ops/nixos: migrate everything to vault-agent-acme

ops/nixos/blade-tuvok/default.nix

@@ -69,7 +69,6 @@ in {
     recommendedTlsSettings = true;
     recommendedGzipSettings = true;
     virtualHosts."objdump.zxcvbnm.ninja" = {
-      useACMEHost = "objdump.zxcvbnm.ninja";
       default = true;
       forceSSL = true;
       locations."/" = {
@@ -82,11 +81,9 @@ in {
       };
     };
   };
-  security.acme.certs."objdump.zxcvbnm.ninja" = {
+  my.vault.acmeCertificates."objdump.zxcvbnm.ninja" = {
-    group = config.services.nginx.group;
+    extraNames = [ "*.objdump.zxcvbnm.ninja" ];
-    extraDomainNames = [
+    nginxVirtualHosts = [ "objdump.zxcvbnm.ninja" ];
-      "*.objdump.zxcvbnm.ninja"
-    ];
   };
   my.fup.listen = [
     "0.0.0.0" "[::]"

ops/nixos/bvm-matrix/default.nix

@@ -58,8 +58,8 @@ in {
     use-auth-secret = true;
     realm = "matrix.zxcvbnm.ninja";
     static-auth-secret = machineSecrets.turnSecret;
-    cert = "${config.security.acme.certs."matrix.zxcvbnm.ninja".directory}/fullchain.pem";
+    cert = "/var/lib/acme/matrix.zxcvbnm.ninja/fullchain.pem";
-    pkey = "${config.security.acme.certs."matrix.zxcvbnm.ninja".directory}/key.pem";
+    pkey = "/var/lib/acme/matrix.zxcvbnm.ninja/privkey.pem";
   };
   services.nginx = {
     enable = true;
@@ -71,7 +71,6 @@ in {
     virtualHosts = {
       "zxcvbnm.ninja" = {
         forceSSL = true;
-        useACMEHost = "matrix.zxcvbnm.ninja";
         locations = let
           inherit (lib) mapAttrs' nameValuePair;
           wellKnown = {
@@ -90,13 +89,11 @@ in {
       };
       "matrix.zxcvbnm.ninja" = {
         forceSSL = true;
-        useACMEHost = "matrix.zxcvbnm.ninja";
         locations."/".return = "301 https://element.zxcvbnm.ninja$request_uri";
         locations."/_matrix".proxyPass = "http://[::1]:8008";
       };
       "element.zxcvbnm.ninja" = {
         forceSSL = true;
-        useACMEHost = "matrix.zxcvbnm.ninja";
         extraConfig = ''
           add_header X-Frame-Options SAMEORIGIN;
           add_header X-Content-Type-Options nosniff;
@@ -168,9 +165,10 @@ in {
     members = [ "turnserver" "nginx" ];
   };
 
-  security.acme.certs."matrix.zxcvbnm.ninja" = {
+  my.vault.acmeCertificates."matrix.zxcvbnm.ninja" = {
     group = "matrixcert";
-    extraDomainNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ];
+    extraNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ];
+    nginxVirtualHosts = [ "zxcvbnm.ninja" "element.zxcvbnm.ninja" "matrix.zxcvbnm.ninja" ];
   };
 
   system.stateVersion = "21.05";

ops/nixos/bvm-prosody/default.nix

@@ -36,8 +36,8 @@ in {
     use-auth-secret = true;
     realm = "turn.lukegb.com";
     static-auth-secret = machineSecrets.turnSecret;
-    cert = "${config.security.acme.certs."turn.lukegb.com".directory}/fullchain.pem";
+    cert = "/var/lib/acme/turn.lukegb.com/fullchain.pem";
-    pkey = "${config.security.acme.certs."turn.lukegb.com".directory}/key.pem";
+    pkey = "/var/lib/acme/turn.lukegb.com/privkey.pem";
   };
 
