vault-agent-acme: tidy up

This commit is contained in:
Luke Granger-Brown 2022-03-06 23:01:51 +00:00
parent 8be4fe603e
commit 0c7f785107
2 changed files with 44 additions and 22 deletions


@ -10,13 +10,13 @@
buildGoModule rec {
pname = "vault-acme";
version = "0.0.8";
version = "0.0.8+lukegb-1";
src = fetchFromGitHub {
owner = "remilapeyre";
owner = "lukegb";
repo = pname;
rev = "v${version}";
sha256 = "sha256:0vbi5i0m5rifh4ayd4y949kh94zgirviv6xiy2a11a4frrn24fyf";
rev = "4f397cc3089cc7b0ea23e76e907ad4733b66c13f";
sha256 = "sha256:0f3d89j51gcrvpxmlr3psvv9mm6y3rw4hwk3rs4rb3a6rj5yg2iq";
};
vendorSha256 = "sha256:07bqapnrf1fdyaxkna14s5calgj71sk2qysigd32hxl673zd06ic";
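Review bot: The `owner = "lukegb";` and `rev = "4f397cc3089cc7b0ea23e76e907ad4733b66c13f";` lines move src to a fork pinned to a bare commit, but nothing in the expression records why the fork is needed or how `version` relates to `rev` now that `rev` is no longer `"v${version}"`. A comment above `src`, along the lines of `# Fork of remilapeyre/vault-acme carrying <REASON-FOR-FORK>; bump rev and sha256 together and keep the +lukegb suffix on version`, would stop a later update from silently switching back to upstream or to a mutable branch name. Pinning the full commit hash together with the matching sha256 is the right shape for a source that is no longer the upstream tag. vendorSha256 is unchanged here, which presumably means the fork's Go dependencies did not change; if they did, the fixed-output hash would fail the build rather than fetch unpinned code. The buildGoModule attribute set continues outside the shown lines.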


@ -7,11 +7,12 @@ let
inherit (lib) mkOption types mkBefore optionalAttrs;
# Work out where we're being asked to write things, and which groups, so we can correctly get permissions.
certPath = c: pathFor c.certificate c "cert.pem";
keyPath = c: pathFor c.certificate c "privkey.pem";
fullchainPath = c: pathFor c.fullchain c "fullchain.pem";
chainPath = c: pathFor c.chain c "chain.pem";
keyPath = c: pathFor c.key c "privkey.pem";
pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path;
acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.certificate.group c.key.group ]) config.my.vault.acmeCertificates));
acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.fullchain.group c.chain.group c.key.group ]) config.my.vault.acmeCertificates));
acmeCertificatesTemplate = builtins.concatMap (c: let
secretStanza = ''
@ -19,16 +20,17 @@ let
'';
in [
{
# Certificate
# Certificate full chain
contents = ''
{{with ${secretStanza}}}
{{ .Data.cert }}{{ end }}
'';
destination = certPath c;
perms = c.certificate.mode;
destination = fullchainPath c;
perms = c.fullchain.mode;
command = pkgs.writeShellScript "post-${c.name}-crt" ''
${lib.optionalString (c.certificate.group != "") ''
chgrp "${c.certificate.group}" "${certPath c}"
sleep 1s # Cheap hack...
${lib.optionalString (c.fullchain.group != "") ''
chgrp "${c.fullchain.group}" "${fullchainPath c}"
''}
${lib.concatMapStringsSep "\n" (x: ''
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
@ -38,6 +40,19 @@ let
'') c.restartUnits}
${lib.optionalString (c.command != "") c.command}
'';
} {
# Certificate chain
contents = ''
{{with ${secretStanza}}}
{{ .Data.issuer_cert }}{{ end }}
'';
destination = chainPath c;
perms = c.chain.mode;
command = pkgs.writeShellScript "post-${c.name}-chain" ''
${lib.optionalString (c.chain.group != "") ''
chgrp "${c.chain.group}" "${chainPath c}"
''}
'';
} {
# Key
contents = ''
@ -56,15 +71,18 @@ let
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
let
certDir = dirOf (certPath c);
keyDir = dirOf (keyPath c);
fullchainDir = dirOf (fullchainPath c);
chainDir = dirOf (chainPath c);
keyDir = dirOf (keyPath c);
dirGroup = if certDir == keyDir && c.certificate.makeDir && c.key.makeDir then if c.certificate.group == c.key.group then c.certificate.group else "-" else null;
dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if c.fullchain.group == c.key.group && c.fullchain.group == c.chain.group then c.fullchain.group else "-" else null;
certDirGroup = if isNull dirGroup then c.certificate.group else dirGroup;
keyDirGroup = if isNull dirGroup then c.certificate.group else dirGroup;
in lib.optional c.certificate.makeDir "d ${certDir} 0750 vault-agent ${certDirGroup} - -"
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
fullchainDirGroup = if isNull dirGroup then c.fullchain.group else dirGroup;
chainDirGroup = if isNull dirGroup then c.chain.group else dirGroup;
keyDirGroup = if isNull dirGroup then c.key.group else dirGroup;
in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
) config.my.vault.acmeCertificates);
allRestartableUnits = lib.unique (builtins.concatMap (c: c.reloadOrRestartUnits ++ c.restartUnits) config.my.vault.acmeCertificates);
@ -102,7 +120,7 @@ in
in {
role = mkOption {
type = str;
default = "letsencrypt-prod-cloudflare";
default = "letsencrypt-cloudflare";
description = "Which role to use for certificate issuance.";
};
name = mkOption {
@ -131,8 +149,12 @@ in
description = "List of systemd units to restart after obtaining a new certificate.";
};
certificate = mkOption {
type = fileType "certificate" "0644";
fullchain = mkOption {
type = fileType "certificate's full chain" "0644";
default = {};
};
chain = mkOption {
type = fileType "certificate chain only" "0644";
default = {};
};
key = mkOption {