ops/nixos: migrate everything to vault-agent-acme

This commit is contained in:
Luke Granger-Brown 2022-03-07 00:52:03 +00:00
parent 0c7f785107
commit daccfa5717
14 changed files with 126 additions and 123 deletions

View file

@ -69,7 +69,6 @@ in {
recommendedTlsSettings = true;
recommendedGzipSettings = true;
virtualHosts."objdump.zxcvbnm.ninja" = {
useACMEHost = "objdump.zxcvbnm.ninja";
default = true;
forceSSL = true;
locations."/" = {
@ -82,11 +81,9 @@ in {
};
};
};
security.acme.certs."objdump.zxcvbnm.ninja" = {
group = config.services.nginx.group;
extraDomainNames = [
"*.objdump.zxcvbnm.ninja"
];
my.vault.acmeCertificates."objdump.zxcvbnm.ninja" = {
extraNames = [ "*.objdump.zxcvbnm.ninja" ];
nginxVirtualHosts = [ "objdump.zxcvbnm.ninja" ];
};
my.fup.listen = [
"0.0.0.0" "[::]"

View file

@ -58,8 +58,8 @@ in {
use-auth-secret = true;
realm = "matrix.zxcvbnm.ninja";
static-auth-secret = machineSecrets.turnSecret;
cert = "${config.security.acme.certs."matrix.zxcvbnm.ninja".directory}/fullchain.pem";
pkey = "${config.security.acme.certs."matrix.zxcvbnm.ninja".directory}/key.pem";
cert = "/var/lib/acme/matrix.zxcvbnm.ninja/fullchain.pem";
pkey = "/var/lib/acme/matrix.zxcvbnm.ninja/privkey.pem";
};
services.nginx = {
enable = true;
@ -71,7 +71,6 @@ in {
virtualHosts = {
"zxcvbnm.ninja" = {
forceSSL = true;
useACMEHost = "matrix.zxcvbnm.ninja";
locations = let
inherit (lib) mapAttrs' nameValuePair;
wellKnown = {
@ -90,13 +89,11 @@ in {
};
"matrix.zxcvbnm.ninja" = {
forceSSL = true;
useACMEHost = "matrix.zxcvbnm.ninja";
locations."/".return = "301 https://element.zxcvbnm.ninja$request_uri";
locations."/_matrix".proxyPass = "http://[::1]:8008";
};
"element.zxcvbnm.ninja" = {
forceSSL = true;
useACMEHost = "matrix.zxcvbnm.ninja";
extraConfig = ''
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
@ -168,9 +165,10 @@ in {
members = [ "turnserver" "nginx" ];
};
security.acme.certs."matrix.zxcvbnm.ninja" = {
my.vault.acmeCertificates."matrix.zxcvbnm.ninja" = {
group = "matrixcert";
extraDomainNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ];
extraNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ];
nginxVirtualHosts = [ "zxcvbnm.ninja" "element.zxcvbnm.ninja" "matrix.zxcvbnm.ninja" ];
};
system.stateVersion = "21.05";

View file

@ -36,8 +36,8 @@ in {
use-auth-secret = true;
realm = "turn.lukegb.com";
static-auth-secret = machineSecrets.turnSecret;
cert = "${config.security.acme.certs."turn.lukegb.com".directory}/fullchain.pem";
pkey = "${config.security.acme.certs."turn.lukegb.com".directory}/key.pem";
cert = "/var/lib/acme/turn.lukegb.com/fullchain.pem";
pkey = "/var/lib/acme/turn.lukegb.com/privkey.pem";
};
services.prosody = {
@ -50,8 +50,8 @@ in {
virtualHosts."lukegb.com" = {
enabled = true;
domain = "lukegb.com";
ssl.cert = "${config.security.acme.certs."xmpp.lukegb.com".directory}/fullchain.pem";
ssl.key = "${config.security.acme.certs."xmpp.lukegb.com".directory}/key.pem";
ssl.cert = "/var/lib/acme/xmpp.lukegb.com/fullchain.pem";
ssl.key = "/var/lib/acme/xmpp.lukegb.com/privkey.pem";
};
muc = [{
domain = "muc.xmpp.lukegb.com";
@ -86,12 +86,12 @@ in {
'';
};
security.acme = {
certs."xmpp.lukegb.com" = {
my.vault.acmeCertificates = {
"xmpp.lukegb.com" = {
group = "prosody";
extraDomainNames = [ "*.xmpp.lukegb.com" "lukegb.com" ];
extraNames = [ "*.xmpp.lukegb.com" "lukegb.com" ];
};
certs."turn.lukegb.com" = {
"turn.lukegb.com" = {
group = "turnserver";
};
};