   services.prosody = {
@@ -50,8 +50,8 @@ in {
     virtualHosts."lukegb.com" = {
       enabled = true;
       domain = "lukegb.com";
-      ssl.cert = "${config.security.acme.certs."xmpp.lukegb.com".directory}/fullchain.pem";
+      ssl.cert = "/var/lib/acme/xmpp.lukegb.com/fullchain.pem";
-      ssl.key = "${config.security.acme.certs."xmpp.lukegb.com".directory}/key.pem";
+      ssl.key = "/var/lib/acme/xmpp.lukegb.com/privkey.pem";
     };
     muc = [{
       domain = "muc.xmpp.lukegb.com";
@@ -86,12 +86,12 @@ in {
     '';
   };
 
-  security.acme = {
+  my.vault.acmeCertificates = {
-    certs."xmpp.lukegb.com" = {
+    "xmpp.lukegb.com" = {
       group = "prosody";
-      extraDomainNames = [ "*.xmpp.lukegb.com" "lukegb.com" ];
+      extraNames = [ "*.xmpp.lukegb.com" "lukegb.com" ];
     };
-    certs."turn.lukegb.com" = {
+    "turn.lukegb.com" = {
       group = "turnserver";
     };
   };

ops/nixos/bvm-radius/default.nix

@@ -54,14 +54,9 @@ in {
   };
   my.ip.tailscale = "100.120.98.116";
 
-  security.acme.certs."as205479.net" = {
+  my.vault.acmeCertificates."as205479.net" = {
-    extraDomainNames = [ "www.as205479.net" ];
+    group = "acme";
-    dnsProvider = "gcloud";
+    reloadOrRestartUnits = [ "freeradius.service" ];
-    credentialsFile = secrets.gcpDNSCredentials;
-    dnsPropagationCheck = false;
-    postRun = ''
-      systemctl restart freeradius
-    '';
   };
   users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
 

ops/nixos/bvm-radius/raddb/mods-available/eap-custom

@@ -110,7 +110,7 @@ eap {
 	#
 	tls-config tls-common {
 		#private_key_password = whatever
-		private_key_file = /var/lib/acme/as205479.net/key.pem
+		private_key_file = /var/lib/acme/as205479.net/privkey.pem
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &

ops/nixos/clouvider-lon01/default.nix

@@ -192,11 +192,9 @@ in {
     dataDir = "/persist/etc/znc";
     useLegacyConfig = false;
   };
-  security.acme.certs."znc.lukegb.com" = {
+  my.vault.acmeCertificates."znc.lukegb.com" = {
-    dnsProvider = null;
+    extraNames = [ "akiichiro.lukegb.com" ];
-    webroot = "/var/lib/acme/.challenges";
     group = "znc-acme";
-    extraDomainNames = ["akiichiro.lukegb.com"];
   };
   services.nginx = {
     enable = true;

ops/nixos/etheroute-lon01/default.nix

@@ -251,7 +251,6 @@ in {
   services.pomerium = {
     enable = true;
     secretsFile = machineSecrets.pomeriumSecrets;
-    useACMEHost = "int.lukegb.com";
 
     settings = {
       address = ":443";
@@ -280,6 +279,10 @@ in {
       authenticate_service_url = "https://auth.int.lukegb.com";
       signout_redirect_url = "https://logged-out.int.lukegb.com";
 
+      certificates = [
+        { cert = "/var/lib/acme/lukegb.com/fullchain.pem"; key = "/var/lib/acme/lukegb.com/privkey.pem"; }
+      ];
+
       policy = let
         baseConfig = {
           allowed_domains = [ "lukegb.com" ];
@@ -344,18 +347,18 @@ in {
   systemd.services.pomerium = {
     wants = lib.mkAfter [ "redis.service" ];
     after = lib.mkAfter [ "redis.service" ];
+    serviceConfig = {
+      SupplementaryGroups = [ "acme" ];
+      ReadOnlyPaths = [ "/var/lib/acme" ];
     };
-  security.acme.certs."int.lukegb.com" = {
+  };
-    domain = "*.int.lukegb.com";
+  my.vault.acmeCertificates."lukegb.com" = {
-    extraDomainNames = [
+    extraNames = [
-      # "int.lukegb.com"  # redundant with *.lukegb.com
       "lukegb.com"
       "*.lukegb.com"
       "objdump.zxcvbnm.ninja"
     ];
-    postRun = ''
+    reloadOrRestartUnits = [ "pomerium.service" ];
-      systemctl restart pomerium
-    '';
   };
 
