vault-agent-acme: tidy up

Luke Granger-Brown 2022-03-06 23:01:51 +00:00
parent 8be4fe603e
commit 0c7f785107
2 changed files with 44 additions and 22 deletions


@ -10,13 +10,13 @@
buildGoModule rec { buildGoModule rec {
pname = "vault-acme"; pname = "vault-acme";
version = "0.0.8"; version = "0.0.8+lukegb-1";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "remilapeyre"; owner = "lukegb";
repo = pname; repo = pname;
rev = "v${version}"; rev = "4f397cc3089cc7b0ea23e76e907ad4733b66c13f";
sha256 = "sha256:0vbi5i0m5rifh4ayd4y949kh94zgirviv6xiy2a11a4frrn24fyf"; sha256 = "sha256:0f3d89j51gcrvpxmlr3psvv9mm6y3rw4hwk3rs4rb3a6rj5yg2iq";
}; };
vendorSha256 = "sha256:07bqapnrf1fdyaxkna14s5calgj71sk2qysigd32hxl673zd06ic"; vendorSha256 = "sha256:07bqapnrf1fdyaxkna14s5calgj71sk2qysigd32hxl673zd06ic";
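Review bot: `rev` is now a bare commit hash while `version` is set to `0.0.8+lukegb-1`, so the two are no longer tied together and a later version bump will not move the pinned commit unless someone remembers to edit both; the derivation should say so. The source also moved from upstream `remilapeyre` to the `lukegb` fork, which presumably carries local changes, and that reason belongs next to the pin too, e.g. `# Fork of remilapeyre/vault-acme; rev is pinned to a commit, not a tag — bump rev and sha256 together.` vendorSha256 is unchanged, which suggests go.mod/go.sum did not change in the fork; worth re-checking whenever the pin moves.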


@ -7,11 +7,12 @@ let
inherit (lib) mkOption types mkBefore optionalAttrs; inherit (lib) mkOption types mkBefore optionalAttrs;
# Work out where we're being asked to write things, and which groups, so we can correctly get permissions. # Work out where we're being asked to write things, and which groups, so we can correctly get permissions.
certPath = c: pathFor c.certificate c "cert.pem"; fullchainPath = c: pathFor c.fullchain c "fullchain.pem";
keyPath = c: pathFor c.certificate c "privkey.pem"; chainPath = c: pathFor c.chain c "chain.pem";
keyPath = c: pathFor c.key c "privkey.pem";
pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path; pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path;
acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.certificate.group c.key.group ]) config.my.vault.acmeCertificates)); acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.fullchain.group c.chain.group c.key.group ]) config.my.vault.acmeCertificates));
acmeCertificatesTemplate = builtins.concatMap (c: let acmeCertificatesTemplate = builtins.concatMap (c: let
secretStanza = '' secretStanza = ''
@ -19,16 +20,17 @@ let
''; '';
in [ in [
{ {
# Certificate # Certificate full chain
contents = '' contents = ''
{{with ${secretStanza}}} {{with ${secretStanza}}}
{{ .Data.cert }}{{ end }} {{ .Data.cert }}{{ end }}
''; '';
destination = certPath c; destination = fullchainPath c;
perms = c.certificate.mode; perms = c.fullchain.mode;
command = pkgs.writeShellScript "post-${c.name}-crt" '' command = pkgs.writeShellScript "post-${c.name}-crt" ''
${lib.optionalString (c.certificate.group != "") '' sleep 1s # Cheap hack...
chgrp "${c.certificate.group}" "${certPath c}" ${lib.optionalString (c.fullchain.group != "") ''
chgrp "${c.fullchain.group}" "${fullchainPath c}"
''} ''}
${lib.concatMapStringsSep "\n" (x: '' ${lib.concatMapStringsSep "\n" (x: ''
/run/current-system/sw/bin/systemctl reload-or-restart ${x} /run/current-system/sw/bin/systemctl reload-or-restart ${x}
@ -38,6 +40,19 @@ let
'') c.restartUnits} '') c.restartUnits}
${lib.optionalString (c.command != "") c.command} ${lib.optionalString (c.command != "") c.command}
''; '';
} {
# Certificate chain
contents = ''
{{with ${secretStanza}}}
{{ .Data.issuer_cert }}{{ end }}
'';
destination = chainPath c;
perms = c.chain.mode;
command = pkgs.writeShellScript "post-${c.name}-chain" ''
${lib.optionalString (c.chain.group != "") ''
chgrp "${c.chain.group}" "${chainPath c}"
''}
'';
} { } {
# Key # Key
contents = '' contents = ''
@ -56,14 +71,17 @@ let
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c: acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
let let
certDir = dirOf (certPath c); fullchainDir = dirOf (fullchainPath c);
chainDir = dirOf (chainPath c);
keyDir = dirOf (keyPath c); keyDir = dirOf (keyPath c);
dirGroup = if certDir == keyDir && c.certificate.makeDir && c.key.makeDir then if c.certificate.group == c.key.group then c.certificate.group else "-" else null; dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if c.fullchain.group == c.key.group && c.fullchain.group == c.chain.group then c.fullchain.group else "-" else null;
certDirGroup = if isNull dirGroup then c.certificate.group else dirGroup; fullchainDirGroup = if isNull dirGroup then c.fullchain.group else dirGroup;
keyDirGroup = if isNull dirGroup then c.certificate.group else dirGroup; chainDirGroup = if isNull dirGroup then c.chain.group else dirGroup;
in lib.optional c.certificate.makeDir "d ${certDir} 0750 vault-agent ${certDirGroup} - -" keyDirGroup = if isNull dirGroup then c.key.group else dirGroup;
in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -" ++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
) config.my.vault.acmeCertificates); ) config.my.vault.acmeCertificates);
@ -102,7 +120,7 @@ in
in { in {
role = mkOption { role = mkOption {
type = str; type = str;
default = "letsencrypt-prod-cloudflare"; default = "letsencrypt-cloudflare";
description = "Which role to use for certificate issuance."; description = "Which role to use for certificate issuance.";
}; };
name = mkOption { name = mkOption {
@ -131,8 +149,12 @@ in
description = "List of systemd units to restart after obtaining a new certificate."; description = "List of systemd units to restart after obtaining a new certificate.";
}; };
certificate = mkOption { fullchain = mkOption {
type = fileType "certificate" "0644"; type = fileType "certificate's full chain" "0644";
default = {};
};
chain = mkOption {
type = fileType "certificate chain only" "0644";
default = {}; default = {};
}; };
key = mkOption { key = mkOption {