View file

@ -54,14 +54,9 @@ in {
};
my.ip.tailscale = "100.120.98.116";
security.acme.certs."as205479.net" = {
extraDomainNames = [ "www.as205479.net" ];
dnsProvider = "gcloud";
credentialsFile = secrets.gcpDNSCredentials;
dnsPropagationCheck = false;
postRun = ''
systemctl restart freeradius
'';
my.vault.acmeCertificates."as205479.net" = {
group = "acme";
reloadOrRestartUnits = [ "freeradius.service" ];
};
users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];

View file

@ -110,7 +110,7 @@ eap {
#
tls-config tls-common {
#private_key_password = whatever
private_key_file = /var/lib/acme/as205479.net/key.pem
private_key_file = /var/lib/acme/as205479.net/privkey.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &

View file

@ -192,11 +192,9 @@ in {
dataDir = "/persist/etc/znc";
useLegacyConfig = false;
};
security.acme.certs."znc.lukegb.com" = {
dnsProvider = null;
webroot = "/var/lib/acme/.challenges";
my.vault.acmeCertificates."znc.lukegb.com" = {
extraNames = [ "akiichiro.lukegb.com" ];
group = "znc-acme";
extraDomainNames = ["akiichiro.lukegb.com"];
};
services.nginx = {
enable = true;

View file

@ -251,7 +251,6 @@ in {
services.pomerium = {
enable = true;
secretsFile = machineSecrets.pomeriumSecrets;
useACMEHost = "int.lukegb.com";
settings = {
address = ":443";
@ -280,6 +279,10 @@ in {
authenticate_service_url = "https://auth.int.lukegb.com";
signout_redirect_url = "https://logged-out.int.lukegb.com";
certificates = [
{ cert = "/var/lib/acme/lukegb.com/fullchain.pem"; key = "/var/lib/acme/lukegb.com/privkey.pem"; }
];
policy = let
baseConfig = {
allowed_domains = [ "lukegb.com" ];
@ -344,18 +347,18 @@ in {
systemd.services.pomerium = {
wants = lib.mkAfter [ "redis.service" ];
after = lib.mkAfter [ "redis.service" ];
serviceConfig = {
SupplementaryGroups = [ "acme" ];
ReadOnlyPaths = [ "/var/lib/acme" ];
};
};
security.acme.certs."int.lukegb.com" = {
domain = "*.int.lukegb.com";
extraDomainNames = [
# "int.lukegb.com" # redundant with *.lukegb.com
my.vault.acmeCertificates."lukegb.com" = {
extraNames = [
"lukegb.com"
"*.lukegb.com"
"objdump.zxcvbnm.ninja"
];
postRun = ''
systemctl restart pomerium
'';
reloadOrRestartUnits = [ "pomerium.service" ];
};
system.stateVersion = "20.09";

View file

@ -1,17 +1,16 @@
{ config, depot, lib, ... }:
{
security.acme.certs."as205479.net" = {
dnsProvider = "gcloud";
credentialsFile = depot.ops.secrets.gcpDNSCredentials;
dnsPropagationCheck = false;
};
services.nginx = {
enable = lib.mkDefault true;
virtualHosts."as205479.net" = {
useACMEHost = "as205479.net";
forceSSL = true;
locations."/".root = depot.web.as205479 config.networking.hostName;
};
};
my.vault.acmeCertificates."as205479.net" = {
role = "letsencrypt-gcloud-as205479";
extraNames = [ "www.as205479.net" ];
nginxVirtualHosts = [ "as205479.net" ];
};
}