   system.stateVersion = "20.09";

ops/nixos/lib/as205479-web.nix

@@ -1,17 +1,16 @@
 { config, depot, lib, ... }:
 
 {
-  security.acme.certs."as205479.net" = {
-    dnsProvider = "gcloud";
-    credentialsFile = depot.ops.secrets.gcpDNSCredentials;
-    dnsPropagationCheck = false;
-  };
   services.nginx = {
     enable = lib.mkDefault true;
     virtualHosts."as205479.net" = {
-      useACMEHost = "as205479.net";
       forceSSL = true;
       locations."/".root = depot.web.as205479 config.networking.hostName;
     };
   };
+  my.vault.acmeCertificates."as205479.net" = {
+    role = "letsencrypt-gcloud-as205479";
+    extraNames = [ "www.as205479.net" ];
+    nginxVirtualHosts = [ "as205479.net" ];
+  };
 }

ops/nixos/lib/baserow.nix

@@ -148,7 +148,6 @@ in
   services.nginx.recommendedTlsSettings = true;
   services.nginx.virtualHosts = {
     "baserow.lukegb.com" = {
-      enableACME = true;
       forceSSL = true;
       extraConfig = ''
         proxy_read_timeout 1800s;
@@ -160,7 +159,6 @@ in
       };
     };
     "api.baserow.lukegb.com" = {
-      enableACME = true;
       forceSSL = true;
       extraConfig = ''
         proxy_read_timeout 1800s;
@@ -173,9 +171,7 @@ in
       };
     };
     "baserow-media.zxcvbnm.ninja" = {
-      enableACME = true;
       forceSSL = true;
-
       root = "/var/lib/baserow/media";
       locations."/user_files" = {
         root = "/var/lib/baserow/media";
@@ -191,6 +187,12 @@ in
       };
     };
   };
+  my.vault.acmeCertificates = {
+    "baserow.lukegb.com" = {
+      extraNames = [ "api.baserow.lukegb.com" "baserow-media.zxcvbnm.ninja" ];
+      nginxVirtualHosts = [ "baserow.lukegb.com" "api.baserow.lukegb.com" "baserow-media.zxcvbnm.ninja" ];
+    };
+  };
 
   services.postfix = {
     enable = true;

ops/nixos/lib/fup.nix

@@ -27,14 +27,13 @@ in
       ssl = true;
     }) config.my.fup.listen);
   in {
-    security.acme.certs."p.lukegb.com" = {
+    my.vault.acmeCertificates."p.lukegb.com" = {
-      group = config.services.nginx.group;
+      nginxVirtualHosts = [ "p.lukegb.com" ];
     };
     services.nginx = {
       enable = lib.mkDefault true;
       virtualHosts."p.lukegb.com" = {
         listen = nginxListen;
-        useACMEHost = "p.lukegb.com";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://unix:${sock}";

