[perso/Immae/Config/Nix.git] / modules / private / certificates.nix

{ lib, pkgs, config, name, ... }:
{
  options.myServices.certificates = {
    enable = lib.mkEnableOption "enable certificates";
    webroot = lib.mkOption {
      readOnly = true;
      default = "/var/lib/acme/acme-challenges";
    };
    certConfig = lib.mkOption {
      default = {
        webroot = lib.mkForce null; # avoids creation of tmpfiles
        email = "ismael@bouya.org";
        postRun = builtins.concatStringsSep "\n" [
          (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
          (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
          (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
          (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
        ];
        extraLegoRenewFlags = [ "--reuse-key" ];
        keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
      };
      description = "Default configuration for certificates";
    };
  };

  config = lib.mkIf config.myServices.certificates.enable {
    services.nginx = {
      recommendedTlsSettings = true;
      virtualHosts = {
        "${config.hostEnv.fqdn}" = {
          acmeRoot = config.myServices.certificates.webroot;
          useACMEHost = name;
          forceSSL = true;
        };
      };
    };
    services.websites.certs = config.myServices.certificates.certConfig;
    myServices.databasesCerts = config.myServices.certificates.certConfig;
    myServices.ircCerts = config.myServices.certificates.certConfig;

    security.acme.acceptTerms = true;
    security.acme.preliminarySelfsigned = true;

    security.acme.certs = {
      "${name}" = config.myServices.certificates.certConfig // {
        domain = config.hostEnv.fqdn;
      };
    };

    users.users.acme = {
      uid = config.ids.uids.acme;
      group = "acme";
      description = "Acme user";
    };
    users.groups.acme = {
      gid = config.ids.gids.acme;
    };

    systemd.services = lib.attrsets.mapAttrs' (k: v:
      lib.attrsets.nameValuePair "acme-selfsigned-${k}" {
          wantedBy = [ "acme-selfsigned-certificates.target" ];
          script = lib.mkAfter ''
          cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
          chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem

          cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
          chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
          '';
        }
      ) config.security.acme.certs //
    lib.attrsets.mapAttrs' (k: data:
      lib.attrsets.nameValuePair "acme-${k}" {
        after = lib.mkAfter [ "bind.service" ];
        serviceConfig =
          let
            cfg = config.security.acme;
            hashOptions = let
              domains = builtins.concatStringsSep "," (
                [ data.domain ] ++ (builtins.attrNames data.extraDomains)
              );
              certOptions = builtins.concatStringsSep "," [
                (if data.ocspMustStaple then "must-staple" else "no-must-staple")
              ];
            in
              builtins.hashString "sha256" (builtins.concatStringsSep ";" [ data.keyType domains certOptions ]);
            accountsDir = "accounts-${data.keyType}";
            lpath = "acme/${k}";
            apath = "/var/lib/${lpath}";
            spath = "/var/lib/acme/.lego/${k}";
            fileMode = if data.allowKeysForGroup then "640" else "600";
            dirFileMode = if data.allowKeysForGroup then "750" else "700";
            globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
              ++ lib.optionals (cfg.acceptTerms) [ "--accept-tos" ]
              ++ lib.optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
              ++ lib.concatLists (lib.mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
              ++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" config.myServices.certificates.webroot ])
              ++ lib.optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
            certOpts = lib.optionals data.ocspMustStaple [ "--must-staple" ];
            runOpts = lib.escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts);
            renewOpts = lib.escapeShellArgs (globalOpts ++
              [ "renew" "--days" (builtins.toString cfg.validMinDays) ] ++
              certOpts ++ data.extraLegoRenewFlags);
            forceRenewOpts = lib.escapeShellArgs (globalOpts ++
              [ "renew" "--days" "999" ] ++
              certOpts ++ data.extraLegoRenewFlags);
            keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
          in {
            User = lib.mkForce "acme";
            Group = lib.mkForce "acme";
            WorkingDirectory = lib.mkForce spath;
            StateDirectory = lib.mkForce "acme/.lego/${k} acme/.lego/${accountsDir}";
            ExecStartPre =
              let
                script = pkgs.writeScript "acme-prestart" ''
                  #!${pkgs.runtimeShell} -e
                  install -m 0755 -o acme -g acme -d ${config.myServices.certificates.webroot}
                '';
              in
                lib.mkForce "+${script}";
            ExecStart = lib.mkForce (pkgs.writeScript "acme-start" ''
              #!${pkgs.runtimeShell} -e
              # lego doesn't check key type after initial creation, we
              # need to check for him
              if [ -L ${spath}/accounts -o -d ${spath}/accounts ]; then
                if [ -L ${spath}/accounts -a "$(readlink ${spath}/accounts)" != ../${accountsDir} ]; then
                  ln -sfn ../${accountsDir} ${spath}/accounts
                  mv -f ${spath}/certificates/${keyName}.key ${spath}/certificates/${keyName}.key.old
                fi
              else
                ln -s ../${accountsDir} ${spath}/accounts
              fi
              # check if domain changed: lego doesn't check by itself
              if [ ! -e ${spath}/certificates/${keyName}.crt -o ! -e ${spath}/certificates/${keyName}.key -o ! -e "${spath}/accounts/acme-v02.api.letsencrypt.org/${data.email}/account.json" ]; then
                ${pkgs.lego}/bin/lego ${runOpts}
              elif [ ! -f ${spath}/currentDomains -o "$(cat ${spath}/currentDomains)" != "${hashOptions}" ]; then
                ${pkgs.lego}/bin/lego ${forceRenewOpts}
              else
                ${pkgs.lego}/bin/lego ${renewOpts}
              fi
            '');
            ExecStartPost =
              let
                ISRG_Root_X1 = pkgs.fetchurl {
                  url = "https://letsencrypt.org/certs/isrgrootx1.pem";
                  sha256 = "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
                };
                fix_ISRG_Root_X1 = pkgs.writeScript "fix-pem" ''
                  for file in chain fullchain full; do
                    if grep -q MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA "$file.pem"; then
                      cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
                      sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" $file.pem
                    fi
                  done
                '';
                script = pkgs.writeScript "acme-post-start" ''
                  #!${pkgs.runtimeShell} -e
                  install -m 0755 -o root -g root -d /var/lib/acme
                  install -m 0${dirFileMode} -o ${data.user} -g ${data.group} -d /var/lib/acme/${k}
                  cd /var/lib/acme/${k}