View file

@ -148,7 +148,6 @@ in
services.nginx.recommendedTlsSettings = true;
services.nginx.virtualHosts = {
"baserow.lukegb.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_read_timeout 1800s;
@ -160,7 +159,6 @@ in
};
};
"api.baserow.lukegb.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_read_timeout 1800s;
@ -173,9 +171,7 @@ in
};
};
"baserow-media.zxcvbnm.ninja" = {
enableACME = true;
forceSSL = true;
root = "/var/lib/baserow/media";
locations."/user_files" = {
root = "/var/lib/baserow/media";
@ -191,6 +187,12 @@ in
};
};
};
my.vault.acmeCertificates = {
"baserow.lukegb.com" = {
extraNames = [ "api.baserow.lukegb.com" "baserow-media.zxcvbnm.ninja" ];
nginxVirtualHosts = [ "baserow.lukegb.com" "api.baserow.lukegb.com" "baserow-media.zxcvbnm.ninja" ];
};
};
services.postfix = {
enable = true;

View file

@ -27,14 +27,13 @@ in
ssl = true;
}) config.my.fup.listen);
in {
security.acme.certs."p.lukegb.com" = {
group = config.services.nginx.group;
my.vault.acmeCertificates."p.lukegb.com" = {
nginxVirtualHosts = [ "p.lukegb.com" ];
};
services.nginx = {
enable = lib.mkDefault true;
virtualHosts."p.lukegb.com" = {
listen = nginxListen;
useACMEHost = "p.lukegb.com";
forceSSL = true;
locations."/" = {
proxyPass = "http://unix:${sock}";

View file

@ -25,21 +25,19 @@ in
ssl = true;
}) config.my.quotesdb.listen);
in {
security.acme.certs."bfob.gg" = {
group = config.services.nginx.group;
extraDomainNames = ["*.bfob.gg"];
my.vault.acmeCertificates."bfob.gg" = {
extraNames = [ "*.bfob.gg" ];
nginxVirtualHosts = [ "qdb.bfob.gg" "quotes.bfob.gg" "dev-quotes.bfob.gg" ];
};
services.nginx = {
enable = lib.mkDefault true;
virtualHosts."qdb.bfob.gg" = {
listen = nginxListen;
useACMEHost = "bfob.gg";
globalRedirect = "quotes.bfob.gg";
forceSSL = true;
};
virtualHosts."quotes.bfob.gg" = {
listen = nginxListen;
useACMEHost = "bfob.gg";
forceSSL = true;
locations."/static" = {
root = "${pkg}/share";
@ -50,7 +48,6 @@ in
};
virtualHosts."dev-quotes.bfob.gg" = {
listen = nginxListen;
useACMEHost = "bfob.gg";
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8000";