ops/nixos/lib/quotes.bfob.gg.nix

@@ -25,21 +25,19 @@ in
       ssl = true;
     }) config.my.quotesdb.listen);
   in {
-    security.acme.certs."bfob.gg" = {
+    my.vault.acmeCertificates."bfob.gg" = {
-      group = config.services.nginx.group;
+      extraNames = [ "*.bfob.gg" ];
-      extraDomainNames = ["*.bfob.gg"];
+      nginxVirtualHosts = [ "qdb.bfob.gg" "quotes.bfob.gg" "dev-quotes.bfob.gg" ];
     };
     services.nginx = {
       enable = lib.mkDefault true;
       virtualHosts."qdb.bfob.gg" = {
         listen = nginxListen;
-        useACMEHost = "bfob.gg";
         globalRedirect = "quotes.bfob.gg";
         forceSSL = true;
       };
       virtualHosts."quotes.bfob.gg" = {
         listen = nginxListen;
-        useACMEHost = "bfob.gg";
         forceSSL = true;
         locations."/static" = {
           root = "${pkg}/share";
@@ -50,7 +48,6 @@ in
       };
       virtualHosts."dev-quotes.bfob.gg" = {
         listen = nginxListen;
-        useACMEHost = "bfob.gg";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://127.0.0.1:8000";

ops/nixos/lib/vault-agent-acme.nix

@@ -4,7 +4,9 @@
 
 { pkgs, config, depot, lib, ... }:
 let
-  inherit (lib) mkOption types mkBefore optionalAttrs;
+  inherit (lib) mkOption types mkBefore optionalAttrs mkDefault;
+
+  acmeCertificates = lib.mapAttrsToList (name: cOrig: cOrig // { inherit name; }) config.my.vault.acmeCertificates;
 
   # Work out where we're being asked to write things, and which groups, so we can correctly get permissions.
   fullchainPath = c: pathFor c.fullchain c "fullchain.pem";
@@ -12,7 +14,17 @@ let
   keyPath = c: pathFor c.key c "privkey.pem";
   pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path;
 
-  acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.fullchain.group c.chain.group c.key.group ]) config.my.vault.acmeCertificates));
+  isNginx = c: builtins.length c.nginxVirtualHosts > 0;
+  defaultGroup = c: if isNull c.group then if isNginx c then "nginx" else "acme" else c.group;
+  groupOrDefault = p: c: if isNull p then defaultGroup c else p;
+
+  reloadOrRestartUnits = c: (lib.optional (isNginx c) "nginx.service") ++ c.reloadOrRestartUnits;
+
+  acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [
+    (groupOrDefault c.fullchain.group c)
+    (groupOrDefault c.chain.group c)
+    (groupOrDefault c.key.group c)
+  ]) acmeCertificates));
 
   acmeCertificatesTemplate = builtins.concatMap (c: let
     secretStanza = ''
@@ -27,14 +39,16 @@ let
       '';
       destination = fullchainPath c;
       perms = c.fullchain.mode;
-      command = pkgs.writeShellScript "post-${c.name}-crt" ''
+      command = let
+        grp = groupOrDefault c.fullchain.group c;
+      in pkgs.writeShellScript "post-${c.name}-crt" ''
         sleep 1s  # Cheap hack...
-        ${lib.optionalString (c.fullchain.group != "") ''
+        ${lib.optionalString (grp != "") ''
-          chgrp "${c.fullchain.group}" "${fullchainPath c}"
+          chgrp "${grp}" "${fullchainPath c}"
         ''}
         ${lib.concatMapStringsSep "\n" (x: ''
           /run/current-system/sw/bin/systemctl reload-or-restart ${x}
-        '') c.reloadOrRestartUnits}
+        '') (reloadOrRestartUnits c)}
         ${lib.concatMapStringsSep "\n" (x: ''
           /run/current-system/sw/bin/systemctl restart ${x}
         '') c.restartUnits}
@@ -48,9 +62,11 @@ let
       '';
       destination = chainPath c;
       perms = c.chain.mode;
-      command = pkgs.writeShellScript "post-${c.name}-chain" ''
+      command = let
-        ${lib.optionalString (c.chain.group != "") ''
+        grp = groupOrDefault c.chain.group c;
-          chgrp "${c.chain.group}" "${chainPath c}"
+      in pkgs.writeShellScript "post-${c.name}-chain" ''
+        ${lib.optionalString (grp != "") ''
+          chgrp "${grp}" "${chainPath c}"
         ''}
       '';
     } {
@@ -61,13 +77,15 @@ let
       '';
       destination = keyPath c;
       perms = c.key.mode;
-      command = pkgs.writeShellScript "post-${c.name}-key" ''
+      command = let
-        ${lib.optionalString (c.key.group != "") ''
+        grp = groupOrDefault c.key.group c;
-          chgrp "${c.key.group}" "${keyPath c}"
+      in pkgs.writeShellScript "post-${c.name}-key" ''
+        ${lib.optionalString (grp != "") ''
+          chgrp "${grp}" "${keyPath c}"
         ''}
       '';
     }
-  ]) config.my.vault.acmeCertificates;
+  ]) acmeCertificates;
 
   acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
     let
@@ -75,21 +93,25 @@ let
       chainDir     = dirOf (chainPath c);
       keyDir       = dirOf (keyPath c);
 
-      dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if c.fullchain.group == c.key.group && c.fullchain.group == c.chain.group then c.fullchain.group else "-" else null;
+      fullchainGroup = groupOrDefault c.fullchain.group c;
+      chainGroup     = groupOrDefault c.chain.group c;
+      keyGroup       = groupOrDefault c.key.group c;
 
-      fullchainDirGroup = if isNull dirGroup then c.fullchain.group else dirGroup;
+      dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if fullchainGroup == keyGroup && fullchainGroup == chainGroup then fullchainGroup else "-" else null;
-      chainDirGroup     = if isNull dirGroup then c.chain.group else dirGroup;
+
-      keyDirGroup       = if isNull dirGroup then c.key.group else dirGroup;
+      fullchainDirGroup = if isNull dirGroup then fullchainGroup else dirGroup;
+      chainDirGroup     = if isNull dirGroup then chainGroup else dirGroup;
+      keyDirGroup       = if isNull dirGroup then keyGroup else dirGroup;
     in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
     ++ lib.optional c.chain.makeDir     "d ${chainDir}     0750 vault-agent ${chainDirGroup}     - -"
     ++ lib.optional c.key.makeDir       "d ${keyDir}       0750 vault-agent ${keyDirGroup}       - -"
-  ) config.my.vault.acmeCertificates);
+  ) acmeCertificates);
 
-  allRestartableUnits = lib.unique (builtins.concatMap (c: c.reloadOrRestartUnits ++ c.restartUnits) config.my.vault.acmeCertificates);
+  allRestartableUnits = lib.unique (builtins.concatMap (c: (reloadOrRestartUnits c) ++ c.restartUnits) acmeCertificates);
 in
 {
   options.my.vault.acmeCertificates = mkOption {
-    type = with types; listOf (submodule {
+    type = with types; attrsOf (submodule {
       options = let
         fileType = what: defaultMode: submodule {
           options = {
@@ -105,9 +127,9 @@ in
             };
 
             group = mkOption {
-              type = str;
+              type = nullOr str;
-              default = "acme";
+              default = null;
-              description = "Owner group to set for the ${what}.";
+              description = "Owner group to set for the ${what}. If null, taken from parent.";
             };
 
             makeDir = mkOption {
@@ -123,10 +145,6 @@ in
           default = "letsencrypt-cloudflare";
           description = "Which role to use for certificate issuance.";
         };
-        name = mkOption {
-          type = str;
-          description = "First hostname for the certificate.";
-        };
         extraNames = mkOption {
           type = listOf str;
           default = [];
@@ -149,6 +167,18 @@ in
           description = "List of systemd units to restart after obtaining a new certificate.";
         };
 
