vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect

This avoids annoying problems like "too many" retries for certificate issuance,
since the secret is now requested only once.
This commit is contained in:
Luke Granger-Brown 2022-03-11 22:07:31 +00:00
parent ac0c6eccef
commit ae97fddae2


@ -26,26 +26,19 @@ let
(groupOrDefault c.key.group c)
]) acmeCertificates));
acmeCertificatesTemplate = builtins.concatMap (c: let
secretStanza = ''
secret "acme/certs/${c.role}" "common_name=${c.name}" "alternative_names=${builtins.concatStringsSep "," (builtins.sort builtins.lessThan c.extraNames)}"
'';
in [
{
# Certificate full chain
acmeCertificatesTemplate = map (c: {
contents = ''
{{with ${secretStanza}}}
{{ .Data.cert }}{{ end }}
{{with secret "acme/certs/${c.role}" "common_name=${c.name}" "alternative_names=${builtins.concatStringsSep "," (builtins.sort builtins.lessThan c.extraNames)}"}}
{{ .Data.cert | writeToFile "${fullchainPath c}" "vault-agent" "${groupOrDefault c.fullchain.group c}" "${c.fullchain.mode}" "newline" }}
{{ .Data.issuer_cert | writeToFile "${chainPath c}" "vault-agent" "${groupOrDefault c.chain.group c}" "${c.chain.mode}" "newline" }}
{{ .Data.private_key | writeToFile "${keyPath c}" "vault-agent" "${groupOrDefault c.key.group c}" "${c.key.mode}" "newline" }}
{{ end }}
'';
destination = fullchainPath c;
perms = c.fullchain.mode;
destination = "/var/lib/acme/${c.name}/token";
perms = "0600";
command = let
grp = groupOrDefault c.fullchain.group c;
in pkgs.writeShellScript "post-${c.name}-crt" ''
sleep 1s # Cheap hack...
${lib.optionalString (grp != "") ''
chgrp "${grp}" "${fullchainPath c}"
''}
${lib.concatMapStringsSep "\n" (x: ''
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
'') (reloadOrRestartUnits c)}
@ -54,39 +47,13 @@ let
'') c.restartUnits}
${lib.optionalString (c.command != "") c.command}
'';
} {
# Certificate chain
contents = ''
{{with ${secretStanza}}}
{{ .Data.issuer_cert }}{{ end }}
'';
destination = chainPath c;
perms = c.chain.mode;
command = let
grp = groupOrDefault c.chain.group c;
in pkgs.writeShellScript "post-${c.name}-chain" ''
${lib.optionalString (grp != "") ''
chgrp "${grp}" "${chainPath c}"
''}
'';
} {
# Key
contents = ''
{{with ${secretStanza}}}
{{ .Data.private_key }}{{ end }}
'';
destination = keyPath c;
perms = c.key.mode;
command = let
grp = groupOrDefault c.key.group c;
in pkgs.writeShellScript "post-${c.name}-key" ''
${lib.optionalString (grp != "") ''
chgrp "${grp}" "${keyPath c}"
''}
'';
}
]) acmeCertificates;
}) acmeCertificates;
extraWritableDirs = lib.unique (builtins.concatMap (c: [
(dirOf (fullchainPath c))
(dirOf (chainPath c))
(dirOf (keyPath c))
]) acmeCertificates);
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
let
fullchainDir = dirOf (fullchainPath c);
@ -105,6 +72,7 @@ let
in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
++ [ "d /var/lib/acme/${c.name} 0750 vault-agent - -" ]
) acmeCertificates);
allRestartableUnits = lib.unique (builtins.concatMap (c: (reloadOrRestartUnits c) ++ c.restartUnits) acmeCertificates);
@ -209,6 +177,7 @@ in
services.vault-agent = {
serviceConfig = {
SupplementaryGroups = mkBefore acmeCertificatesGroups;
ReadWritePaths = mkBefore extraWritableDirs;
};
};
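Review bot: The new token destination `/var/lib/acme/${c.name}/token` in the first hunk is not covered by `extraWritableDirs`, which still lists only the fullchain, chain and key directories, yet that list is what the last hunk feeds into `ReadWritePaths`; if the vault-agent unit runs under `ProtectSystem=strict` (not visible here), the token write will fail before any of the `writeToFile` side-effects run. I would add `"/var/lib/acme/${c.name}"` alongside `(dirOf (keyPath c))` in the `extraWritableDirs` list so the tmpfiles entry in the third hunk and the writable-path set stay in step. Separately, as far as I recall `writeToFile` truncates and rewrites the target in place rather than renaming a temp file into position, so a service reading the key file while the template re-renders can observe an empty or partial key; a short comment on the `.Data.private_key` line noting that rotation is not atomic and that consumers are only restarted afterwards via `command` would save the next maintainer from assuming otherwise. The `let` binding these hunks belong to starts before and ends after the visible lines.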