View file

@ -4,7 +4,9 @@
{ pkgs, config, depot, lib, ... }:
let
inherit (lib) mkOption types mkBefore optionalAttrs;
inherit (lib) mkOption types mkBefore optionalAttrs mkDefault;
acmeCertificates = lib.mapAttrsToList (name: cOrig: cOrig // { inherit name; }) config.my.vault.acmeCertificates;
# Work out where we're being asked to write things, and which groups, so we can correctly get permissions.
fullchainPath = c: pathFor c.fullchain c "fullchain.pem";
@ -12,7 +14,17 @@ let
keyPath = c: pathFor c.key c "privkey.pem";
pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path;
acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.fullchain.group c.chain.group c.key.group ]) config.my.vault.acmeCertificates));
isNginx = c: builtins.length c.nginxVirtualHosts > 0;
defaultGroup = c: if isNull c.group then if isNginx c then "nginx" else "acme" else c.group;
groupOrDefault = p: c: if isNull p then defaultGroup c else p;
reloadOrRestartUnits = c: (lib.optional (isNginx c) "nginx.service") ++ c.reloadOrRestartUnits;
acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [
(groupOrDefault c.fullchain.group c)
(groupOrDefault c.chain.group c)
(groupOrDefault c.key.group c)
]) acmeCertificates));
acmeCertificatesTemplate = builtins.concatMap (c: let
secretStanza = ''
@ -27,14 +39,16 @@ let
'';
destination = fullchainPath c;
perms = c.fullchain.mode;
command = pkgs.writeShellScript "post-${c.name}-crt" ''
command = let
grp = groupOrDefault c.fullchain.group c;
in pkgs.writeShellScript "post-${c.name}-crt" ''
sleep 1s # Cheap hack...
${lib.optionalString (c.fullchain.group != "") ''
chgrp "${c.fullchain.group}" "${fullchainPath c}"
${lib.optionalString (grp != "") ''
chgrp "${grp}" "${fullchainPath c}"
''}
${lib.concatMapStringsSep "\n" (x: ''
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
'') c.reloadOrRestartUnits}
'') (reloadOrRestartUnits c)}
${lib.concatMapStringsSep "\n" (x: ''
/run/current-system/sw/bin/systemctl restart ${x}
'') c.restartUnits}
@ -48,9 +62,11 @@ let
'';
destination = chainPath c;
perms = c.chain.mode;
command = pkgs.writeShellScript "post-${c.name}-chain" ''
${lib.optionalString (c.chain.group != "") ''
chgrp "${c.chain.group}" "${chainPath c}"
command = let
grp = groupOrDefault c.chain.group c;
in pkgs.writeShellScript "post-${c.name}-chain" ''
${lib.optionalString (grp != "") ''
chgrp "${grp}" "${chainPath c}"
''}
'';
} {
@ -61,13 +77,15 @@ let
'';
destination = keyPath c;
perms = c.key.mode;
command = pkgs.writeShellScript "post-${c.name}-key" ''
${lib.optionalString (c.key.group != "") ''
chgrp "${c.key.group}" "${keyPath c}"
command = let
grp = groupOrDefault c.key.group c;
in pkgs.writeShellScript "post-${c.name}-key" ''
${lib.optionalString (grp != "") ''
chgrp "${grp}" "${keyPath c}"
''}
'';
}
]) config.my.vault.acmeCertificates;
]) acmeCertificates;
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
let
@ -75,21 +93,25 @@ let
chainDir = dirOf (chainPath c);
keyDir = dirOf (keyPath c);
dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if c.fullchain.group == c.key.group && c.fullchain.group == c.chain.group then c.fullchain.group else "-" else null;
fullchainGroup = groupOrDefault c.fullchain.group c;
chainGroup = groupOrDefault c.chain.group c;
keyGroup = groupOrDefault c.key.group c;
fullchainDirGroup = if isNull dirGroup then c.fullchain.group else dirGroup;
chainDirGroup = if isNull dirGroup then c.chain.group else dirGroup;
keyDirGroup = if isNull dirGroup then c.key.group else dirGroup;
dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if fullchainGroup == keyGroup && fullchainGroup == chainGroup then fullchainGroup else "-" else null;
fullchainDirGroup = if isNull dirGroup then fullchainGroup else dirGroup;
chainDirGroup = if isNull dirGroup then chainGroup else dirGroup;
keyDirGroup = if isNull dirGroup then keyGroup else dirGroup;
in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
) config.my.vault.acmeCertificates);
) acmeCertificates);
allRestartableUnits = lib.unique (builtins.concatMap (c: c.reloadOrRestartUnits ++ c.restartUnits) config.my.vault.acmeCertificates);
allRestartableUnits = lib.unique (builtins.concatMap (c: (reloadOrRestartUnits c) ++ c.restartUnits) acmeCertificates);
in
{
options.my.vault.acmeCertificates = mkOption {
type = with types; listOf (submodule {
type = with types; attrsOf (submodule {
options = let
fileType = what: defaultMode: submodule {
options = {
@ -105,9 +127,9 @@ in
};
group = mkOption {
type = str;
default = "acme";
description = "Owner group to set for the ${what}.";
type = nullOr str;
default = null;
description = "Owner group to set for the ${what}. If null, taken from parent.";
};
makeDir = mkOption {
@ -123,10 +145,6 @@ in
default = "letsencrypt-cloudflare";
description = "Which role to use for certificate issuance.";
};
name = mkOption {
type = str;
description = "First hostname for the certificate.";
};
extraNames = mkOption {
type = listOf str;
default = [];
@ -149,6 +167,18 @@ in
description = "List of systemd units to restart after obtaining a new certificate.";
};
nginxVirtualHosts = mkOption {
type = listOf str;
default = [];
description = "List of nginx virtual hosts to apply SSL to.";
};
group = mkOption {
type = nullOr str;
default = null;
description = "Owner group to set for the generated files. Defaults to 'acme' unless nginxVirtualHosts is set, in which case it defaults to 'nginx'.";
};
fullchain = mkOption {
type = fileType "certificate's full chain" "0644";
default = {};
@ -163,7 +193,7 @@ in
};
};
});
default = [];
default = {};
};
config = {
@ -181,6 +211,18 @@ in
tmpfiles.rules = acmeCertificatesTmpdirs;
};
services.nginx = optionalAttrs config.my.vault.enable {
virtualHosts = builtins.listToAttrs (builtins.concatMap (certData: let
fullchain = fullchainPath certData;
chain = chainPath certData;
key = keyPath certData;
in map (hostName: lib.nameValuePair hostName {
sslCertificate = mkDefault (fullchainPath certData);
sslCertificateKey = mkDefault (keyPath certData);
sslTrustedCertificate = mkDefault (chainPath certData);
}) certData.nginxVirtualHosts) acmeCertificates);
};
security.polkit.extraConfig = lib.mkAfter ''
// NixOS module: depot/lib/vault-agent-acme.nix
polkit.addRule(function(action, subject) {

