vault-agent-acme: tidy up
This commit is contained in:
parent
8be4fe603e
commit
0c7f785107
2 changed files with 44 additions and 22 deletions
@ -10,13 +10,13 @@
|
|||
|
||||
buildGoModule rec {
|
||||
pname = "vault-acme";
|
||||
version = "0.0.8";
|
||||
version = "0.0.8+lukegb-1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "remilapeyre";
|
||||
owner = "lukegb";
|
||||
repo = pname;
|
||||
rev = "v${version}";
|
||||
sha256 = "sha256:0vbi5i0m5rifh4ayd4y949kh94zgirviv6xiy2a11a4frrn24fyf";
|
||||
rev = "4f397cc3089cc7b0ea23e76e907ad4733b66c13f";
|
||||
sha256 = "sha256:0f3d89j51gcrvpxmlr3psvv9mm6y3rw4hwk3rs4rb3a6rj5yg2iq";
|
||||
};
|
||||
|
||||
vendorSha256 = "sha256:07bqapnrf1fdyaxkna14s5calgj71sk2qysigd32hxl673zd06ic";
|
||||
|
|
|
@ -7,11 +7,12 @@ let
|
|||
inherit (lib) mkOption types mkBefore optionalAttrs;
|
||||
|
||||
# Work out where we're being asked to write things, and which groups, so we can correctly get permissions.
|
||||
certPath = c: pathFor c.certificate c "cert.pem";
|
||||
keyPath = c: pathFor c.certificate c "privkey.pem";
|
||||
fullchainPath = c: pathFor c.fullchain c "fullchain.pem";
|
||||
chainPath = c: pathFor c.chain c "chain.pem";
|
||||
keyPath = c: pathFor c.key c "privkey.pem";
|
||||
pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path;
|
||||
|
||||
acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.certificate.group c.key.group ]) config.my.vault.acmeCertificates));
|
||||
acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.fullchain.group c.chain.group c.key.group ]) config.my.vault.acmeCertificates));
|
||||
|
||||
acmeCertificatesTemplate = builtins.concatMap (c: let
|
||||
secretStanza = ''
|
||||
|
@ -19,16 +20,17 @@ let
|
|||
'';
|
||||
in [
|
||||
{
|
||||
# Certificate
|
||||
# Certificate full chain
|
||||
contents = ''
|
||||
{{with ${secretStanza}}}
|
||||
{{ .Data.cert }}{{ end }}
|
||||
'';
|
||||
destination = certPath c;
|
||||
perms = c.certificate.mode;
|
||||
destination = fullchainPath c;
|
||||
perms = c.fullchain.mode;
|
||||
command = pkgs.writeShellScript "post-${c.name}-crt" ''
|
||||
${lib.optionalString (c.certificate.group != "") ''
|
||||
chgrp "${c.certificate.group}" "${certPath c}"
|
||||
sleep 1s # Cheap hack...
|
||||
${lib.optionalString (c.fullchain.group != "") ''
|
||||
chgrp "${c.fullchain.group}" "${fullchainPath c}"
|
||||
''}
|
||||
${lib.concatMapStringsSep "\n" (x: ''
|
||||
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
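Review bot: The new `sleep 1s # Cheap hack...` before the chgrp gives no hint of what it is waiting for, and the `systemctl reload-or-restart` on the last line still fires from the fullchain entry alone, so nothing in this hunk guarantees that the sibling privkey.pem (rendered by a separate template further down, outside this hunk) has been written when consumers reload; a fixed delay narrows the cert/key mismatch window but does not close it. At minimum the comment should state the assumption, e.g. `# Wait for vault-agent to finish writing the sibling privkey.pem/chain.pem templates before reloading consumers (no ordering guarantee between templates; TODO replace with an explicit check).` If the intent is as I read it, a bounded wait on the key file, `for _ in 1 2 3 4 5; do [ -s "${keyPath c}" ] && break; sleep 1; done`, is at least honest about what it polls, though it still does not prove the key matches the new certificate. The list entry this command belongs to is closed beyond the hunk.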
|
||||
|
@ -38,6 +40,19 @@ let
|
|||
'') c.restartUnits}
|
||||
${lib.optionalString (c.command != "") c.command}
|
||||
'';
|
||||
} {
|
||||
# Certificate chain
|
||||
contents = ''
|
||||
{{with ${secretStanza}}}
|
||||
{{ .Data.issuer_cert }}{{ end }}
|
||||
'';
|
||||
destination = chainPath c;
|
||||
perms = c.chain.mode;
|
||||
command = pkgs.writeShellScript "post-${c.name}-chain" ''
|
||||
${lib.optionalString (c.chain.group != "") ''
|
||||
chgrp "${c.chain.group}" "${chainPath c}"
|
||||
''}
|
||||
'';
|
||||
} {
|
||||
# Key
|
||||
contents = ''
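Review bot: The new chain entry hand-rolls the same `optionalString (group != "") chgrp …` stanza that the fullchain entry (and, presumably, the key entry continuing past this hunk) already carry, and in each copy the group and path are spliced into the shell script by Nix interpolation inside double quotes, so safety against odd characters in a configured group or path holds only per copy. I would hoist the stanza into the enclosing `let` (which starts before this hunk), quote with `lib.escapeShellArg`, and have each `command` call it. The chain file also gets no reload hook, which is fine only as long as chain.pem is never consumed without fullchain.pem changing in the same run; a one-line comment, `# No reload here: consumers are reloaded by the fullchain entry, rendered from the same secret.`, would save the next reader the question.
```nix
  # Shared post-render step: hand the rendered file to its consumer group (empty group = leave as written).
  chgrpStanza = file: path: lib.optionalString (file.group != "") ''
    chgrp ${lib.escapeShellArg file.group} ${lib.escapeShellArg path}
  '';
  # … unchanged: path helpers, acmeCertificatesGroups …
      } {
        # Certificate chain
        # … unchanged: contents / destination / perms …
        command = pkgs.writeShellScript "post-${c.name}-chain" (chgrpStanza c.chain (chainPath c));
      } {
```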
|
||||
|
@ -56,14 +71,17 @@ let
|
|||
|
||||
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
|
||||
let
|
||||
certDir = dirOf (certPath c);
|
||||
fullchainDir = dirOf (fullchainPath c);
|
||||
chainDir = dirOf (chainPath c);
|
||||
keyDir = dirOf (keyPath c);
|
||||
|
||||
dirGroup = if certDir == keyDir && c.certificate.makeDir && c.key.makeDir then if c.certificate.group == c.key.group then c.certificate.group else "-" else null;
|
||||
dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if c.fullchain.group == c.key.group && c.fullchain.group == c.chain.group then c.fullchain.group else "-" else null;
|
||||
|
||||
certDirGroup = if isNull dirGroup then c.certificate.group else dirGroup;
|
||||
keyDirGroup = if isNull dirGroup then c.certificate.group else dirGroup;
|
||||
in lib.optional c.certificate.makeDir "d ${certDir} 0750 vault-agent ${certDirGroup} - -"
|
||||
fullchainDirGroup = if isNull dirGroup then c.fullchain.group else dirGroup;
|
||||
chainDirGroup = if isNull dirGroup then c.chain.group else dirGroup;
|
||||
keyDirGroup = if isNull dirGroup then c.key.group else dirGroup;
|
||||
in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
|
||||
++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
|
||||
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
|
||||
) config.my.vault.acmeCertificates);
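Review bot: The rewritten `dirGroup` line in the middle of the hunk still falls back to `"-"` when the three files share a directory but their groups differ, and in a tmpfiles `d` line that means the default group (root, as far as I recall), so the 0750 directory cannot be traversed by any of the consumer groups the files are later chgrp'ed to, and the misconfiguration surfaces as a runtime permission error instead of at evaluation. Since one mode-0750 directory cannot serve consumers that disagree on group anyway, I would fail loudly there, e.g. `else throw "acmeCertificates.${c.name}: fullchain/chain/key share ${keyDir} but have different groups"`. The condition would also read better split into named parts (`sameDir`, `allMakeDir`, `oneGroup`) instead of one line. When only some of the three have `makeDir` set, the separate `d` entries emitted for the same path with different groups are not collapsed by `lib.unique`; if that is intended, a comment saying which entry wins would help.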
|
||||
|
||||
|
@ -102,7 +120,7 @@ in
|
|||
in {
|
||||
role = mkOption {
|
||||
type = str;
|
||||
default = "letsencrypt-prod-cloudflare";
|
||||
default = "letsencrypt-cloudflare";
|
||||
description = "Which role to use for certificate issuance.";
|
||||
};
|
||||
name = mkOption {
|
||||
|
@ -131,8 +149,12 @@ in
|
|||
description = "List of systemd units to restart after obtaining a new certificate.";
|
||||
};
|
||||
|
||||
certificate = mkOption {
|
||||
type = fileType "certificate" "0644";
|
||||
fullchain = mkOption {
|
||||
type = fileType "certificate's full chain" "0644";
|
||||
default = {};
|
||||
};
|
||||
chain = mkOption {
|
||||
type = fileType "certificate chain only" "0644";
|
||||
default = {};
|
||||
};
|
||||
key = mkOption {
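Review bot: Renaming `certificate` to `fullchain` changes what the option name promises without changing what the file holds: fullchain.pem is rendered from the same `.Data.cert` field the old certificate entry used (earlier in this commit) while `chain` comes from `.Data.issuer_cert`, so the new name is accurate only if the plugin bundles the issuer into `cert`, which I cannot confirm from here. The descriptions `"certificate's full chain"` and `"certificate chain only"` should name the backing field so a reader can check, e.g. `type = fileType "certificate with issuer chain (the plugin's cert field)" "0644";`. There is no alias for the old `certificate` attribute; if the submodule rejects unknown attributes that is at least a loud failure, but a sentence in the option docs noting the rename would help existing users. The `key` option is cut off at the end of the hunk.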
|
||||
|