From ae97fddae2629673d4e22f66fa684b795481feb7 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Fri, 11 Mar 2022 22:07:31 +0000
Subject: [PATCH] vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect

This avoids annoying problems like "too many" retries for certificate issuance, since we only ask for the secret once.
---
 ops/nixos/lib/vault-agent-acme.nix | 87 ++++++++++-------------------
 1 file changed, 28 insertions(+), 59 deletions(-)

diff --git a/ops/nixos/lib/vault-agent-acme.nix b/ops/nixos/lib/vault-agent-acme.nix
index 2ddc945ba7..feb048667d 100644
--- a/ops/nixos/lib/vault-agent-acme.nix
+++ b/ops/nixos/lib/vault-agent-acme.nix
@@ -26,67 +26,34 @@ let
 (groupOrDefault c.key.group c)
 ]) acmeCertificates));
- acmeCertificatesTemplate = builtins.concatMap (c: let
- secretStanza = ''
- secret "acme/certs/${c.role}" "common_name=${c.name}" "alternative_names=${builtins.concatStringsSep "," (builtins.sort builtins.lessThan c.extraNames)}"
+ acmeCertificatesTemplate = map (c: {
+ contents = ''
+ {{with secret "acme/certs/${c.role}" "common_name=${c.name}" "alternative_names=${builtins.concatStringsSep "," (builtins.sort builtins.lessThan c.extraNames)}"}}
+ {{ .Data.cert | writeToFile "${fullchainPath c}" "vault-agent" "${groupOrDefault c.fullchain.group c}" "${c.fullchain.mode}" "newline" }}
+ {{ .Data.issuer_cert | writeToFile "${chainPath c}" "vault-agent" "${groupOrDefault c.chain.group c}" "${c.chain.mode}" "newline" }}
+ {{ .Data.private_key | writeToFile "${keyPath c}" "vault-agent" "${groupOrDefault c.key.group c}" "${c.key.mode}" "newline" }}
+ {{ end }}
 '';
- in [
- {
- # Certificate full chain
- contents = ''
- {{with ${secretStanza}}}
- {{ .Data.cert }}{{ end }}
- '';
- destination = fullchainPath c;
- perms = c.fullchain.mode;
- command = let
- grp = groupOrDefault c.fullchain.group c;
- in pkgs.writeShellScript "post-${c.name}-crt" ''
- sleep 1s # Cheap hack...
- ${lib.optionalString (grp != "") ''
- chgrp "${grp}" "${fullchainPath c}"
- ''}
- ${lib.concatMapStringsSep "\n" (x: ''
- /run/current-system/sw/bin/systemctl reload-or-restart ${x}
- '') (reloadOrRestartUnits c)}
- ${lib.concatMapStringsSep "\n" (x: ''
- /run/current-system/sw/bin/systemctl restart ${x}
- '') c.restartUnits}
- ${lib.optionalString (c.command != "") c.command}
- '';
- } {
- # Certificate chain
- contents = ''
- {{with ${secretStanza}}}
- {{ .Data.issuer_cert }}{{ end }}
- '';
- destination = chainPath c;
- perms = c.chain.mode;
- command = let
- grp = groupOrDefault c.chain.group c;
- in pkgs.writeShellScript "post-${c.name}-chain" ''
- ${lib.optionalString (grp != "") ''
- chgrp "${grp}" "${chainPath c}"
- ''}
- '';
- } {
- # Key
- contents = ''
- {{with ${secretStanza}}}
- {{ .Data.private_key }}{{ end }}
- '';
- destination = keyPath c;
- perms = c.key.mode;
- command = let
- grp = groupOrDefault c.key.group c;
- in pkgs.writeShellScript "post-${c.name}-key" ''
- ${lib.optionalString (grp != "") ''
- chgrp "${grp}" "${keyPath c}"
- ''}
- '';
- }
- ]) acmeCertificates;
+ destination = "/var/lib/acme/${c.name}/token";
+ perms = "0600";
+ command = let
+ grp = groupOrDefault c.fullchain.group c;
+ in pkgs.writeShellScript "post-${c.name}-crt" ''
+ ${lib.concatMapStringsSep "\n" (x: ''
+ /run/current-system/sw/bin/systemctl reload-or-restart ${x}
+ '') (reloadOrRestartUnits c)}
+ ${lib.concatMapStringsSep "\n" (x: ''
+ /run/current-system/sw/bin/systemctl restart ${x}
+ '') c.restartUnits}
+ ${lib.optionalString (c.command != "") c.command}
+ '';
+ }) acmeCertificates;
+ extraWritableDirs = lib.unique (builtins.concatMap (c: [
+ (dirOf (fullchainPath c))
+ (dirOf (chainPath c))
+ (dirOf (keyPath c))
+ ]) acmeCertificates);
 acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c: let
 fullchainDir = dirOf (fullchainPath c);
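Review bot: The three new `writeToFile` calls pass `"${groupOrDefault c.fullchain.group c}"` (and the chain/key equivalents) unconditionally, whereas the removed `chgrp` was guarded by `lib.optionalString (grp != "")`, so an empty group that the old code tolerated now reaches Vault Agent's group lookup and will presumably fail the whole render, taking the private key and certificate writes with it; either confirm `groupOrDefault` can no longer yield `""` or fall back explicitly, e.g. `"${let g = groupOrDefault c.fullchain.group c; in if g == "" then "vault-agent" else g}"`. The `grp = groupOrDefault c.fullchain.group c;` binding kept in the new `command` let-block is no longer referenced and should be dropped. The `destination` line deserves a comment, since an otherwise empty 0600 token file is puzzling to the next reader: `# Rendered only for its side effects: writeToFile emits the real cert/chain/key files and the reload hooks run once per render.` Note also that the three files are now written as separate steps by `writeToFile` rather than via Vault Agent's rename-into-place of `destination`, so anything watching the key/cert paths directly (rather than via the restart hooks below) may briefly observe a mismatched pair — worth confirming against the consumers. The enclosing `let` begins before this hunk.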
@@ -105,6 +72,7 @@ let
 in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
 ++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
 ++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
+ ++ [ "d /var/lib/acme/${c.name} 0750 vault-agent - -" ]
 ) acmeCertificates);
 allRestartableUnits = lib.unique (builtins.concatMap (c: (reloadOrRestartUnits c) ++ c.restartUnits) acmeCertificates);
@@ -209,6 +177,7 @@ in
 services.vault-agent = {
 serviceConfig = {
 SupplementaryGroups = mkBefore acmeCertificatesGroups;
+ ReadWritePaths = mkBefore extraWritableDirs;
 };
 };
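Review bot: `ReadWritePaths = mkBefore extraWritableDirs;` only covers the directories of the fullchain/chain/key outputs, not `/var/lib/acme/${c.name}`, which the new tmpfiles rule creates and where the template's `destination` token file lives; if the vault-agent unit is sandboxed with `ProtectSystem=strict` or a `ReadOnlyPaths` covering `/var/lib` (not visible here), the token render itself will fail before any `writeToFile` runs. Either add `"/var/lib/acme/${c.name}"` to `extraWritableDirs` in the hunk above or declare the token directory via `StateDirectory` so systemd makes it writable. It would also help to record the intent next to the option, e.g. `# writeToFile needs write access to the output dirs; the sandbox (if any) only opens these, not all of /var/lib.` The surrounding `services.vault-agent` attrset continues outside this hunk.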