]> git.immae.eu Git - perso/Immae/Config/Nix.git/blobdiff - modules/private/certificates.nix
projects / perso / Immae / Config / Nix.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Upgrade to latest nixos
[perso/Immae/Config/Nix.git] / modules / private / certificates.nix
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 2e40b3cd7a7f27f2febb40ef2075a310036173a8..bbe4c3bbf1c093510aed37622d30aa149ab3729b 100644 (file)
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -1,52 +1,120 @@
-{ lib, pkgs, config,  ... }:
+{ lib, pkgs, config, name, ... }:
 {
-  options.services.myCertificates = {
+  options.myServices.certificates = {
+    enable = lib.mkEnableOption "enable certificates";
     certConfig = lib.mkOption {
       default = {
-        webroot = "${config.security.acme.directory}/acme-challenge";
+        webroot = "/var/lib/acme/acme-challenges";
         email = "ismael@bouya.org";
-        postRun = ''
-          systemctl reload httpdTools.service httpdInte.service httpdProd.service
-        '';
-        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
+        postRun = builtins.concatStringsSep "\n" [
+          (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
+          (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
+          (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
+          (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
+        ];
+        extraLegoRenewFlags = [ "--reuse-key" ];
       };
       description = "Default configuration for certificates";
     };
   };
 
-  config = {
-    services.websites.certs = config.services.myCertificates.certConfig;
-    myServices.databasesCerts = config.services.myCertificates.certConfig;
-    myServices.ircCerts = config.services.myCertificates.certConfig;
+  config = lib.mkIf config.myServices.certificates.enable {
+    services.duplyBackup.profiles.system.excludeFile = ''
+      + /var/lib/acme/acme-challenges
+      '';
+    services.nginx = {
+      recommendedTlsSettings = true;
+      virtualHosts = {
+        "${config.hostEnv.fqdn}" = {
+          acmeRoot = config.security.acme.certs."${name}".webroot;
+          useACMEHost = name;
+          forceSSL = true;
+        };
+      };
+    };
+    services.websites.certs = config.myServices.certificates.certConfig;
+    myServices.databasesCerts = config.myServices.certificates.certConfig;
+    myServices.ircCerts = config.myServices.certificates.certConfig;
 
+    security.acme.acceptTerms = true;
     security.acme.preliminarySelfsigned = true;
 
     security.acme.certs = {
-      "eldiron" = config.services.myCertificates.certConfig // {
-        domain = "eldiron.immae.eu";
+      "${name}" = config.myServices.certificates.certConfig // {
+        domain = config.hostEnv.fqdn;
       };
     };
 
     systemd.services = lib.attrsets.mapAttrs' (k: v:
-      lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
-        (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
-        cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem
-        chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem
-        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem
-        '') +
-        (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
-        cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem
-        chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem
-        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem
-        '')
-      ; })
-    ) config.security.acme.certs // {
-      httpdProd.after = [ "acme-selfsigned-certificates.target" ];
-      httpdProd.wants = [ "acme-selfsigned-certificates.target" ];
-      httpdTools.after = [ "acme-selfsigned-certificates.target" ];
-      httpdTools.wants = [ "acme-selfsigned-certificates.target" ];
-      httpdInte.after = [ "acme-selfsigned-certificates.target" ];
-      httpdInte.wants = [ "acme-selfsigned-certificates.target" ];
+      lib.attrsets.nameValuePair "acme-selfsigned-${k}" {
+          wantedBy = [ "acme-selfsigned-certificates.target" ];
+          script = lib.mkAfter ''
+          cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
+          chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
+          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
+
+          cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
+          chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
+          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
+          '';
+        }
+      ) config.security.acme.certs //
+    lib.attrsets.mapAttrs' (k: data:
+      lib.attrsets.nameValuePair "acme-${k}" {
+        after = lib.mkAfter [ "bind.service" ];
+        serviceConfig.ExecStartPre =
+          let
+            script = pkgs.writeScript "acme-pre-start" ''
+              #!${pkgs.runtimeShell} -e
+              mkdir -p '${data.webroot}/.well-known/acme-challenge'
+              chmod a+w '${data.webroot}/.well-known/acme-challenge'
+              #doesn't work for multiple concurrent runs
+              #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
+            '';
+          in
+          "+${script}";
+        # This is a workaround to
+        # https://github.com/NixOS/nixpkgs/issues/84409
+        # https://github.com/NixOS/nixpkgs/issues/84633
+        serviceConfig.RemainAfterExit = lib.mkForce false;
+        serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego";
+        serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k} acme/.lego/${k} acme/.lego/accounts";
+        serviceConfig.ExecStartPost =
+          let
+            keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
+            fileMode = if data.allowKeysForGroup then "640" else "600";
+            spath = "/var/lib/acme/${k}/.lego";
+            script = pkgs.writeScript "acme-post-start" ''
+              #!${pkgs.runtimeShell} -e
+              cd /var/lib/acme/${k}
+
+              # Test that existing cert is older than new cert
+              KEY=${spath}/certificates/${keyName}.key
+              if [ -e $KEY -a $KEY -nt key.pem ]; then
+                cp -p ${spath}/certificates/${keyName}.key key.pem
+                cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
+                cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
+                ln -sf fullchain.pem cert.pem
+                cat key.pem fullchain.pem > full.pem
+
+                ${data.postRun}
+              fi
+
+              chmod ${fileMode} *.pem
+              chown '${data.user}:${data.group}' *.pem
+            '';
+          in
+            lib.mkForce "+${script}";
+
+      }
+    ) config.security.acme.certs //
+    {
+      httpdProd = lib.mkIf config.services.httpd.Prod.enable
+        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+      httpdTools = lib.mkIf config.services.httpd.Tools.enable
+        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+      httpdInte = lib.mkIf config.services.httpd.Inte.enable
+        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
     };
   };
 }
My infrastructure configuration