modules/private/certificates.nix

   1 { lib, pkgs, config, name, ... }:
   2 {
   3   options.myServices.certificates = {
   4     enable = lib.mkEnableOption "enable certificates";
   5     certConfig = lib.mkOption {
   6       default = {
   7         webroot = "/var/lib/acme/acme-challenges";
   8         email = "ismael@bouya.org";
   9         postRun = builtins.concatStringsSep "\n" [
  10           (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
  11           (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
  12           (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
  13           (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
  14         ];
  15         extraLegoRenewFlags = [ "--reuse-key" ];
  16       };
  17       description = "Default configuration for certificates";
  18     };
  19   };
  20
  21   config = lib.mkIf config.myServices.certificates.enable {
  22     services.duplyBackup.profiles.system.excludeFile = ''
  23       + /var/lib/acme/acme-challenges
  24       '';
  25     services.nginx = {
  26       recommendedTlsSettings = true;
  27       virtualHosts = {
  28         "${config.hostEnv.fqdn}" = {
  29           acmeRoot = config.security.acme.certs."${name}".webroot;
  30           useACMEHost = name;
  31           forceSSL = true;
  32         };
  33       };
  34     };
  35     services.websites.certs = config.myServices.certificates.certConfig;
  36     myServices.databasesCerts = config.myServices.certificates.certConfig;
  37     myServices.ircCerts = config.myServices.certificates.certConfig;
  38
  39     security.acme.acceptTerms = true;
  40     security.acme.preliminarySelfsigned = true;
  41
  42     security.acme.certs = {
  43       "${name}" = config.myServices.certificates.certConfig // {
  44         domain = config.hostEnv.fqdn;
  45       };
  46     };
  47
  48     systemd.services = lib.attrsets.mapAttrs' (k: v:
  49       lib.attrsets.nameValuePair "acme-selfsigned-${k}" {
  50           wantedBy = [ "acme-selfsigned-certificates.target" ];
  51           script = lib.mkAfter ''
  52           cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
  53           chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
  54           chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
  55
  56           cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
  57           chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
  58           chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
  59           '';
  60         }
  61       ) config.security.acme.certs //
  62     lib.attrsets.mapAttrs' (k: data:
  63       lib.attrsets.nameValuePair "acme-${k}" {
  64         after = lib.mkAfter [ "bind.service" ];
  65         serviceConfig.ExecStartPre =
  66           let
  67             script = pkgs.writeScript "acme-pre-start" ''
  68               #!${pkgs.runtimeShell} -e
  69               mkdir -p '${data.webroot}/.well-known/acme-challenge'
  70               chmod a+w '${data.webroot}/.well-known/acme-challenge'
  71               #doesn't work for multiple concurrent runs
  72               #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
  73             '';
  74           in
  75           "+${script}";
  76         # This is a workaround to
  77         # https://github.com/NixOS/nixpkgs/issues/84409
  78         # https://github.com/NixOS/nixpkgs/issues/84633
  79         serviceConfig.RemainAfterExit = lib.mkForce false;
  80         serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego";
  81         serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k} acme/.lego/${k} acme/.lego/accounts";
  82         serviceConfig.ExecStartPost =
  83           let
  84             keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
  85             fileMode = if data.allowKeysForGroup then "640" else "600";
  86             spath = "/var/lib/acme/${k}/.lego";
  87             script = pkgs.writeScript "acme-post-start" ''
  88               #!${pkgs.runtimeShell} -e
  89               cd /var/lib/acme/${k}
  90
  91               # Test that existing cert is older than new cert
  92               KEY=${spath}/certificates/${keyName}.key
  93               if [ -e $KEY -a $KEY -nt key.pem ]; then
  94                 cp -p ${spath}/certificates/${keyName}.key key.pem
  95                 cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
  96                 cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
  97                 ln -sf fullchain.pem cert.pem
  98                 cat key.pem fullchain.pem > full.pem
  99
 100                 ${data.postRun}
 101               fi
 102
 103               chmod ${fileMode} *.pem
 104               chown '${data.user}:${data.group}' *.pem
 105             '';
 106           in
 107             lib.mkForce "+${script}";
 108
 109       }
 110     ) config.security.acme.certs //
 111     {
 112       httpdProd = lib.mkIf config.services.httpd.Prod.enable
 113         { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
 114       httpdTools = lib.mkIf config.services.httpd.Tools.enable
 115         { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
 116       httpdInte = lib.mkIf config.services.httpd.Inte.enable
 117         { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
 118     };
 119   };
 120 }