diff --git a/ops/nixos/blade-tuvok/default.nix b/ops/nixos/blade-tuvok/default.nix index 0294c1649c..a1e2be3c7b 100644 --- a/ops/nixos/blade-tuvok/default.nix +++ b/ops/nixos/blade-tuvok/default.nix @@ -69,7 +69,6 @@ in { recommendedTlsSettings = true; recommendedGzipSettings = true; virtualHosts."objdump.zxcvbnm.ninja" = { - useACMEHost = "objdump.zxcvbnm.ninja"; default = true; forceSSL = true; locations."/" = { @@ -82,11 +81,9 @@ in { }; }; }; - security.acme.certs."objdump.zxcvbnm.ninja" = { - group = config.services.nginx.group; - extraDomainNames = [ - "*.objdump.zxcvbnm.ninja" - ]; + my.vault.acmeCertificates."objdump.zxcvbnm.ninja" = { + extraNames = [ "*.objdump.zxcvbnm.ninja" ]; + nginxVirtualHosts = [ "objdump.zxcvbnm.ninja" ]; }; my.fup.listen = [ "0.0.0.0" "[::]" diff --git a/ops/nixos/bvm-matrix/default.nix b/ops/nixos/bvm-matrix/default.nix index fb9af4ad4d..0bfa56d8be 100644 --- a/ops/nixos/bvm-matrix/default.nix +++ b/ops/nixos/bvm-matrix/default.nix @@ -58,8 +58,8 @@ in { use-auth-secret = true; realm = "matrix.zxcvbnm.ninja"; static-auth-secret = machineSecrets.turnSecret; - cert = "${config.security.acme.certs."matrix.zxcvbnm.ninja".directory}/fullchain.pem"; - pkey = "${config.security.acme.certs."matrix.zxcvbnm.ninja".directory}/key.pem"; + cert = "/var/lib/acme/matrix.zxcvbnm.ninja/fullchain.pem"; + pkey = "/var/lib/acme/matrix.zxcvbnm.ninja/privkey.pem"; }; services.nginx = { enable = true; @@ -71,7 +71,6 @@ in { virtualHosts = { "zxcvbnm.ninja" = { forceSSL = true; - useACMEHost = "matrix.zxcvbnm.ninja"; locations = let inherit (lib) mapAttrs' nameValuePair; wellKnown = { @@ -90,13 +89,11 @@ in { }; "matrix.zxcvbnm.ninja" = { forceSSL = true; - useACMEHost = "matrix.zxcvbnm.ninja"; locations."/".return = "301 https://element.zxcvbnm.ninja$request_uri"; locations."/_matrix".proxyPass = "http://[::1]:8008"; }; "element.zxcvbnm.ninja" = { forceSSL = true; - useACMEHost = "matrix.zxcvbnm.ninja"; extraConfig = '' add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; @@ -168,9 +165,10 @@ in { members = [ "turnserver" "nginx" ]; }; - security.acme.certs."matrix.zxcvbnm.ninja" = { + my.vault.acmeCertificates."matrix.zxcvbnm.ninja" = { group = "matrixcert"; - extraDomainNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ]; + extraNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ]; + nginxVirtualHosts = [ "zxcvbnm.ninja" "element.zxcvbnm.ninja" "matrix.zxcvbnm.ninja" ]; }; system.stateVersion = "21.05"; diff --git a/ops/nixos/bvm-prosody/default.nix b/ops/nixos/bvm-prosody/default.nix index 112bbe51a7..aa68a956c3 100644 --- a/ops/nixos/bvm-prosody/default.nix +++ b/ops/nixos/bvm-prosody/default.nix @@ -36,8 +36,8 @@ in { use-auth-secret = true; realm = "turn.lukegb.com"; static-auth-secret = machineSecrets.turnSecret; - cert = "${config.security.acme.certs."turn.lukegb.com".directory}/fullchain.pem"; - pkey = "${config.security.acme.certs."turn.lukegb.com".directory}/key.pem"; + cert = "/var/lib/acme/turn.lukegb.com/fullchain.pem"; + pkey = "/var/lib/acme/turn.lukegb.com/privkey.pem"; }; services.prosody = { @@ -50,8 +50,8 @@ in { virtualHosts."lukegb.com" = { enabled = true; domain = "lukegb.com"; - ssl.cert = "${config.security.acme.certs."xmpp.lukegb.com".directory}/fullchain.pem"; - ssl.key = "${config.security.acme.certs."xmpp.lukegb.com".directory}/key.pem"; + ssl.cert = "/var/lib/acme/xmpp.lukegb.com/fullchain.pem"; + ssl.key = "/var/lib/acme/xmpp.lukegb.com/privkey.pem"; }; muc = [{ domain = "muc.xmpp.lukegb.com"; @@ -86,12 +86,12 @@ in { ''; }; - security.acme = { - certs."xmpp.lukegb.com" = { + my.vault.acmeCertificates = { + "xmpp.lukegb.com" = { group = "prosody"; - extraDomainNames = [ "*.xmpp.lukegb.com" "lukegb.com" ]; + extraNames = [ "*.xmpp.lukegb.com" "lukegb.com" ]; }; - certs."turn.lukegb.com" = { + "turn.lukegb.com" = { group = "turnserver"; }; }; diff --git a/ops/nixos/bvm-radius/default.nix b/ops/nixos/bvm-radius/default.nix index acb6040b2e..c2b915e146 100644 --- a/ops/nixos/bvm-radius/default.nix +++ b/ops/nixos/bvm-radius/default.nix @@ -54,14 +54,9 @@ in { }; my.ip.tailscale = "100.120.98.116"; - security.acme.certs."as205479.net" = { - extraDomainNames = [ "www.as205479.net" ]; - dnsProvider = "gcloud"; - credentialsFile = secrets.gcpDNSCredentials; - dnsPropagationCheck = false; - postRun = '' - systemctl restart freeradius - ''; + my.vault.acmeCertificates."as205479.net" = { + group = "acme"; + reloadOrRestartUnits = [ "freeradius.service" ]; }; users.users.nginx.extraGroups = lib.mkAfter [ "acme" ]; diff --git a/ops/nixos/bvm-radius/raddb/mods-available/eap-custom b/ops/nixos/bvm-radius/raddb/mods-available/eap-custom index 6d39325057..3327220a07 100644 --- a/ops/nixos/bvm-radius/raddb/mods-available/eap-custom +++ b/ops/nixos/bvm-radius/raddb/mods-available/eap-custom @@ -110,7 +110,7 @@ eap { # tls-config tls-common { #private_key_password = whatever - private_key_file = /var/lib/acme/as205479.net/key.pem + private_key_file = /var/lib/acme/as205479.net/privkey.pem # If Private key & Certificate are located in # the same file, then private_key_file & diff --git a/ops/nixos/clouvider-lon01/default.nix b/ops/nixos/clouvider-lon01/default.nix index 794e9021c5..4f6d38913f 100644 --- a/ops/nixos/clouvider-lon01/default.nix +++ b/ops/nixos/clouvider-lon01/default.nix @@ -192,11 +192,9 @@ in { dataDir = "/persist/etc/znc"; useLegacyConfig = false; }; - security.acme.certs."znc.lukegb.com" = { - dnsProvider = null; - webroot = "/var/lib/acme/.challenges"; + my.vault.acmeCertificates."znc.lukegb.com" = { + extraNames = [ "akiichiro.lukegb.com" ]; group = "znc-acme"; - extraDomainNames = ["akiichiro.lukegb.com"]; }; services.nginx = { enable = true; diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix index d47f6c4e38..b4ab0713b5 100644 --- a/ops/nixos/etheroute-lon01/default.nix +++ b/ops/nixos/etheroute-lon01/default.nix @@ -251,7 +251,6 @@ in { services.pomerium = { enable = true; secretsFile = machineSecrets.pomeriumSecrets; - useACMEHost = "int.lukegb.com"; settings = { address = ":443"; @@ -280,6 +279,10 @@ in { authenticate_service_url = "https://auth.int.lukegb.com"; signout_redirect_url = "https://logged-out.int.lukegb.com"; + certificates = [ + { cert = "/var/lib/acme/lukegb.com/fullchain.pem"; key = "/var/lib/acme/lukegb.com/privkey.pem"; } + ]; + policy = let baseConfig = { allowed_domains = [ "lukegb.com" ]; @@ -344,18 +347,18 @@ in { systemd.services.pomerium = { wants = lib.mkAfter [ "redis.service" ]; after = lib.mkAfter [ "redis.service" ]; + serviceConfig = { + SupplementaryGroups = [ "acme" ]; + ReadOnlyPaths = [ "/var/lib/acme" ]; + }; }; - security.acme.certs."int.lukegb.com" = { - domain = "*.int.lukegb.com"; - extraDomainNames = [ - # "int.lukegb.com" # redundant with *.lukegb.com + my.vault.acmeCertificates."lukegb.com" = { + extraNames = [ "lukegb.com" "*.lukegb.com" "objdump.zxcvbnm.ninja" ]; - postRun = '' - systemctl restart pomerium - ''; + reloadOrRestartUnits = [ "pomerium.service" ]; }; system.stateVersion = "20.09"; diff --git a/ops/nixos/lib/as205479-web.nix b/ops/nixos/lib/as205479-web.nix index 930c05d204..733eb9a44b 100644 --- a/ops/nixos/lib/as205479-web.nix +++ b/ops/nixos/lib/as205479-web.nix @@ -1,17 +1,16 @@ { config, depot, lib, ... }: { - security.acme.certs."as205479.net" = { - dnsProvider = "gcloud"; - credentialsFile = depot.ops.secrets.gcpDNSCredentials; - dnsPropagationCheck = false; - }; services.nginx = { enable = lib.mkDefault true; virtualHosts."as205479.net" = { - useACMEHost = "as205479.net"; forceSSL = true; locations."/".root = depot.web.as205479 config.networking.hostName; }; }; + my.vault.acmeCertificates."as205479.net" = { + role = "letsencrypt-gcloud-as205479"; + extraNames = [ "www.as205479.net" ]; + nginxVirtualHosts = [ "as205479.net" ]; + }; } diff --git a/ops/nixos/lib/baserow.nix b/ops/nixos/lib/baserow.nix index 4f66c208e7..d2d7d6b1dc 100644 --- a/ops/nixos/lib/baserow.nix +++ b/ops/nixos/lib/baserow.nix @@ -148,7 +148,6 @@ in services.nginx.recommendedTlsSettings = true; services.nginx.virtualHosts = { "baserow.lukegb.com" = { - enableACME = true; forceSSL = true; extraConfig = '' proxy_read_timeout 1800s; @@ -160,7 +159,6 @@ in }; }; "api.baserow.lukegb.com" = { - enableACME = true; forceSSL = true; extraConfig = '' proxy_read_timeout 1800s; @@ -173,9 +171,7 @@ in }; }; "baserow-media.zxcvbnm.ninja" = { - enableACME = true; forceSSL = true; - root = "/var/lib/baserow/media"; locations."/user_files" = { root = "/var/lib/baserow/media"; @@ -191,6 +187,12 @@ in }; }; }; + my.vault.acmeCertificates = { + "baserow.lukegb.com" = { + extraNames = [ "api.baserow.lukegb.com" "baserow-media.zxcvbnm.ninja" ]; + nginxVirtualHosts = [ "baserow.lukegb.com" "api.baserow.lukegb.com" "baserow-media.zxcvbnm.ninja" ]; + }; + }; services.postfix = { enable = true; diff --git a/ops/nixos/lib/fup.nix b/ops/nixos/lib/fup.nix index 0b4ec71f42..ac0ad2987e 100644 --- a/ops/nixos/lib/fup.nix +++ b/ops/nixos/lib/fup.nix @@ -27,14 +27,13 @@ in ssl = true; }) config.my.fup.listen); in { - security.acme.certs."p.lukegb.com" = { - group = config.services.nginx.group; + my.vault.acmeCertificates."p.lukegb.com" = { + nginxVirtualHosts = [ "p.lukegb.com" ]; }; services.nginx = { enable = lib.mkDefault true; virtualHosts."p.lukegb.com" = { listen = nginxListen; - useACMEHost = "p.lukegb.com"; forceSSL = true; locations."