vault-agent-acme: tidy up
This commit is contained in:
parent
8be4fe603e
commit
0c7f785107
2 changed files with 44 additions and 22 deletions
|
@ -10,13 +10,13 @@
|
||||||
|
|
||||||
buildGoModule rec {
|
buildGoModule rec {
|
||||||
pname = "vault-acme";
|
pname = "vault-acme";
|
||||||
version = "0.0.8";
|
version = "0.0.8+lukegb-1";
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "remilapeyre";
|
owner = "lukegb";
|
||||||
repo = pname;
|
repo = pname;
|
||||||
rev = "v${version}";
|
rev = "4f397cc3089cc7b0ea23e76e907ad4733b66c13f";
|
||||||
sha256 = "sha256:0vbi5i0m5rifh4ayd4y949kh94zgirviv6xiy2a11a4frrn24fyf";
|
sha256 = "sha256:0f3d89j51gcrvpxmlr3psvv9mm6y3rw4hwk3rs4rb3a6rj5yg2iq";
|
||||||
};
|
};
|
||||||
|
|
||||||
vendorSha256 = "sha256:07bqapnrf1fdyaxkna14s5calgj71sk2qysigd32hxl673zd06ic";
|
vendorSha256 = "sha256:07bqapnrf1fdyaxkna14s5calgj71sk2qysigd32hxl673zd06ic";
|
||||||
|
|
|
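Review bot: The package now builds from a personal fork at a pinned commit instead of upstream's `v${version}` tag, but nothing in the expression records why, so a later reader cannot tell what the fork carries or when it can be dropped. A comment above `owner = "lukegb";` such as `# Fork of remilapeyre/vault-acme with <describe the change>; return to upstream once <UPSTREAM-PR-ID placeholder> is released` would document the trust decision. Pinning `rev` to a full commit hash with a fixed `sha256` is the right shape for this, and the unchanged `vendorSha256` presumably means the fork has no Go dependency changes, which is worth stating in the same comment.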
@ -7,11 +7,12 @@ let
|
||||||
inherit (lib) mkOption types mkBefore optionalAttrs;
|
inherit (lib) mkOption types mkBefore optionalAttrs;
|
||||||
|
|
||||||
# Work out where we're being asked to write things, and which groups, so we can correctly get permissions.
|
# Work out where we're being asked to write things, and which groups, so we can correctly get permissions.
|
||||||
certPath = c: pathFor c.certificate c "cert.pem";
|
fullchainPath = c: pathFor c.fullchain c "fullchain.pem";
|
||||||
keyPath = c: pathFor c.certificate c "privkey.pem";
|
chainPath = c: pathFor c.chain c "chain.pem";
|
||||||
|
keyPath = c: pathFor c.key c "privkey.pem";
|
||||||
pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path;
|
pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path;
|
||||||
|
|
||||||
acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.certificate.group c.key.group ]) config.my.vault.acmeCertificates));
|
acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.fullchain.group c.chain.group c.key.group ]) config.my.vault.acmeCertificates));
|
||||||
|
|
||||||
acmeCertificatesTemplate = builtins.concatMap (c: let
|
acmeCertificatesTemplate = builtins.concatMap (c: let
|
||||||
secretStanza = ''
|
secretStanza = ''
|
||||||
|
@ -19,16 +20,17 @@ let
|
||||||
'';
|
'';
|
||||||
in [
|
in [
|
||||||
{
|
{
|
||||||
# Certificate
|
# Certificate full chain
|
||||||
contents = ''
|
contents = ''
|
||||||
{{with ${secretStanza}}}
|
{{with ${secretStanza}}}
|
||||||
{{ .Data.cert }}{{ end }}
|
{{ .Data.cert }}{{ end }}
|
||||||
'';
|
'';
|
||||||
destination = certPath c;
|
destination = fullchainPath c;
|
||||||
perms = c.certificate.mode;
|
perms = c.fullchain.mode;
|
||||||
command = pkgs.writeShellScript "post-${c.name}-crt" ''
|
command = pkgs.writeShellScript "post-${c.name}-crt" ''
|
||||||
${lib.optionalString (c.certificate.group != "") ''
|
sleep 1s # Cheap hack...
|
||||||
chgrp "${c.certificate.group}" "${certPath c}"
|
${lib.optionalString (c.fullchain.group != "") ''
|
||||||
|
chgrp "${c.fullchain.group}" "${fullchainPath c}"
|
||||||
''}
|
''}
|
||||||
${lib.concatMapStringsSep "\n" (x: ''
|
${lib.concatMapStringsSep "\n" (x: ''
|
||||||
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
|
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
|
||||||
|
@ -38,6 +40,19 @@ let
|
||||||
'') c.restartUnits}
|
'') c.restartUnits}
|
||||||
${lib.optionalString (c.command != "") c.command}
|
${lib.optionalString (c.command != "") c.command}
|
||||||
'';
|
'';
|
||||||
|
} {
|
||||||
|
# Certificate chain
|
||||||
|
contents = ''
|
||||||
|
{{with ${secretStanza}}}
|
||||||
|
{{ .Data.issuer_cert }}{{ end }}
|
||||||
|
'';
|
||||||
|
destination = chainPath c;
|
||||||
|
perms = c.chain.mode;
|
||||||
|
command = pkgs.writeShellScript "post-${c.name}-chain" ''
|
||||||
|
${lib.optionalString (c.chain.group != "") ''
|
||||||
|
chgrp "${c.chain.group}" "${chainPath c}"
|
||||||
|
''}
|
||||||
|
'';
|
||||||
} {
|
} {
|
||||||
# Key
|
# Key
|
||||||
contents = ''
|
contents = ''
|
||||||
|
@ -56,14 +71,17 @@ let
|
||||||
|
|
||||||
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
|
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
|
||||||
let
|
let
|
||||||
certDir = dirOf (certPath c);
|
fullchainDir = dirOf (fullchainPath c);
|
||||||
|
chainDir = dirOf (chainPath c);
|
||||||
keyDir = dirOf (keyPath c);
|
keyDir = dirOf (keyPath c);
|
||||||
|
|
||||||
dirGroup = if certDir == keyDir && c.certificate.makeDir && c.key.makeDir then if c.certificate.group == c.key.group then c.certificate.group else "-" else null;
|
dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if c.fullchain.group == c.key.group && c.fullchain.group == c.chain.group then c.fullchain.group else "-" else null;
|
||||||
|
|
||||||
certDirGroup = if isNull dirGroup then c.certificate.group else dirGroup;
|
fullchainDirGroup = if isNull dirGroup then c.fullchain.group else dirGroup;
|
||||||
keyDirGroup = if isNull dirGroup then c.certificate.group else dirGroup;
|
chainDirGroup = if isNull dirGroup then c.chain.group else dirGroup;
|
||||||
in lib.optional c.certificate.makeDir "d ${certDir} 0750 vault-agent ${certDirGroup} - -"
|
keyDirGroup = if isNull dirGroup then c.key.group else dirGroup;
|
||||||
|
in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
|
||||||
|
++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
|
||||||
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
|
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
|
||||||
) config.my.vault.acmeCertificates);
|
) config.my.vault.acmeCertificates);
|
||||||
|
|
||||||
|
@ -102,7 +120,7 @@ in
|
||||||
in {
|
in {
|
||||||
role = mkOption {
|
role = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
default = "letsencrypt-prod-cloudflare";
|
default = "letsencrypt-cloudflare";
|
||||||
description = "Which role to use for certificate issuance.";
|
description = "Which role to use for certificate issuance.";
|
||||||
};
|
};
|
||||||
name = mkOption {
|
name = mkOption {
|
||||||
|
@ -131,8 +149,12 @@ in
|
||||||
description = "List of systemd units to restart after obtaining a new certificate.";
|
description = "List of systemd units to restart after obtaining a new certificate.";
|
||||||
};
|
};
|
||||||
|
|
||||||
certificate = mkOption {
|
fullchain = mkOption {
|
||||||
type = fileType "certificate" "0644";
|
type = fileType "certificate's full chain" "0644";
|
||||||
|
default = {};
|
||||||
|
};
|
||||||
|
chain = mkOption {
|
||||||
|
type = fileType "certificate chain only" "0644";
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
key = mkOption {
|
key = mkOption {
|
||||||
|
|
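Review bot: The new chain stanza (the block beginning `# Certificate chain`) writes chain.pem but its command only runs chgrp, while the restartUnits reload and the user command remain attached to the fullchain template; if Vault Agent renders the two templates independently, a service reloaded by `post-${c.name}-crt` can come up with the previous chain.pem. The `${lib.concatMapStringsSep "\n" (x: '' … '') c.restartUnits}` loop should either be repeated in `post-${c.name}-chain` or the chain moved into the same template so one command runs after both files exist. The `sleep 1s # Cheap hack...` line in the fullchain command needs a comment naming what it waits for, since a timing workaround with no stated reason tends to be either removed or cargo-culted. The stanza is now labelled `# Certificate full chain` yet still renders `{{ .Data.cert }}`; if that field holds only the leaf certificate, fullchain.pem would be misnamed, so this is worth confirming against the fork's secret layout. In the tmpfiles hunk, `dirGroup` collapses the entries only when all three directories coincide, so two files sharing a directory with the third elsewhere yield duplicate `d` lines for the same path with possibly different groups.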