lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions
depot/ops/nixos/lib/vault-agent-acme.nix

208 lines
7.1 KiB
Nix
Raw Blame History

# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
{ pkgs, config, depot, lib, ... }:
let
inherit (lib) mkOption types mkBefore optionalAttrs;
# Work out where we're being asked to write things, and which groups, so we can correctly get permissions.
fullchainPath = c: pathFor c.fullchain c "fullchain.pem";
chainPath = c: pathFor c.chain c "chain.pem";
keyPath = c: pathFor c.key c "privkey.pem";
pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path;
acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.fullchain.group c.chain.group c.key.group ]) config.my.vault.acmeCertificates));
acmeCertificatesTemplate = builtins.concatMap (c: let
secretStanza = ''
secret "acme/certs/${c.role}" "common_name=${c.name}" "alternative_names=${builtins.concatStringsSep "," (builtins.sort builtins.lessThan c.extraNames)}"
'';
in [
{
# Certificate full chain
contents = ''
{{with ${secretStanza}}}
{{ .Data.cert }}{{ end }}
'';
destination = fullchainPath c;
perms = c.fullchain.mode;
command = pkgs.writeShellScript "post-${c.name}-crt" ''
sleep 1s # Cheap hack...
${lib.optionalString (c.fullchain.group != "") ''
chgrp "${c.fullchain.group}" "${fullchainPath c}"
''}
${lib.concatMapStringsSep "\n" (x: ''
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
'') c.reloadOrRestartUnits}
${lib.concatMapStringsSep "\n" (x: ''
/run/current-system/sw/bin/systemctl restart ${x}
'') c.restartUnits}
${lib.optionalString (c.command != "") c.command}
'';
} {
# Certificate chain
contents = ''
{{with ${secretStanza}}}
{{ .Data.issuer_cert }}{{ end }}
'';
destination = chainPath c;
perms = c.chain.mode;
command = pkgs.writeShellScript "post-${c.name}-chain" ''
${lib.optionalString (c.chain.group != "") ''
chgrp "${c.chain.group}" "${chainPath c}"
''}
'';
} {
# Key
contents = ''
{{with ${secretStanza}}}
{{ .Data.private_key }}{{ end }}
'';
destination = keyPath c;
perms = c.key.mode;
command = pkgs.writeShellScript "post-${c.name}-key" ''
${lib.optionalString (c.key.group != "") ''
chgrp "${c.key.group}" "${keyPath c}"
''}
'';
}
]) config.my.vault.acmeCertificates;
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
let
fullchainDir = dirOf (fullchainPath c);
chainDir = dirOf (chainPath c);
keyDir = dirOf (keyPath c);
dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if c.fullchain.group == c.key.group && c.fullchain.group == c.chain.group then c.fullchain.group else "-" else null;
fullchainDirGroup = if isNull dirGroup then c.fullchain.group else dirGroup;
chainDirGroup = if isNull dirGroup then c.chain.group else dirGroup;
keyDirGroup = if isNull dirGroup then c.key.group else dirGroup;
in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
) config.my.vault.acmeCertificates);
allRestartableUnits = lib.unique (builtins.concatMap (c: c.reloadOrRestartUnits ++ c.restartUnits) config.my.vault.acmeCertificates);
in
{
options.my.vault.acmeCertificates = mkOption {
type = with types; listOf (submodule {
options = let
fileType = what: defaultMode: submodule {
options = {
path = mkOption {
type = nullOr path;
default = null;
description = "Path to put the ${what}.";
};
mode = mkOption {
type = str;
default = defaultMode;
description = "Mode to set for the ${what}.";
};
group = mkOption {
type = str;
default = "acme";
description = "Owner group to set for the ${what}.";
};
makeDir = mkOption {
type = bool;
default = true;
description = "If true, creates the parent directory.";
};
};
};
in {
role = mkOption {
type = str;
default = "letsencrypt-cloudflare";
description = "Which role to use for certificate issuance.";
};
name = mkOption {
type = str;
description = "First hostname for the certificate.";
};
extraNames = mkOption {
type = listOf str;
default = [];
description = "Non-empty list of hostnames to include.";
};
command = mkOption {
type = lines;
default = "";
description = "Command to run after generating the certificate.";
};
reloadOrRestartUnits = mkOption {
type = listOf str;
default = [];
description = "List of systemd units to reload/restart after obtaining a new certificate.";
};
restartUnits = mkOption {
type = listOf str;
default = [];
description = "List of systemd units to restart after obtaining a new certificate.";
};
fullchain = mkOption {
type = fileType "certificate's full chain" "0644";
default = {};
};
chain = mkOption {
type = fileType "certificate chain only" "0644";
default = {};
};
key = mkOption {
type = fileType "certificate's key" "0640";
default = {};
};
};
});
default = [];
};
config = {
my.vault.settings = {
template = mkBefore acmeCertificatesTemplate;
};
systemd = optionalAttrs config.my.vault.enable {
services.vault-agent = {
serviceConfig = {
SupplementaryGroups = mkBefore acmeCertificatesGroups;
};
};
tmpfiles.rules = acmeCertificatesTmpdirs;
};
security.polkit.extraConfig = lib.mkAfter ''
// NixOS module: depot/lib/vault-agent-acme.nix
polkit.addRule(function(action, subject) {
if (action.id !== "org.freedesktop.systemd1.manage-units" ||
subject.user !== "vault-agent") {
return polkit.Result.NOT_HANDLED;
}
var verb = action.lookup("verb");
if (verb !== "restart" && verb !== "reload-or-restart") {
return polkit.Result.NOT_HANDLED;
}
var allowedUnits = ${builtins.toJSON allRestartableUnits};
var unit = action.lookup("unit");
for (var i = 0; i < allowedUnits.length; i++) {
if (allowedUnits[i] === unit) {
return polkit.Result.YES;
}
}
return polkit.Result.NOT_HANDLED;
});
'';
};
}
Reference in a new issue View git blame Copy permalink