[perso/Immae/Config/Nix.git] / modules / private / certificates.nix

{ lib, pkgs, config, name, ... }:
{
  options.myServices.certificates = {
    enable = lib.mkEnableOption "enable certificates";
    certConfig = lib.mkOption {
      default = {
        webroot = "/var/lib/acme/acme-challenges";
        email = "ismael@bouya.org";
        postRun = builtins.concatStringsSep "\n" [
          (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
          (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
          (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
          (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
        ];
        extraLegoRenewFlags = [ "--reuse-key" ];
      };
      description = "Default configuration for certificates";
    };
  };

  config = lib.mkIf config.myServices.certificates.enable {
    services.duplyBackup.profiles.system.excludeFile = ''
      + /var/lib/acme/acme-challenges
      '';
    services.nginx = {
      recommendedTlsSettings = true;
      virtualHosts = {
        "${config.hostEnv.fqdn}" = {
          acmeRoot = config.security.acme.certs."${name}".webroot;
          useACMEHost = name;
          forceSSL = true;
        };
      };
    };
    services.websites.certs = config.myServices.certificates.certConfig;
    myServices.databasesCerts = config.myServices.certificates.certConfig;
    myServices.ircCerts = config.myServices.certificates.certConfig;

    security.acme.acceptTerms = true;
    security.acme.preliminarySelfsigned = true;

    security.acme.certs = {
      "${name}" = config.myServices.certificates.certConfig // {
        domain = config.hostEnv.fqdn;
      };
    };

    systemd.services = lib.attrsets.mapAttrs' (k: v:
      lib.attrsets.nameValuePair "acme-selfsigned-${k}" {
          wantedBy = [ "acme-selfsigned-certificates.target" ];
          script = lib.mkAfter ''
          cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
          chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem

          cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
          chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
          '';
        }
      ) config.security.acme.certs //
    lib.attrsets.mapAttrs' (k: data:
      lib.attrsets.nameValuePair "acme-${k}" {
        after = lib.mkAfter [ "bind.service" ];
        serviceConfig.ExecStartPre =
          let
            script = pkgs.writeScript "acme-pre-start" ''
              #!${pkgs.runtimeShell} -e
              mkdir -p '${data.webroot}/.well-known/acme-challenge'
              chmod a+w '${data.webroot}/.well-known/acme-challenge'
              #doesn't work for multiple concurrent runs
              #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
            '';
          in
          "+${script}";
        # This is a workaround to
        # https://github.com/NixOS/nixpkgs/issues/84409
        # https://github.com/NixOS/nixpkgs/issues/84633
        serviceConfig.RemainAfterExit = lib.mkForce false;
        serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego";
        serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k} acme/.lego/${k} acme/.lego/accounts";
        serviceConfig.ExecStartPost =
          let
            keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
            fileMode = if data.allowKeysForGroup then "640" else "600";
            spath = "/var/lib/acme/${k}/.lego";
            script = pkgs.writeScript "acme-post-start" ''
              #!${pkgs.runtimeShell} -e
              cd /var/lib/acme/${k}

              # Test that existing cert is older than new cert
              KEY=${spath}/certificates/${keyName}.key
              if [ -e $KEY -a $KEY -nt key.pem ]; then
                cp -p ${spath}/certificates/${keyName}.key key.pem
                cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
                cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
                ln -sf fullchain.pem cert.pem
                cat key.pem fullchain.pem > full.pem

                ${data.postRun}
              fi

              chmod ${fileMode} *.pem
              chown '${data.user}:${data.group}' *.pem
            '';
          in
            lib.mkForce "+${script}";

