vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect
This avoids annoying problems like "too many" retries for certificate issuance, since we only ask for the secret once.
This commit is contained in:
parent
ac0c6eccef
commit
ae97fddae2
1 changed files with 28 additions and 59 deletions
|
@ -26,67 +26,34 @@ let
|
|||
(groupOrDefault c.key.group c)
|
||||
]) acmeCertificates));
|
||||
|
||||
acmeCertificatesTemplate = builtins.concatMap (c: let
|
||||
secretStanza = ''
|
||||
secret "acme/certs/${c.role}" "common_name=${c.name}" "alternative_names=${builtins.concatStringsSep "," (builtins.sort builtins.lessThan c.extraNames)}"
|
||||
acmeCertificatesTemplate = map (c: {
|
||||
contents = ''
|
||||
{{with secret "acme/certs/${c.role}" "common_name=${c.name}" "alternative_names=${builtins.concatStringsSep "," (builtins.sort builtins.lessThan c.extraNames)}"}}
|
||||
{{ .Data.cert | writeToFile "${fullchainPath c}" "vault-agent" "${groupOrDefault c.fullchain.group c}" "${c.fullchain.mode}" "newline" }}
|
||||
{{ .Data.issuer_cert | writeToFile "${chainPath c}" "vault-agent" "${groupOrDefault c.chain.group c}" "${c.chain.mode}" "newline" }}
|
||||
{{ .Data.private_key | writeToFile "${keyPath c}" "vault-agent" "${groupOrDefault c.key.group c}" "${c.key.mode}" "newline" }}
|
||||
{{ end }}
|
||||
'';
|
||||
in [
|
||||
{
|
||||
# Certificate full chain
|
||||
contents = ''
|
||||
{{with ${secretStanza}}}
|
||||
{{ .Data.cert }}{{ end }}
|
||||
'';
|
||||
destination = fullchainPath c;
|
||||
perms = c.fullchain.mode;
|
||||
command = let
|
||||
grp = groupOrDefault c.fullchain.group c;
|
||||
in pkgs.writeShellScript "post-${c.name}-crt" ''
|
||||
sleep 1s # Cheap hack...
|
||||
${lib.optionalString (grp != "") ''
|
||||
chgrp "${grp}" "${fullchainPath c}"
|
||||
''}
|
||||
${lib.concatMapStringsSep "\n" (x: ''
|
||||
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
|
||||
'') (reloadOrRestartUnits c)}
|
||||
${lib.concatMapStringsSep "\n" (x: ''
|
||||
/run/current-system/sw/bin/systemctl restart ${x}
|
||||
'') c.restartUnits}
|
||||
${lib.optionalString (c.command != "") c.command}
|
||||
'';
|
||||
} {
|
||||
# Certificate chain
|
||||
contents = ''
|
||||
{{with ${secretStanza}}}
|
||||
{{ .Data.issuer_cert }}{{ end }}
|
||||
'';
|
||||
destination = chainPath c;
|
||||
perms = c.chain.mode;
|
||||
command = let
|
||||
grp = groupOrDefault c.chain.group c;
|
||||
in pkgs.writeShellScript "post-${c.name}-chain" ''
|
||||
${lib.optionalString (grp != "") ''
|
||||
chgrp "${grp}" "${chainPath c}"
|
||||
''}
|
||||
'';
|
||||
} {
|
||||
# Key
|
||||
contents = ''
|
||||
{{with ${secretStanza}}}
|
||||
{{ .Data.private_key }}{{ end }}
|
||||
'';
|
||||
destination = keyPath c;
|
||||
perms = c.key.mode;
|
||||
command = let
|
||||
grp = groupOrDefault c.key.group c;
|
||||
in pkgs.writeShellScript "post-${c.name}-key" ''
|
||||
${lib.optionalString (grp != "") ''
|
||||
chgrp "${grp}" "${keyPath c}"
|
||||
''}
|
||||
'';
|
||||
}
|
||||
]) acmeCertificates;
|
||||
destination = "/var/lib/acme/${c.name}/token";
|
||||
perms = "0600";
|
||||
command = let
|
||||
grp = groupOrDefault c.fullchain.group c;
|
||||
in pkgs.writeShellScript "post-${c.name}-crt" ''
|
||||
${lib.concatMapStringsSep "\n" (x: ''
|
||||
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
|
||||
'') (reloadOrRestartUnits c)}
|
||||
${lib.concatMapStringsSep "\n" (x: ''
|
||||
/run/current-system/sw/bin/systemctl restart ${x}
|
||||
'') c.restartUnits}
|
||||
${lib.optionalString (c.command != "") c.command}
|
||||
'';
|
||||
}) acmeCertificates;
|
||||
|
||||
extraWritableDirs = lib.unique (builtins.concatMap (c: [
|
||||
(dirOf (fullchainPath c))
|
||||
(dirOf (chainPath c))
|
||||
(dirOf (keyPath c))
|
||||
]) acmeCertificates);
|
||||
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
|
||||
let
|
||||
fullchainDir = dirOf (fullchainPath c);
|
||||
|
@ -105,6 +72,7 @@ let
|
|||
in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
|
||||
++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
|
||||
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
|
||||
++ [ "d /var/lib/acme/${c.name} 0750 vault-agent - -" ]
|
||||
) acmeCertificates);
|
||||
|
||||
allRestartableUnits = lib.unique (builtins.concatMap (c: (reloadOrRestartUnits c) ++ c.restartUnits) acmeCertificates);
|
||||
|
@ -209,6 +177,7 @@ in
|
|||
services.vault-agent = {
|
||||
serviceConfig = {
|
||||
SupplementaryGroups = mkBefore acmeCertificatesGroups;
|
||||
ReadWritePaths = mkBefore extraWritableDirs;
|
||||
};
|
||||
};
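Review bot: The rendered content of the new token template (lines 33-51) is the same on every render, because `writeToFile` emits nothing into the template output; if vault-agent only runs `command` when the destination file's contents change, the reload/restart in `post-${c.name}-crt` (lines 234-258) would fire on the first render but not on certificate renewal, leaving services on the old certificate until restarted by other means. A cheap way to make the token file change with the certificate is to emit a fingerprint of the public cert inside the `with` block, e.g. `{{ .Data.cert | sha256Hex }}` before `{{ end }}` — it carries no secret, so the `0600` mode stays a conservative choice rather than a requirement. The `grp = groupOrDefault c.fullchain.group c;` binding on line 231 is no longer referenced now that group ownership is set by `writeToFile`, so it can be dropped. The three hunks cannot be attributed to old/new side from this page, so whether `/var/lib/acme/${c.name}` is also covered by `ReadWritePaths` (line 327) is worth confirming, since the token destination now lives outside the directories listed in `extraWritableDirs` (lines 266-278).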
|
||||
|
||||
|
|