+        nginxVirtualHosts = mkOption {
+          type = listOf str;
+          default = [];
+          description = "List of nginx virtual hosts to apply SSL to.";
+        };
+
+        group = mkOption {
+          type = nullOr str;
+          default = null;
+          description = "Owner group to set for the generated files. Defaults to 'acme' unless nginxVirtualHosts is set, in which case it defaults to 'nginx'.";
+        };
+
         fullchain = mkOption {
           type = fileType "certificate's full chain" "0644";
           default = {};
@@ -163,7 +193,7 @@ in
         };
       };
     });
-    default = [];
+    default = {};
   };
 
   config = {
@@ -181,6 +211,18 @@ in
       tmpfiles.rules = acmeCertificatesTmpdirs;
     };
 
+    services.nginx = optionalAttrs config.my.vault.enable {
+      virtualHosts = builtins.listToAttrs (builtins.concatMap (certData: let
+        fullchain = fullchainPath certData;
+        chain     = chainPath certData;
+        key       = keyPath certData;
+      in map (hostName: lib.nameValuePair hostName {
+        sslCertificate        = mkDefault (fullchainPath certData);
+        sslCertificateKey     = mkDefault (keyPath certData);
+        sslTrustedCertificate = mkDefault (chainPath certData);
+      }) certData.nginxVirtualHosts) acmeCertificates);
+    };
+
     security.polkit.extraConfig = lib.mkAfter ''
       // NixOS module: depot/lib/vault-agent-acme.nix
       polkit.addRule(function(action, subject) {

ops/nixos/totoro/default.nix

@@ -186,7 +186,6 @@ in {
         };
       in {
         root = "/srv/pancake/public_html";
-        useACMEHost = "invoices.lukegb.com";
         forceSSL = true;
         locations."/" = {
           tryFiles = "$uri $uri/ @router";
@@ -201,7 +200,6 @@ in {
       };
 
       "plex-totoro.lukegb.com" = {
-        enableACME = true;
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://localhost:32400/";
@@ -241,18 +239,6 @@ in {
     }];
   };
 
-  security.acme = {
-    certs."invoices.lukegb.com" = {
-      domain = "invoices.lukegb.com";
-      postRun = ''
-        systemctl reload nginx
-      '';
-    };
-    certs."trains.lukegb.com" = {
-      domain = "trains.lukegb.com";
-    };
-  };
-
   services.prometheus = {
     enable = true;
     stateDir = "export/monitoring/prometheus";
@@ -557,17 +543,10 @@ in {
     };
   };
 
-  my.vault.acmeCertificates = [
+  my.vault.acmeCertificates = {
-    {
+    "plex-totoro.lukegb.com" = { nginxVirtualHosts = [ "plex-totoro.lukegb.com" ]; };
-      name = "lukegb.com";
+    "invoices.lukegb.com"    = { nginxVirtualHosts = [ "invoices.lukegb.com" ]; };
-      role = "lukegb.com-staging";
+  };
-      extraNames = [ "*.lukegb.com" "*.int.lukegb.com" ];
-      restartUnits = [ "nginx.service" ];
-      #certificate.path = "/tmp/lukegb.com.crt";
-      #key.path = "/tmp/lukegb.com.key";
-      key.group = "acme";
-    }
-  ];
 
   system.stateVersion = "20.03";
 }

ops/nixos/totoro/home-assistant.nix

@@ -133,20 +133,14 @@ in {
     };
   };
 
-  security.acme.certs."ha.lukegb.com" = {
-    dnsProvider = "cloudflare";
-    credentialsFile = secrets.cloudflareCredentials;
-    domain = "ha.lukegb.com";
-    postRun = ''
-      systemctl reload nginx
-    '';
-  };
   services.nginx.virtualHosts."ha.lukegb.com" = {
     forceSSL = true;
-    useACMEHost = "ha.lukegb.com";
     locations."/" = {
       proxyPass = "http://localhost:8123/";
       proxyWebsockets = true;
     };
   };
+  my.vault.acmeCertificates."ha.lukegb.com" = {
+    nginxVirtualHosts = [ "ha.lukegb.com" ];
+  };
 }