modules/private/certificates.nix

   1 { lib, pkgs, config, name, ... }:
   2 {
   3   options.myServices.certificates = {
   4     enable = lib.mkEnableOption "enable certificates";
   5     certConfig = lib.mkOption {
   6       default = {
   7         webroot = "/var/lib/acme/acme-challenges";
   8         email = "ismael@bouya.org";
   9         postRun = builtins.concatStringsSep "\n" [
  10           (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
  11           (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
  12           (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
  13           (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
  14         ];
  15       };
  16       description = "Default configuration for certificates";
  17     };
  18   };
  19
  20   config = lib.mkIf config.myServices.certificates.enable {
  21     services.duplyBackup.profiles.system.excludeFile = ''
  22       + /var/lib/acme/acme-challenges
  23       '';
  24     services.nginx = {
  25       recommendedTlsSettings = true;
  26       virtualHosts = {
  27         "${config.hostEnv.fqdn}" = {
  28           acmeRoot = config.security.acme.certs."${name}".webroot;
  29           useACMEHost = name;
  30           forceSSL = true;
  31         };
  32       };
  33     };
  34     services.websites.certs = config.myServices.certificates.certConfig;
  35     myServices.databasesCerts = config.myServices.certificates.certConfig;
  36     myServices.ircCerts = config.myServices.certificates.certConfig;
  37
  38     security.acme.acceptTerms = true;
  39     security.acme.preliminarySelfsigned = true;
  40
  41     security.acme.certs = {
  42       "${name}" = config.myServices.certificates.certConfig // {
  43         domain = config.hostEnv.fqdn;
  44       };
  45     };
  46
  47     systemd.services = lib.attrsets.mapAttrs' (k: v:
  48       lib.attrsets.nameValuePair "acme-selfsigned-${k}" {
  49           wantedBy = [ "acme-selfsigned-certificates.target" ];
  50           script = lib.mkAfter ''
  51           cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
  52           chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
  53           chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
  54
  55           cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
  56           chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
  57           chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
  58           '';
  59         }
  60       ) config.security.acme.certs //
  61     lib.attrsets.mapAttrs' (k: data:
  62       lib.attrsets.nameValuePair "acme-${k}" {
  63         after = lib.mkAfter [ "bind.service" ];
  64         serviceConfig.ExecStartPre =
  65           let
  66             script = pkgs.writeScript "acme-pre-start" ''
  67               #!${pkgs.runtimeShell} -e
  68               mkdir -p '${data.webroot}/.well-known/acme-challenge'
  69               chmod a+w '${data.webroot}/.well-known/acme-challenge'
  70               #doesn't work for multiple concurrent runs
  71               #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
  72             '';
  73           in
  74           "+${script}";
  75         # This is a workaround to
  76         # https://github.com/NixOS/nixpkgs/issues/84409
  77         # https://github.com/NixOS/nixpkgs/issues/84633
  78         serviceConfig.RemainAfterExit = lib.mkForce false;
  79         serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego";
  80         serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k}";
  81         serviceConfig.ExecStartPost =
  82           let
  83             keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
  84             fileMode = if data.allowKeysForGroup then "640" else "600";
  85             spath = "/var/lib/acme/${k}/.lego";
  86             script = pkgs.writeScript "acme-post-start" ''
  87               #!${pkgs.runtimeShell} -e
  88               cd /var/lib/acme/${k}
  89
  90               # Test that existing cert is older than new cert
  91               KEY=${spath}/certificates/${keyName}.key
  92               if [ -e $KEY -a $KEY -nt key.pem ]; then
  93                 cp -p ${spath}/certificates/${keyName}.key key.pem
  94                 cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
  95                 cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
  96                 ln -sf fullchain.pem cert.pem
  97                 cat key.pem fullchain.pem > full.pem
  98
  99                 ${data.postRun}
 100               fi
 101
 102               chmod ${fileMode} *.pem
 103               chown '${data.user}:${data.group}' *.pem
 104             '';
 105           in
 106             lib.mkForce "+${script}";
 107
 108       }
 109     ) config.security.acme.certs //
 110     {
 111       httpdProd = lib.mkIf config.services.httpd.Prod.enable
 112         { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
 113       httpdTools = lib.mkIf config.services.httpd.Tools.enable
 114         { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
 115       httpdInte = lib.mkIf config.services.httpd.Inte.enable
 116         { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
 117     };
 118   };
 119 }