diff --git a/nix/pkgs/vault-acme/default.nix b/nix/pkgs/vault-acme/default.nix index a72006ac66..2121493cc2 100644 --- a/nix/pkgs/vault-acme/default.nix +++ b/nix/pkgs/vault-acme/default.nix @@ -10,13 +10,13 @@ buildGoModule rec { pname = "vault-acme"; - version = "0.0.8"; + version = "0.0.8+lukegb-1"; src = fetchFromGitHub { - owner = "remilapeyre"; + owner = "lukegb"; repo = pname; - rev = "v${version}"; - sha256 = "sha256:0vbi5i0m5rifh4ayd4y949kh94zgirviv6xiy2a11a4frrn24fyf"; + rev = "4f397cc3089cc7b0ea23e76e907ad4733b66c13f"; + sha256 = "sha256:0f3d89j51gcrvpxmlr3psvv9mm6y3rw4hwk3rs4rb3a6rj5yg2iq"; }; vendorSha256 = "sha256:07bqapnrf1fdyaxkna14s5calgj71sk2qysigd32hxl673zd06ic"; diff --git a/ops/nixos/lib/vault-agent-acme.nix b/ops/nixos/lib/vault-agent-acme.nix index 3233859bbe..f02ebc7d6f 100644 --- a/ops/nixos/lib/vault-agent-acme.nix +++ b/ops/nixos/lib/vault-agent-acme.nix @@ -7,11 +7,12 @@ let inherit (lib) mkOption types mkBefore optionalAttrs; # Work out where we're being asked to write things, and which groups, so we can correctly get permissions. - certPath = c: pathFor c.certificate c "cert.pem"; - keyPath = c: pathFor c.certificate c "privkey.pem"; + fullchainPath = c: pathFor c.fullchain c "fullchain.pem"; + chainPath = c: pathFor c.chain c "chain.pem"; + keyPath = c: pathFor c.key c "privkey.pem"; pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path; - acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.certificate.group c.key.group ]) config.my.vault.acmeCertificates)); + acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.fullchain.group c.chain.group c.key.group ]) config.my.vault.acmeCertificates)); acmeCertificatesTemplate = builtins.concatMap (c: let secretStanza = '' @@ -19,16 +20,17 @@ let ''; in [ { - # Certificate + # Certificate full chain contents = '' {{with ${secretStanza}}} {{ .Data.cert }}{{ end }} ''; - destination = certPath c; - perms = c.certificate.mode; + destination = fullchainPath c; + perms = c.fullchain.mode; command = pkgs.writeShellScript "post-${c.name}-crt" '' - ${lib.optionalString (c.certificate.group != "") '' - chgrp "${c.certificate.group}" "${certPath c}" + sleep 1s # Cheap hack... + ${lib.optionalString (c.fullchain.group != "") '' + chgrp "${c.fullchain.group}" "${fullchainPath c}" ''} ${lib.concatMapStringsSep "\n" (x: '' /run/current-system/sw/bin/systemctl reload-or-restart ${x} @@ -38,6 +40,19 @@ let '') c.restartUnits} ${lib.optionalString (c.command != "") c.command} ''; + } { + # Certificate chain + contents = '' + {{with ${secretStanza}}} + {{ .Data.issuer_cert }}{{ end }} + ''; + destination = chainPath c; + perms = c.chain.mode; + command = pkgs.writeShellScript "post-${c.name}-chain" '' + ${lib.optionalString (c.chain.group != "") '' + chgrp "${c.chain.group}" "${chainPath c}" + ''} + ''; } { # Key contents = '' @@ -56,15 +71,18 @@ let acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c: let - certDir = dirOf (certPath c); - keyDir = dirOf (keyPath c); + fullchainDir = dirOf (fullchainPath c); + chainDir = dirOf (chainPath c); + keyDir = dirOf (keyPath c); - dirGroup = if certDir == keyDir && c.certificate.makeDir && c.key.makeDir then if c.certificate.group == c.key.group then c.certificate.group else "-" else null; + dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if c.fullchain.group == c.key.group && c.fullchain.group == c.chain.group then c.fullchain.group else "-" else null; - certDirGroup = if isNull dirGroup then c.certificate.group else dirGroup; - keyDirGroup = if isNull dirGroup then c.certificate.group else dirGroup; - in lib.optional c.certificate.makeDir "d ${certDir} 0750 vault-agent ${certDirGroup} - -" - ++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -" + fullchainDirGroup = if isNull dirGroup then c.fullchain.group else dirGroup; + chainDirGroup = if isNull dirGroup then c.chain.group else dirGroup; + keyDirGroup = if isNull dirGroup then c.key.group else dirGroup; + in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -" + ++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -" + ++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -" ) config.my.vault.acmeCertificates); allRestartableUnits = lib.unique (builtins.concatMap (c: c.reloadOrRestartUnits ++ c.restartUnits) config.my.vault.acmeCertificates); @@ -102,7 +120,7 @@ in in { role = mkOption { type = str; - default = "letsencrypt-prod-cloudflare"; + default = "letsencrypt-cloudflare"; description = "Which role to use for certificate issuance."; }; name = mkOption { @@ -131,8 +149,12 @@ in description = "List of systemd units to restart after obtaining a new certificate."; }; - certificate = mkOption { - type = fileType "certificate" "0644"; + fullchain = mkOption { + type = fileType "certificate's full chain" "0644"; + default = {}; + }; + chain = mkOption { + type = fileType "certificate chain only" "0644"; default = {}; }; key = mkOption {