                  # Test that existing cert is older than new cert
                  KEY=${spath}/certificates/${keyName}.key
                  KEY_CHANGED=no
                  if [ -e $KEY -a $KEY -nt key.pem ]; then
                    KEY_CHANGED=yes
                    cp -p ${spath}/certificates/${keyName}.key key.pem
                    cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
                    cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
                    ln -sf fullchain.pem cert.pem
                    cat key.pem fullchain.pem > full.pem
                    echo -n "${hashOptions}" > ${spath}/currentDomains
                  fi

                  ${fix_ISRG_Root_X1}
                  chmod ${fileMode} *.pem
                  chown '${data.user}:${data.group}' *.pem

                  if [ "$KEY_CHANGED" = "yes" ]; then
                    : # noop in case postRun is empty
                    ${data.postRun}
                  fi
                '';
              in
                lib.mkForce "+${script}";
          };
      }
    ) config.security.acme.certs //
    {
      httpdProd = lib.mkIf config.services.httpd.Prod.enable
        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
      httpdTools = lib.mkIf config.services.httpd.Tools.enable
        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
      httpdInte = lib.mkIf config.services.httpd.Inte.enable
        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
    };
  };
}
Commit	Line	Data
6e9f30f4	1	{ lib, pkgs, config, name, ... }:
3013caf1	2	{
8415083e IB	3	options.myServices.certificates = {
8415083e IB	4	enable = lib.mkEnableOption "enable certificates";
cfda3cfc IB	5	webroot = lib.mkOption {
	6	readOnly = true;
	7	default = "/var/lib/acme/acme-challenges";
	8	};
3013caf1 IB	9	certConfig = lib.mkOption {
3013caf1 IB	10	default = {
cfda3cfc	11	webroot = lib.mkForce null; # avoids creation of tmpfiles
3013caf1	12	email = "ismael@bouya.org";
6e9f30f4 IB	13	postRun = builtins.concatStringsSep "\n" [
	14	(lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
	15	(lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
	16	(lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
	17	(lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
	18	];
f5761aac	19	extraLegoRenewFlags = [ "--reuse-key" ];
cfda3cfc	20	keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
3013caf1 IB	21	};
	22	description = "Default configuration for certificates";
	23	};
	24	};
	25
8415083e	26	config = lib.mkIf config.myServices.certificates.enable {
6e9f30f4 IB	27	services.nginx = {
6e9f30f4 IB	28	recommendedTlsSettings = true;
3ffa15ba IB	29	virtualHosts = {
3ffa15ba IB	30	"${config.hostEnv.fqdn}" = {
cfda3cfc	31	acmeRoot = config.myServices.certificates.webroot;
3ffa15ba IB	32	useACMEHost = name;
	33	forceSSL = true;
	34	};
	35	};
6e9f30f4	36	};
8415083e IB	37	services.websites.certs = config.myServices.certificates.certConfig;
	38	myServices.databasesCerts = config.myServices.certificates.certConfig;
	39	myServices.ircCerts = config.myServices.certificates.certConfig;
7df420c2	40
258dd18b	41	security.acme.acceptTerms = true;
5400b9b6	42	security.acme.preliminarySelfsigned = true;
3013caf1	43
5400b9b6	44	security.acme.certs = {
