# SPDX-FileCopyrightText: 2020 Luke Granger-Brown # # SPDX-License-Identifier: Apache-2.0 { pkgs, config, depot, lib, ... }: let inherit (lib) mkOption types mkBefore optionalAttrs; # Work out where we're being asked to write things, and which groups, so we can correctly get permissions. fullchainPath = c: pathFor c.fullchain c "fullchain.pem"; chainPath = c: pathFor c.chain c "chain.pem"; keyPath = c: pathFor c.key c "privkey.pem"; pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path; acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.fullchain.group c.chain.group c.key.group ]) config.my.vault.acmeCertificates)); acmeCertificatesTemplate = builtins.concatMap (c: let secretStanza = '' secret "acme/certs/${c.role}" "common_name=${c.name}" "alternative_names=${builtins.concatStringsSep "," (builtins.sort builtins.lessThan c.extraNames)}" ''; in [ { # Certificate full chain contents = '' {{with ${secretStanza}}} {{ .Data.cert }}{{ end }} ''; destination = fullchainPath c; perms = c.fullchain.mode; command = pkgs.writeShellScript "post-${c.name}-crt" '' sleep 1s # Cheap hack... ${lib.optionalString (c.fullchain.group != "") '' chgrp "${c.fullchain.group}" "${fullchainPath c}" ''} ${lib.concatMapStringsSep "\n" (x: '' /run/current-system/sw/bin/systemctl reload-or-restart ${x} '') c.reloadOrRestartUnits} ${lib.concatMapStringsSep "\n" (x: '' /run/current-system/sw/bin/systemctl restart ${x} '') c.restartUnits} ${lib.optionalString (c.command != "") c.command} ''; } { # Certificate chain contents = '' {{with ${secretStanza}}} {{ .Data.issuer_cert }}{{ end }} ''; destination = chainPath c; perms = c.chain.mode; command = pkgs.writeShellScript "post-${c.name}-chain" '' ${lib.optionalString (c.chain.group != "") '' chgrp "${c.chain.group}" "${chainPath c}" ''} ''; } { # Key contents = '' {{with ${secretStanza}}} {{ .Data.private_key }}{{ end }} ''; destination = keyPath c; perms = c.key.mode; command = pkgs.writeShellScript "post-${c.name}-key" '' ${lib.optionalString (c.key.group != "") '' chgrp "${c.key.group}" "${keyPath c}" ''} ''; } ]) config.my.vault.acmeCertificates; acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c: let fullchainDir = dirOf (fullchainPath c); chainDir = dirOf (chainPath c); keyDir = dirOf (keyPath c); dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if c.fullchain.group == c.key.group && c.fullchain.group == c.chain.group then c.fullchain.group else "-" else null; fullchainDirGroup = if isNull dirGroup then c.fullchain.group else dirGroup; chainDirGroup = if isNull dirGroup then c.chain.group else dirGroup; keyDirGroup = if isNull dirGroup then c.key.group else dirGroup; in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -" ++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -" ++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -" ) config.my.vault.acmeCertificates); allRestartableUnits = lib.unique (builtins.concatMap (c: c.reloadOrRestartUnits ++ c.restartUnits) config.my.vault.acmeCertificates); in { options.my.vault.acmeCertificates = mkOption { type = with types; listOf (submodule { options = let fileType = what: defaultMode: submodule { options = { path = mkOption { type = nullOr path; default = null; description = "Path to put the ${what}."; }; mode = mkOption { type = str; default = defaultMode; description = "Mode to set for the ${what}."; }; group = mkOption { type = str; default = "acme"; description = "Owner group to set for the ${what}."; }; makeDir = mkOption { type = bool; default = true; description = "If true, creates the parent directory."; }; }; }; in { role = mkOption { type = str; default = "letsencrypt-cloudflare"; description = "Which role to use for certificate issuance."; }; name = mkOption { type = str; description = "First hostname for the certificate."; }; extraNames = mkOption { type = listOf str; default = []; description = "Non-empty list of hostnames to include."; }; command = mkOption { type = lines; default = ""; description = "Command to run after generating the certificate."; }; reloadOrRestartUnits = mkOption { type = listOf str; default = []; description = "List of systemd units to reload/restart after obtaining a new certificate."; }; restartUnits = mkOption { type = listOf str; default = []; description = "List of systemd units to restart after obtaining a new certificate."; }; fullchain = mkOption { type = fileType "certificate's full chain" "0644"; default = {}; }; chain = mkOption { type = fileType "certificate chain only" "0644"; default = {}; }; key = mkOption { type = fileType "certificate's key" "0640"; default = {}; }; }; }); default = []; }; config = { my.vault.settings = { template = mkBefore acmeCertificatesTemplate; }; systemd = optionalAttrs config.my.vault.enable { services.vault-agent = { serviceConfig = { SupplementaryGroups = mkBefore acmeCertificatesGroups; }; }; tmpfiles.rules = acmeCertificatesTmpdirs; }; security.polkit.extraConfig = lib.mkAfter '' // NixOS module: depot/lib/vault-agent-acme.nix polkit.addRule(function(action, subject) { if (action.id !== "org.freedesktop.systemd1.manage-units" || subject.user !== "vault-agent") { return polkit.Result.NOT_HANDLED; } var verb = action.lookup("verb"); if (verb !== "restart" && verb !== "reload-or-restart") { return polkit.Result.NOT_HANDLED; } var allowedUnits = ${builtins.toJSON allRestartableUnits}; var unit = action.lookup("unit"); for (var i = 0; i < allowedUnits.length; i++) { if (allowedUnits[i] === unit) { return polkit.Result.YES; } } return polkit.Result.NOT_HANDLED; }); ''; }; }