/" = { proxyPass = "http://unix:${sock}"; diff --git a/ops/nixos/lib/quotes.bfob.gg.nix b/ops/nixos/lib/quotes.bfob.gg.nix index f13ebed236..0cb390e093 100644 --- a/ops/nixos/lib/quotes.bfob.gg.nix +++ b/ops/nixos/lib/quotes.bfob.gg.nix @@ -25,21 +25,19 @@ in ssl = true; }) config.my.quotesdb.listen); in { - security.acme.certs."bfob.gg" = { - group = config.services.nginx.group; - extraDomainNames = ["*.bfob.gg"]; + my.vault.acmeCertificates."bfob.gg" = { + extraNames = [ "*.bfob.gg" ]; + nginxVirtualHosts = [ "qdb.bfob.gg" "quotes.bfob.gg" "dev-quotes.bfob.gg" ]; }; services.nginx = { enable = lib.mkDefault true; virtualHosts."qdb.bfob.gg" = { listen = nginxListen; - useACMEHost = "bfob.gg"; globalRedirect = "quotes.bfob.gg"; forceSSL = true; }; virtualHosts."quotes.bfob.gg" = { listen = nginxListen; - useACMEHost = "bfob.gg"; forceSSL = true; locations."/static" = { root = "${pkg}/share"; @@ -50,7 +48,6 @@ in }; virtualHosts."dev-quotes.bfob.gg" = { listen = nginxListen; - useACMEHost = "bfob.gg"; forceSSL = true; locations."/" = { proxyPass = "http://127.0.0.1:8000"; diff --git a/ops/nixos/lib/vault-agent-acme.nix b/ops/nixos/lib/vault-agent-acme.nix index f02ebc7d6f..bb8ef368c9 100644 --- a/ops/nixos/lib/vault-agent-acme.nix +++ b/ops/nixos/lib/vault-agent-acme.nix @@ -4,7 +4,9 @@ { pkgs, config, depot, lib, ... }: let - inherit (lib) mkOption types mkBefore optionalAttrs; + inherit (lib) mkOption types mkBefore optionalAttrs mkDefault; + + acmeCertificates = lib.mapAttrsToList (name: cOrig: cOrig // { inherit name; }) config.my.vault.acmeCertificates; # Work out where we're being asked to write things, and which groups, so we can correctly get permissions. fullchainPath = c: pathFor c.fullchain c "fullchain.pem"; @@ -12,7 +14,17 @@ let keyPath = c: pathFor c.key c "privkey.pem"; pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path; - acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.fullchain.group c.chain.group c.key.group ]) config.my.vault.acmeCertificates)); + isNginx = c: builtins.length c.nginxVirtualHosts > 0; + defaultGroup = c: if isNull c.group then if isNginx c then "nginx" else "acme" else c.group; + groupOrDefault = p: c: if isNull p then defaultGroup c else p; + + reloadOrRestartUnits = c: (lib.optional (isNginx c) "nginx.service") ++ c.reloadOrRestartUnits; + + acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ + (groupOrDefault c.fullchain.group c) + (groupOrDefault c.chain.group c) + (groupOrDefault c.key.group c) + ]) acmeCertificates)); acmeCertificatesTemplate = builtins.concatMap (c: let secretStanza = '' @@ -27,14 +39,16 @@ let ''; destination = fullchainPath c; perms = c.fullchain.mode; - command = pkgs.writeShellScript "post-${c.name}-crt" '' + command = let + grp = groupOrDefault c.fullchain.group c; + in pkgs.writeShellScript "post-${c.name}-crt" '' sleep 1s # Cheap hack... - ${lib.optionalString (c.fullchain.group != "") '' - chgrp "${c.fullchain.group}" "${fullchainPath c}" + ${lib.optionalString (grp != "") '' + chgrp "${grp}" "${fullchainPath c}" ''} ${lib.concatMapStringsSep "\n" (x: '' /run/current-system/sw/bin/systemctl reload-or-restart ${x} - '') c.reloadOrRestartUnits} + '') (reloadOrRestartUnits c)} ${lib.concatMapStringsSep "\n" (x: '' /run/current-system/sw/bin/systemctl restart ${x} '') c.restartUnits} @@ -48,9 +62,11 @@ let ''; destination = chainPath c; perms = c.chain.mode; - command = pkgs.writeShellScript "post-${c.name}-chain" '' - ${lib.optionalString (c.chain.group != "") '' - chgrp "${c.chain.group}" "${chainPath c}" + command = let + grp = groupOrDefault c.chain.group c; + in pkgs.writeShellScript "post-${c.name}-chain" '' + ${lib.optionalString (grp != "") '' + chgrp "${grp}" "${chainPath c}" ''} ''; } { @@ -61,13 +77,15 @@ let ''; destination = keyPath c; perms = c.key.mode; - command = pkgs.writeShellScript "post-${c.name}-key" '' - ${lib.optionalString (c.key.group != "") '' - chgrp "${c.key.group}" "${keyPath c}" + command = let + grp = groupOrDefault c.key.group c; + in pkgs.writeShellScript "post-${c.name}-key" '' + ${lib.optionalString (grp != "") '' + chgrp "${grp}" "${keyPath c}" ''} ''; } - ]) config.my.vault.acmeCertificates; + ]) acmeCertificates; acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c: let @@ -75,21 +93,25 @@ let chainDir = dirOf (chainPath c); keyDir = dirOf (keyPath c); - dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if c.fullchain.group == c.key.group && c.fullchain.group == c.chain.group then c.fullchain.group else "-" else null; + fullchainGroup = groupOrDefault c.fullchain.group c; + chainGroup = groupOrDefault c.chain.group c; + keyGroup = groupOrDefault c.key.group c; - fullchainDirGroup = if isNull dirGroup then c.fullchain.group else dirGroup; - chainDirGroup = if isNull dirGroup then c.chain.group else dirGroup; - keyDirGroup = if isNull dirGroup then c.key.group else dirGroup; + dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if fullchainGroup == keyGroup && fullchainGroup == chainGroup then fullchainGroup else "-" else null; + + fullchainDirGroup = if isNull dirGroup then fullchainGroup else dirGroup; + chainDirGroup = if isNull dirGroup then chainGroup else dirGroup; + keyDirGroup = if isNull dirGroup then keyGroup else dirGroup; in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -" ++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -" ++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -" - ) config.my.vault.acmeCertificates); + ) acmeCertificates); - allRestartableUnits = lib.unique (builtins.concatMap (c: c.reloadOrRestartUnits ++ c.restartUnits) config.my.vault.acmeCertificates); + allRestartableUnits = lib.unique (builtins.concatMap (c: (reloadOrRestartUnits c) ++ c.restartUnits) acmeCertificates); in { options.my.vault.acmeCertificates = mkOption { - type = with types; listOf (submodule { + type = with types; attrsOf (submodule { options = let fileType = what: defaultMode: submodule { options = { @@ -105,9 +127,9 @@ in }; group = mkOption { - type = str; - default = "acme"; - description = "Owner group to set for the ${what}."; + type = nullOr str; + default = null; + description = "Owner group to set for the ${what}. If null, taken from parent."; }; makeDir = mkOption { @@ -123,10 +145,6 @@ in default = "letsencrypt-cloudflare"; description = "Which role to use for certificate issuance."; }; - name = mkOption { - type = str; - description = "First hostname for the certificate."; - }; extraNames = mkOption { type = listOf str; default = []; @@ -149,6 +167,18 @@ in description = "List of systemd units to restart after obtaining a new certificate."; }; + nginxVirtualHosts = mkOption { + type = listOf str; + default = []; + description = "List of nginx virtual hosts to apply