6e9f30f4	45	"${name}" = config.myServices.certificates.certConfig // {
619e4f46	46	domain = config.hostEnv.fqdn;
3013caf1 IB	47	};
3013caf1 IB	48	};
017cb76f	49
cfda3cfc IB	50	users.users.acme = {
	51	uid = config.ids.uids.acme;
	52	group = "acme";
	53	description = "Acme user";
	54	};
	55	users.groups.acme = {
	56	gid = config.ids.gids.acme;
	57	};
	58
017cb76f	59	systemd.services = lib.attrsets.mapAttrs' (k: v:
2fe37e49 IB	60	lib.attrsets.nameValuePair "acme-selfsigned-${k}" {
	61	wantedBy = [ "acme-selfsigned-certificates.target" ];
	62	script = lib.mkAfter ''
	63	cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
	64	chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
	65	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
258dd18b	66
2fe37e49 IB	67	cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
	68	chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
	69	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
	70	'';
	71	}
	72	) config.security.acme.certs //
5400b9b6 IB	73	lib.attrsets.mapAttrs' (k: data:
5400b9b6 IB	74	lib.attrsets.nameValuePair "acme-${k}" {
37465bc7	75	after = lib.mkAfter [ "bind.service" ];
cfda3cfc	76	serviceConfig =
364b709f	77	let
cfda3cfc IB	78	cfg = config.security.acme;
	79	hashOptions = let
	80	domains = builtins.concatStringsSep "," (
	81	[ data.domain ] ++ (builtins.attrNames data.extraDomains)
	82	);
	83	certOptions = builtins.concatStringsSep "," [
	84	(if data.ocspMustStaple then "must-staple" else "no-must-staple")
	85	];
	86	in
	87	builtins.hashString "sha256" (builtins.concatStringsSep ";" [ data.keyType domains certOptions ]);
	88	accountsDir = "accounts-${data.keyType}";
	89	lpath = "acme/${k}";
	90	apath = "/var/lib/${lpath}";
	91	spath = "/var/lib/acme/.lego/${k}";
364b709f	92	fileMode = if data.allowKeysForGroup then "640" else "600";
cfda3cfc IB	93	dirFileMode = if data.allowKeysForGroup then "750" else "700";
	94	globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
	95	++ lib.optionals (cfg.acceptTerms) [ "--accept-tos" ]
	96	++ lib.optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
	97	++ lib.concatLists (lib.mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
	98	++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" config.myServices.certificates.webroot ])
	99	++ lib.optionals (cfg.server != null \|\| data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
	100	certOpts = lib.optionals data.ocspMustStaple [ "--must-staple" ];
	101	runOpts = lib.escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts);
	102	renewOpts = lib.escapeShellArgs (globalOpts ++
	103	[ "renew" "--days" (builtins.toString cfg.validMinDays) ] ++
	104	certOpts ++ data.extraLegoRenewFlags);
	105	forceRenewOpts = lib.escapeShellArgs (globalOpts ++
	106	[ "renew" "--days" "999" ] ++
	107	certOpts ++ data.extraLegoRenewFlags);
	108	keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
	109	in {
	110	User = lib.mkForce "acme";
	111	Group = lib.mkForce "acme";
	112	WorkingDirectory = lib.mkForce spath;
	113	StateDirectory = lib.mkForce "acme/.lego/${k} acme/.lego/${accountsDir}";
	114	ExecStartPre =
	115	let
	116	script = pkgs.writeScript "acme-prestart" ''
	117	#!${pkgs.runtimeShell} -e
	118	install -m 0755 -o acme -g acme -d ${config.myServices.certificates.webroot}
	119	'';
	120	in
