnits c) ++ c.restartUnits) acmeCertificates);
|
2022-03-06 22:26:49 +00:00
|
|
|
in
|
|
|
|
{
|
|
|
|
options.my.vault.acmeCertificates = mkOption {
|
2022-03-07 00:52:03 +00:00
|
|
|
type = with types; attrsOf (submodule {
|
2022-03-06 22:26:49 +00:00
|
|
|
options = let
|
|
|
|
fileType = what: defaultMode: submodule {
|
|
|
|
options = {
|
|
|
|
path = mkOption {
|
|
|
|
type = nullOr path;
|
|
|
|
default = null;
|
|
|
|
description = "Path to put the ${what}.";
|
|
|
|
};
|
|
|
|
mode = mkOption {
|
|
|
|
type = str;
|
|
|
|
default = defaultMode;
|
|
|
|
description = "Mode to set for the ${what}.";
|
|
|
|
};
|
|
|
|
|
|
|
|
group = mkOption {
|
2022-03-07 00:52:03 +00:00
|
|
|
type = nullOr str;
|
|
|
|
default = null;
|
|
|
|
description = "Owner group to set for the ${what}. If null, taken from parent.";
|
2022-03-06 22:26:49 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
makeDir = mkOption {
|
|
|
|
type = bool;
|
|
|
|
default = true;
|
|
|
|
description = "If true, creates the parent directory.";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
in {
|
|
|
|
role = mkOption {
|
|
|
|
type = str;
|
2022-03-06 23:01:51 +00:00
|
|
|
default = "letsencrypt-cloudflare";
|
2022-03-06 22:26:49 +00:00
|
|
|
description = "Which role to use for certificate issuance.";
|
|
|
|
};
|
|
|
|
extraNames = mkOption {
|
|
|
|
type = listOf str;
|
|
|
|
default = [];
|
|
|
|
description = "Non-empty list of hostnames to include.";
|
|
|
|
};
|
|
|
|
|
|
|
|
command = mkOption {
|
|
|
|
type = lines;
|
|
|
|
default = "";
|
|
|
|
description = "Command to run after generating the certificate.";
|
|
|
|
};
|
|
|
|
reloadOrRestartUnits = mkOption {
|
|
|
|
type = listOf str;
|
|
|
|
default = [];
|
|
|
|
description = "List of systemd units to reload/restart after obtaining a new certificate.";
|
|
|
|
};
|
|
|
|
restartUnits = mkOption {
|
|
|
|
type = listOf str;
|
|
|
|
default = [];
|
|
|
|
description = "List of systemd units to restart after obtaining a new certificate.";
|
|
|
|
};
|
|
|
|
|
2022-03-07 00:52:03 +00:00
|
|
|
nginxVirtualHosts = mkOption {
|
|
|
|
type = listOf str;
|
|
|
|
default = [];
|
|
|
|
description = "List of nginx virtual hosts to apply SSL to.";
|
|
|
|
};
|
|
|
|
|
|
|
|
group = mkOption {
|
|
|
|
type = nullOr str;
|
|
|
|
default = null;
|
|
|
|
description = "Owner group to set for the generated files. Defaults to 'acme' unless nginxVirtualHosts is set, in which case it defaults to 'nginx'.";
|
|
|
|
};
|
|
|
|
|
2022-03-06 23:01:51 +00:00
|
|
|
fullchain = mkOption {
|
|
|
|
type = fileType "certificate's full chain" "0644";
|
|
|
|
default = {};
|
|
|
|
};
|
|
|
|
chain = mkOption {
|
|
|
|
type = fileType "certificate chain only" "0644";
|
2022-03-06 22:26:49 +00:00
|
|
|
default = {};
|
|
|
|
};
|
|
|
|
key = mkOption {
|
|
|
|
type = fileType "certificate's key" "0640";
|
|
|
|
default = {};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
});
|
2022-03-07 00:52:03 +00:00
|
|
|
default = {};
|
2022-03-06 22:26:49 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
config = {
|
|
|
|
my.vault.settings = {
|
|
|
|
template = mkBefore acmeCertificatesTemplate;
|
|
|
|
};
|
|
|
|
|
|
|
|
systemd = optionalAttrs config.my.vault.enable {
|
|
|
|
services.vault-agent = {
|
|
|
|
serviceConfig = {
|
|
|
|
SupplementaryGroups = mkBefore acmeCertificatesGroups;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
tmpfiles.rules = acmeCertificatesTmpdirs;
|
|
|
|
};
|
|
|
|
|
2022-03-07 00:52:03 +00:00
|
|
|
services.nginx = optionalAttrs config.my.vault.enable {
|
|
|
|
virtualHosts = builtins.listToAttrs (builtins.concatMap (certData: let
|
|
|
|
fullchain = fullchainPath certData;
|
|
|
|
chain = chainPath certData;
|
|
|
|
key = keyPath certData;
|
|
|
|
in map (hostName: lib.nameValuePair hostName {
|
|
|
|
sslCertificate = mkDefault (fullchainPath certData);
|
|
|
|
sslCertificateKey = mkDefault (keyPath certData);
|
|
|
|
sslTrustedCertificate = mkDefault (chainPath certData);
|
|
|
|
}) certData.nginxVirtualHosts) acmeCertificates);
|
|
|
|
};
|
|
|
|
|
2022-03-06 22:26:49 +00:00
|
|
|
security.polkit.extraConfig = lib.mkAfter ''
|
|
|
|
// NixOS module: depot/lib/vault-agent-acme.nix
|
|
|
|
polkit.addRule(function(action, subject) {
|
|
|
|
if (action.id !== "org.freedesktop.systemd1.manage-units" ||
|
|
|
|
subject.user !== "vault-agent") {
|
|
|
|
return polkit.Result.NOT_HANDLED;
|
|
|
|
}
|
|
|
|
|
|
|
|
var verb = action.lookup("verb");
|
|
|
|
if (verb !== "restart" && verb !== "reload-or-restart") {
|
|
|
|
return polkit.Result.NOT_HANDLED;
|
|
|
|
}
|
|
|
|
|
|
|
|
var allowedUnits = ${builtins.toJSON allRestartableUnits};
|
|
|
|
var unit = action.lookup("unit");
|
|
|
|
for (var i = 0; i < allowedUnits.length; i++) {
|
|
|
|
if (allowedUnits[i] === unit) {
|
|
|
|
return polkit.Result.YES;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return polkit.Result.NOT_HANDLED;
|
|
|
|
});
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
}
|