SSL to."; + }; + + group = mkOption { + type = nullOr str; + default = null; + description = "Owner group to set for the generated files. Defaults to 'acme' unless nginxVirtualHosts is set, in which case it defaults to 'nginx'."; + }; + fullchain = mkOption { type = fileType "certificate's full chain" "0644"; default = {}; @@ -163,7 +193,7 @@ in }; }; }); - default = []; + default = {}; }; config = { @@ -181,6 +211,18 @@ in tmpfiles.rules = acmeCertificatesTmpdirs; }; + services.nginx = optionalAttrs config.my.vault.enable { + virtualHosts = builtins.listToAttrs (builtins.concatMap (certData: let + fullchain = fullchainPath certData; + chain = chainPath certData; + key = keyPath certData; + in map (hostName: lib.nameValuePair hostName { + sslCertificate = mkDefault (fullchainPath certData); + sslCertificateKey = mkDefault (keyPath certData); + sslTrustedCertificate = mkDefault (chainPath certData); + }) certData.nginxVirtualHosts) acmeCertificates); + }; + security.polkit.extraConfig = lib.mkAfter '' // NixOS module: depot/lib/vault-agent-acme.nix polkit.addRule(function(action, subject) { diff --git a/ops/nixos/totoro/default.nix b/ops/nixos/totoro/default.nix index 692a8a2ad9..f5486424c0 100644 --- a/ops/nixos/totoro/default.nix +++ b/ops/nixos/totoro/default.nix @@ -186,7 +186,6 @@ in { }; in { root = "/srv/pancake/public_html"; - useACMEHost = "invoices.lukegb.com"; forceSSL = true; locations."/" = { tryFiles = "$uri $uri/ @router"; @@ -201,7 +200,6 @@ in { }; "plex-totoro.lukegb.com" = { - enableACME = true; forceSSL = true; locations."/" = { proxyPass = "http://localhost:32400/"; @@ -241,18 +239,6 @@ in { }]; }; - security.acme = { - certs."invoices.lukegb.com" = { - domain = "invoices.lukegb.com"; - postRun = '' - systemctl reload nginx - ''; - }; - certs."trains.lukegb.com" = { - domain = "trains.lukegb.com"; - }; - }; - services.prometheus = { enable = true; stateDir = "export/monitoring/prometheus"; @@ -557,17 +543,10 @@ in { }; }; - my.vault.acmeCertificates = [ - { - name = "lukegb.com"; - role = "lukegb.com-staging"; - extraNames = [ "*.lukegb.com" "*.int.lukegb.com" ]; - restartUnits = [ "nginx.service" ]; - #certificate.path = "/tmp/lukegb.com.crt"; - #key.path = "/tmp/lukegb.com.key"; - key.group = "acme"; - } - ]; + my.vault.acmeCertificates = { + "plex-totoro.lukegb.com" = { nginxVirtualHosts = [ "plex-totoro.lukegb.com" ]; }; + "invoices.lukegb.com" = { nginxVirtualHosts = [ "invoices.lukegb.com" ]; }; + }; system.stateVersion = "20.03"; } diff --git a/ops/nixos/totoro/home-assistant.nix b/ops/nixos/totoro/home-assistant.nix index f55b054f29..b2c7c2bd33 100644 --- a/ops/nixos/totoro/home-assistant.nix +++ b/ops/nixos/totoro/home-assistant.nix @@ -133,20 +133,14 @@ in { }; }; - security.acme.certs."ha.lukegb.com" = { - dnsProvider = "cloudflare"; - credentialsFile = secrets.cloudflareCredentials; - domain = "ha.lukegb.com"; - postRun = '' - systemctl reload nginx - ''; - }; services.nginx.virtualHosts."ha.lukegb.com" = { forceSSL = true; - useACMEHost = "ha.lukegb.com"; locations."/" = { proxyPass = "http://localhost:8123/"; proxyWebsockets = true; }; }; + my.vault.acmeCertificates."ha.lukegb.com" = { + nginxVirtualHosts = [ "ha.lukegb.com" ]; + }; }