X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fcertificates.nix;h=c564d34f17832d784875ef60ea0950b9e23a4198;hb=3c50eea8d946bf8417f49fa8a4a6e109e0439c7b;hp=f057200263416c9aeaa33d20c80b20c4f19e4098;hpb=981fa80354fd6f00f49446777c38f77bd8a65f65;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index f057200..c564d34 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix @@ -4,7 +4,7 @@ enable = lib.mkEnableOption "enable certificates"; certConfig = lib.mkOption { default = { - webroot = "/var/lib/acme/acme-challenge"; + webroot = "/var/lib/acme/acme-challenges"; email = "ismael@bouya.org"; postRun = builtins.concatStringsSep "\n" [ (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service") @@ -12,7 +12,6 @@ (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") ]; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"]; }; description = "Default configuration for certificates"; }; @@ -20,38 +19,95 @@ config = lib.mkIf config.myServices.certificates.enable { services.duplyBackup.profiles.system.excludeFile = '' - + /var/lib/acme/acme-challenge + + /var/lib/acme/acme-challenges ''; services.nginx = { recommendedTlsSettings = true; - virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; }; + virtualHosts = { + "${config.hostEnv.fqdn}" = { + acmeRoot = config.security.acme.certs."${name}".webroot; + useACMEHost = name; + forceSSL = true; + }; + }; }; services.websites.certs = config.myServices.certificates.certConfig; myServices.databasesCerts = config.myServices.certificates.certConfig; myServices.ircCerts = config.myServices.certificates.certConfig; - security.acme2.preliminarySelfsigned = true; + security.acme.acceptTerms = true; + security.acme.preliminarySelfsigned = true; - security.acme2.certs = { + security.acme.certs = { "${name}" = config.myServices.certificates.certConfig // { domain = config.hostEnv.fqdn; }; }; systemd.services = lib.attrsets.mapAttrs' (k: v: - lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = - (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' - cp $workdir/server.crt ${config.security.acme2.certs."${k}".directory}/cert.pem - chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/cert.pem - chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/cert.pem - '') + - (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' - cp $workdir/ca.crt ${config.security.acme2.certs."${k}".directory}/chain.pem - chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/chain.pem - chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/chain.pem - '') - ; }) - ) config.security.acme2.certs // { + lib.attrsets.nameValuePair "acme-selfsigned-${k}" { + wantedBy = [ "acme-selfsigned-certificates.target" ]; + script = lib.mkAfter '' + cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem + chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem + chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem + + cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem + chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem + chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem + ''; + } + ) config.security.acme.certs // + lib.attrsets.mapAttrs' (k: data: + lib.attrsets.nameValuePair "acme-${k}" { + after = lib.mkAfter [ "bind.service" ]; + serviceConfig.ExecStartPre = + let + script = pkgs.writeScript "acme-pre-start" '' + #!${pkgs.runtimeShell} -e + mkdir -p '${data.webroot}/.well-known/acme-challenge' + chmod a+w '${data.webroot}/.well-known/acme-challenge' + #doesn't work for multiple concurrent runs + #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' + ''; + in + "+${script}"; + # This is a workaround to + # https://github.com/NixOS/nixpkgs/issues/84409 + # https://github.com/NixOS/nixpkgs/issues/84633 + serviceConfig.RemainAfterExit = lib.mkForce false; + serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego"; + serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k}"; + serviceConfig.ExecStartPost = + let + keyName = builtins.replaceStrings ["*"] ["_"] data.domain; + fileMode = if data.allowKeysForGroup then "640" else "600"; + spath = "/var/lib/acme/${k}/.lego"; + script = pkgs.writeScript "acme-post-start" '' + #!${pkgs.runtimeShell} -e + cd /var/lib/acme/${k} + + # Test that existing cert is older than new cert + KEY=${spath}/certificates/${keyName}.key + if [ -e $KEY -a $KEY -nt key.pem ]; then + cp -p ${spath}/certificates/${keyName}.key key.pem + cp -p ${spath}/certificates/${keyName}.crt fullchain.pem + cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem + ln -sf fullchain.pem cert.pem + cat key.pem fullchain.pem > full.pem + + ${data.postRun} + fi + + chmod ${fileMode} *.pem + chown '${data.user}:${data.group}' *.pem + ''; + in + lib.mkForce "+${script}"; + + } + ) config.security.acme.certs // + { httpdProd = lib.mkIf config.services.httpd.Prod.enable { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; httpdTools = lib.mkIf config.services.httpd.Tools.enable