View file

@ -186,7 +186,6 @@ in {
};
in {
root = "/srv/pancake/public_html";
useACMEHost = "invoices.lukegb.com";
forceSSL = true;
locations."/" = {
tryFiles = "$uri $uri/ @router";
@ -201,7 +200,6 @@ in {
};
"plex-totoro.lukegb.com" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:32400/";
@ -241,18 +239,6 @@ in {
}];
};
security.acme = {
certs."invoices.lukegb.com" = {
domain = "invoices.lukegb.com";
postRun = ''
systemctl reload nginx
'';
};
certs."trains.lukegb.com" = {
domain = "trains.lukegb.com";
};
};
services.prometheus = {
enable = true;
stateDir = "export/monitoring/prometheus";
@ -557,17 +543,10 @@ in {
};
};
my.vault.acmeCertificates = [
{
name = "lukegb.com";
role = "lukegb.com-staging";
extraNames = [ "*.lukegb.com" "*.int.lukegb.com" ];
restartUnits = [ "nginx.service" ];
#certificate.path = "/tmp/lukegb.com.crt";
#key.path = "/tmp/lukegb.com.key";
key.group = "acme";
}
];
my.vault.acmeCertificates = {
"plex-totoro.lukegb.com" = { nginxVirtualHosts = [ "plex-totoro.lukegb.com" ]; };
"invoices.lukegb.com" = { nginxVirtualHosts = [ "invoices.lukegb.com" ]; };
};
system.stateVersion = "20.03";
}

View file

@ -133,20 +133,14 @@ in {
};
};
security.acme.certs."ha.lukegb.com" = {
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
domain = "ha.lukegb.com";
postRun = ''
systemctl reload nginx
'';
};
services.nginx.virtualHosts."ha.lukegb.com" = {
forceSSL = true;
useACMEHost = "ha.lukegb.com";
locations."/" = {
proxyPass = "http://localhost:8123/";
proxyWebsockets = true;
};
};
my.vault.acmeCertificates."ha.lukegb.com" = {
nginxVirtualHosts = [ "ha.lukegb.com" ];
};
}