vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect
This avoids problems such as hitting the "too many" retries limit for certificate issuance, since the secret is now requested from Vault only once per certificate instead of once per output file.
This commit is contained in:
parent
ac0c6eccef
commit
ae97fddae2
1 changed files with 28 additions and 59 deletions
|
@ -26,26 +26,19 @@ let
|
||||||
(groupOrDefault c.key.group c)
|
(groupOrDefault c.key.group c)
|
||||||
]) acmeCertificates));
|
]) acmeCertificates));
|
||||||
|
|
||||||
acmeCertificatesTemplate = builtins.concatMap (c: let
|
acmeCertificatesTemplate = map (c: {
|
||||||
secretStanza = ''
|
|
||||||
secret "acme/certs/${c.role}" "common_name=${c.name}" "alternative_names=${builtins.concatStringsSep "," (builtins.sort builtins.lessThan c.extraNames)}"
|
|
||||||
'';
|
|
||||||
in [
|
|
||||||
{
|
|
||||||
# Certificate full chain
|
|
||||||
contents = ''
|
contents = ''
|
||||||
{{with ${secretStanza}}}
|
{{with secret "acme/certs/${c.role}" "common_name=${c.name}" "alternative_names=${builtins.concatStringsSep "," (builtins.sort builtins.lessThan c.extraNames)}"}}
|
||||||
{{ .Data.cert }}{{ end }}
|
{{ .Data.cert | writeToFile "${fullchainPath c}" "vault-agent" "${groupOrDefault c.fullchain.group c}" "${c.fullchain.mode}" "newline" }}
|
||||||
|
{{ .Data.issuer_cert | writeToFile "${chainPath c}" "vault-agent" "${groupOrDefault c.chain.group c}" "${c.chain.mode}" "newline" }}
|
||||||
|
{{ .Data.private_key | writeToFile "${keyPath c}" "vault-agent" "${groupOrDefault c.key.group c}" "${c.key.mode}" "newline" }}
|
||||||
|
{{ end }}
|
||||||
'';
|
'';
|
||||||
destination = fullchainPath c;
|
destination = "/var/lib/acme/${c.name}/token";
|
||||||
perms = c.fullchain.mode;
|
perms = "0600";
|
||||||
command = let
|
command = let
|
||||||
grp = groupOrDefault c.fullchain.group c;
|
grp = groupOrDefault c.fullchain.group c;
|
||||||
in pkgs.writeShellScript "post-${c.name}-crt" ''
|
in pkgs.writeShellScript "post-${c.name}-crt" ''
|
||||||
sleep 1s # Cheap hack...
|
|
||||||
${lib.optionalString (grp != "") ''
|
|
||||||
chgrp "${grp}" "${fullchainPath c}"
|
|
||||||
''}
|
|
||||||
${lib.concatMapStringsSep "\n" (x: ''
|
${lib.concatMapStringsSep "\n" (x: ''
|
||||||
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
|
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
|
||||||
'') (reloadOrRestartUnits c)}
|
'') (reloadOrRestartUnits c)}
|
||||||
|
@ -54,39 +47,13 @@ let
|
||||||
'') c.restartUnits}
|
'') c.restartUnits}
|
||||||
${lib.optionalString (c.command != "") c.command}
|
${lib.optionalString (c.command != "") c.command}
|
||||||
'';
|
'';
|
||||||
} {
|
}) acmeCertificates;
|
||||||
# Certificate chain
|
|
||||||
contents = ''
|
|
||||||
{{with ${secretStanza}}}
|
|
||||||
{{ .Data.issuer_cert }}{{ end }}
|
|
||||||
'';
|
|
||||||
destination = chainPath c;
|
|
||||||
perms = c.chain.mode;
|
|
||||||
command = let
|
|
||||||
grp = groupOrDefault c.chain.group c;
|
|
||||||
in pkgs.writeShellScript "post-${c.name}-chain" ''
|
|
||||||
${lib.optionalString (grp != "") ''
|
|
||||||
chgrp "${grp}" "${chainPath c}"
|
|
||||||
''}
|
|
||||||
'';
|
|
||||||
} {
|
|
||||||
# Key
|
|
||||||
contents = ''
|
|
||||||
{{with ${secretStanza}}}
|
|
||||||
{{ .Data.private_key }}{{ end }}
|
|
||||||
'';
|
|
||||||
destination = keyPath c;
|
|
||||||
perms = c.key.mode;
|
|
||||||
command = let
|
|
||||||
grp = groupOrDefault c.key.group c;
|
|
||||||
in pkgs.writeShellScript "post-${c.name}-key" ''
|
|
||||||
${lib.optionalString (grp != "") ''
|
|
||||||
chgrp "${grp}" "${keyPath c}"
|
|
||||||
''}
|
|
||||||
'';
|
|
||||||
}
|
|
||||||
]) acmeCertificates;
|
|
||||||
|
|
||||||
|
extraWritableDirs = lib.unique (builtins.concatMap (c: [
|
||||||
|
(dirOf (fullchainPath c))
|
||||||
|
(dirOf (chainPath c))
|
||||||
|
(dirOf (keyPath c))
|
||||||
|
]) acmeCertificates);
|
||||||
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
|
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
|
||||||
let
|
let
|
||||||
fullchainDir = dirOf (fullchainPath c);
|
fullchainDir = dirOf (fullchainPath c);
|
||||||
|
@ -105,6 +72,7 @@ let
|
||||||
in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
|
in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
|
||||||
++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
|
++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
|
||||||
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
|
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
|
||||||
|
++ [ "d /var/lib/acme/${c.name} 0750 vault-agent - -" ]
|
||||||
) acmeCertificates);
|
) acmeCertificates);
|
||||||
|
|
||||||
allRestartableUnits = lib.unique (builtins.concatMap (c: (reloadOrRestartUnits c) ++ c.restartUnits) acmeCertificates);
|
allRestartableUnits = lib.unique (builtins.concatMap (c: (reloadOrRestartUnits c) ++ c.restartUnits) acmeCertificates);
|
||||||
|
@ -209,6 +177,7 @@ in
|
||||||
services.vault-agent = {
|
services.vault-agent = {
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
SupplementaryGroups = mkBefore acmeCertificatesGroups;
|
SupplementaryGroups = mkBefore acmeCertificatesGroups;
|
||||||
|
ReadWritePaths = mkBefore extraWritableDirs;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|