	121	lib.mkForce "+${script}";
	122	ExecStart = lib.mkForce (pkgs.writeScript "acme-start" ''
364b709f	123	#!${pkgs.runtimeShell} -e
cfda3cfc IB	124	# lego doesn't check key type after initial creation, we
	125	# need to check for him
	126	if [ -L ${spath}/accounts -o -d ${spath}/accounts ]; then
	127	if [ -L ${spath}/accounts -a "$(readlink ${spath}/accounts)" != ../${accountsDir} ]; then
	128	ln -sfn ../${accountsDir} ${spath}/accounts
	129	mv -f ${spath}/certificates/${keyName}.key ${spath}/certificates/${keyName}.key.old
	130	fi
	131	else
	132	ln -s ../${accountsDir} ${spath}/accounts
	133	fi
	134	# check if domain changed: lego doesn't check by itself
	135	if [ ! -e ${spath}/certificates/${keyName}.crt -o ! -e ${spath}/certificates/${keyName}.key -o ! -e "${spath}/accounts/acme-v02.api.letsencrypt.org/${data.email}/account.json" ]; then
	136	${pkgs.lego}/bin/lego ${runOpts}
	137	elif [ ! -f ${spath}/currentDomains -o "$(cat ${spath}/currentDomains)" != "${hashOptions}" ]; then
	138	${pkgs.lego}/bin/lego ${forceRenewOpts}
	139	else
	140	${pkgs.lego}/bin/lego ${renewOpts}
364b709f	141	fi
cfda3cfc IB	142	'');
	143	ExecStartPost =
	144	let
ad6d50d9 IB	145	ISRG_Root_X1 = pkgs.fetchurl {
	146	url = "https://letsencrypt.org/certs/isrgrootx1.pem";
	147	sha256 = "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
	148	};
	149	fix_ISRG_Root_X1 = pkgs.writeScript "fix-pem" ''
4ec2d441 IB	150	for file in chain fullchain full; do
	151	if grep -q MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA "$file.pem"; then
	152	cat ${ISRG_Root_X1} \| grep -v " CERTIFICATE" \| \
	153	sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" $file.pem
	154	fi
	155	done
ad6d50d9	156	'';
cfda3cfc IB	157	script = pkgs.writeScript "acme-post-start" ''
	158	#!${pkgs.runtimeShell} -e
	159	install -m 0755 -o root -g root -d /var/lib/acme
	160	install -m 0${dirFileMode} -o ${data.user} -g ${data.group} -d /var/lib/acme/${k}
	161	cd /var/lib/acme/${k}
	162
	163	# Test that existing cert is older than new cert
	164	KEY=${spath}/certificates/${keyName}.key
	165	KEY_CHANGED=no
	166	if [ -e $KEY -a $KEY -nt key.pem ]; then
	167	KEY_CHANGED=yes
	168	cp -p ${spath}/certificates/${keyName}.key key.pem
	169	cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
	170	cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
	171	ln -sf fullchain.pem cert.pem
	172	cat key.pem fullchain.pem > full.pem
	173	echo -n "${hashOptions}" > ${spath}/currentDomains
	174	fi
364b709f	175
4ec2d441	176	${fix_ISRG_Root_X1}
cfda3cfc IB	177	chmod ${fileMode} *.pem
cfda3cfc IB	178	chown '${data.user}:${data.group}' *.pem
364b709f	179
cfda3cfc IB	180	if [ "$KEY_CHANGED" = "yes" ]; then
	181	: # noop in case postRun is empty
	182	${data.postRun}
	183	fi
	184	'';
	185	in
	186	lib.mkForce "+${script}";
	187	};
5400b9b6 IB	188	}
	189	) config.security.acme.certs //
	190	{
6e9f30f4 IB	191	httpdProd = lib.mkIf config.services.httpd.Prod.enable
	192	{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
	193	httpdTools = lib.mkIf config.services.httpd.Tools.enable
	194	{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
	195	httpdInte = lib.mkIf config.services.httpd.Inte.enable
	196	{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
017cb76f	197	};
3013caf1 IB	198	};
3013caf1 IB	199	}