      }
    ) config.security.acme.certs //
    {
      httpdProd = lib.mkIf config.services.httpd.Prod.enable
        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
      httpdTools = lib.mkIf config.services.httpd.Tools.enable
        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
      httpdInte = lib.mkIf config.services.httpd.Inte.enable
        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
    };
  };
}
Commit	Line	Data
6e9f30f4	1	{ lib, pkgs, config, name, ... }:
3013caf1	2	{
8415083e IB	3	options.myServices.certificates = {
8415083e IB	4	enable = lib.mkEnableOption "enable certificates";
3013caf1 IB	5	certConfig = lib.mkOption {
3013caf1 IB	6	default = {
3ffa15ba	7	webroot = "/var/lib/acme/acme-challenges";
3013caf1	8	email = "ismael@bouya.org";
6e9f30f4 IB	9	postRun = builtins.concatStringsSep "\n" [
	10	(lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
	11	(lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
	12	(lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
	13	(lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
	14	];
f5761aac	15	extraLegoRenewFlags = [ "--reuse-key" ];
3013caf1 IB	16	};
	17	description = "Default configuration for certificates";
	18	};
	19	};
	20
8415083e	21	config = lib.mkIf config.myServices.certificates.enable {
d2e703c5	22	services.duplyBackup.profiles.system.excludeFile = ''
3ffa15ba	23	+ /var/lib/acme/acme-challenges
6a8252b1	24	'';
6e9f30f4 IB	25	services.nginx = {
6e9f30f4 IB	26	recommendedTlsSettings = true;
3ffa15ba IB	27	virtualHosts = {
	28	"${config.hostEnv.fqdn}" = {
	29	acmeRoot = config.security.acme.certs."${name}".webroot;
	30	useACMEHost = name;
	31	forceSSL = true;
	32	};
	33	};
6e9f30f4	34	};
8415083e IB	35	services.websites.certs = config.myServices.certificates.certConfig;
	36	myServices.databasesCerts = config.myServices.certificates.certConfig;
	37	myServices.ircCerts = config.myServices.certificates.certConfig;
7df420c2	38
258dd18b	39	security.acme.acceptTerms = true;
5400b9b6	40	security.acme.preliminarySelfsigned = true;
3013caf1	41
5400b9b6	42	security.acme.certs = {
6e9f30f4	43	"${name}" = config.myServices.certificates.certConfig // {
619e4f46	44	domain = config.hostEnv.fqdn;
3013caf1 IB	45	};
3013caf1 IB	46	};
017cb76f IB	47
017cb76f IB	48	systemd.services = lib.attrsets.mapAttrs' (k: v:
2fe37e49 IB	49	lib.attrsets.nameValuePair "acme-selfsigned-${k}" {
	50	wantedBy = [ "acme-selfsigned-certificates.target" ];
	51	script = lib.mkAfter ''
	52	cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
	53	chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
	54	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
258dd18b	55
2fe37e49 IB	56	cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
	57	chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
	58	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
	59	'';
	60	}
	61	) config.security.acme.certs //
5400b9b6 IB	62	lib.attrsets.mapAttrs' (k: data:
5400b9b6 IB	63	lib.attrsets.nameValuePair "acme-${k}" {
37465bc7	64	after = lib.mkAfter [ "bind.service" ];
5400b9b6 IB	65	serviceConfig.ExecStartPre =
	66	let
	67	script = pkgs.writeScript "acme-pre-start" ''
	68	#!${pkgs.runtimeShell} -e
	69	mkdir -p '${data.webroot}/.well-known/acme-challenge'
	70	chmod a+w '${data.webroot}/.well-known/acme-challenge'
	71	#doesn't work for multiple concurrent runs
	72	#chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
	73	'';
	74	in
364b709f IB	75	"+${script}";
	76	# This is a workaround to
	77	# https://github.com/NixOS/nixpkgs/issues/84409
	78	# https://github.com/NixOS/nixpkgs/issues/84633
	79	serviceConfig.RemainAfterExit = lib.mkForce false;
	80	serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego";
f5761aac	81	serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k} acme/.lego/${k} acme/.lego/accounts";
364b709f IB	82	serviceConfig.ExecStartPost =
	83	let
	84	keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
	85	fileMode = if data.allowKeysForGroup then "640" else "600";
	86	spath = "/var/lib/acme/${k}/.lego";
	87	script = pkgs.writeScript "acme-post-start" ''
	88	#!${pkgs.runtimeShell} -e
	89	cd /var/lib/acme/${k}
	90
	91	# Test that existing cert is older than new cert
	92	KEY=${spath}/certificates/${keyName}.key
	93	if [ -e $KEY -a $KEY -nt key.pem ]; then
	94	cp -p ${spath}/certificates/${keyName}.key key.pem
	95	cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
	96	cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
	97	ln -sf fullchain.pem cert.pem
	98	cat key.pem fullchain.pem > full.pem
	99
	100	${data.postRun}
	101	fi
	102
	103	chmod ${fileMode} *.pem
	104	chown '${data.user}:${data.group}' *.pem
	105	'';
	106	in
	107	lib.mkForce "+${script}";
	108
5400b9b6 IB	109	}
	110	) config.security.acme.certs //
	111	{
6e9f30f4 IB	112	httpdProd = lib.mkIf config.services.httpd.Prod.enable
	113	{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
	114	httpdTools = lib.mkIf config.services.httpd.Tools.enable
	115	{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
	116	httpdInte = lib.mkIf config.services.httpd.Inte.enable
	117	{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
017cb76f	118	};
3013caf1 IB	119	};
3013caf1 IB	120	}