Upgrade acme bot

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-01-15 20:41:19 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-04-25 00:04:41 +0200
commit: 0540384561541f94435ad0f6e268e6989fb1d37a (patch)
tree: 7e8c8b06f6039073dd2d2e648d11b3dba77e63df
parent: 13cf2ab3521b5abeea0ee723d4657d667c666f32 (diff)
download: NUR-0540384561541f94435ad0f6e268e6989fb1d37a.tar.gz
NUR-0540384561541f94435ad0f6e268e6989fb1d37a.tar.zst
NUR-0540384561541f94435ad0f6e268e6989fb1d37a.zip
6 files changed, 446 insertions, 5 deletions
diff --git a/modules/acme2.nix b/modules/acme2.nix
new file mode 100644
index 00000000..408c098e
--- /dev/null
+++ b/modules/acme2.nix
@@ -0,0 +1,340 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.security.acme2;
+  certOpts = { name, ... }: {
+    options = {
+      webroot = mkOption {
+        type = types.str;
+        example = "/var/lib/acme/acme-challenges";
+        description = ''
+          Where the webroot of the HTTP vhost is located.
+          <filename>.well-known/acme-challenge/</filename> directory
+          will be created below the webroot if it doesn't exist.
+          <literal>http://example.org/.well-known/acme-challenge/</literal> must also
+          be available (notice unencrypted HTTP).
+        '';
+      };
+      server = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          ACME Directory Resource URI. Defaults to let's encrypt
+          production endpoint,
+          https://acme-v02.api.letsencrypt.org/directory, if unset.
+        '';
+      };
+      domain = mkOption {
+        type = types.str;
+        default = name;
+        description = "Domain to fetch certificate for (defaults to the entry name)";
+      };
+      email = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "Contact email address for the CA to be able to reach you.";
+      };
+      user = mkOption {
+        type = types.str;
+        default = "root";
+        description = "User running the ACME client.";
+      };
+      group = mkOption {
+        type = types.str;
+        default = "root";
+        description = "Group running the ACME client.";
+      };
+      allowKeysForGroup = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Give read permissions to the specified group
+          (<option>security.acme2.cert.&lt;name&gt;.group</option>) to read SSL private certificates.
+        '';
+      };
+      postRun = mkOption {
+        type = types.lines;
+        default = "";
+        example = "systemctl reload nginx.service";
+        description = ''
+          Commands to run after new certificates go live. Typically
+          the web server and other servers using certificates need to
+          be reloaded.
+          Executed in the same directory with the new certificate.
+        '';
+      };
+      plugins = mkOption {
+        type = types.listOf (types.enum [
+          "cert.der" "cert.pem" "chain.pem" "external.sh"
+          "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" "account_reg.json"
+        ]);
+        default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json" ];
+        description = ''
+          Plugins to enable. With default settings simp_le will
+          store public certificate bundle in <filename>fullchain.pem</filename>,
+          private key in <filename>key.pem</filename> and those two previous
+          files combined in <filename>full.pem</filename> in its state directory.
+        '';
+      };
+      directory = mkOption {
+        type = types.str;
+        readOnly = true;
+        default = "/var/lib/acme/${name}";
+        description = "Directory where certificate and other state is stored.";
+      };
+      extraDomains = mkOption {
+        type = types.attrsOf (types.nullOr types.str);
+        default = {};
+        example = literalExample ''
+          {
+            "example.org" = "/srv/http/nginx";
+            "mydomain.org" = null;
+          }
+        '';
+        description = ''
+          A list of extra domain names, which are included in the one certificate to be issued, with their
+          own server roots if needed.
+        '';
+      };
+    };
+  };
+in
+{
+  ###### interface
+  imports = [
+    (mkRemovedOptionModule [ "security" "acme2" "production" ] ''
+      Use security.acme2.server to define your staging ACME server URL instead.
+      To use the let's encrypt staging server, use security.acme2.server =
+      "https://acme-staging-v02.api.letsencrypt.org/directory".
+    ''
+    )
+    (mkRemovedOptionModule [ "security" "acme2" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")
+    (mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
+    (mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
+  ];
+  options = {
+    security.acme2 = {
+      validMin = mkOption {
+        type = types.int;
+        default = 30 * 24 * 3600;
+        description = "Minimum remaining validity before renewal in seconds.";
+      };
+      renewInterval = mkOption {
+        type = types.str;
+        default = "weekly";
+        description = ''
+          Systemd calendar expression when to check for renewal. See
+          <citerefentry><refentrytitle>systemd.time</refentrytitle>
+          <manvolnum>7</manvolnum></citerefentry>.
+        '';
+      };
+      server = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          ACME Directory Resource URI. Defaults to let's encrypt
+          production endpoint,
+          <literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset.
+        '';
+      };
+      preliminarySelfsigned = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether a preliminary self-signed certificate should be generated before
+          doing ACME requests. This can be useful when certificates are required in
+          a webserver, but ACME needs the webserver to make its requests.
+          With preliminary self-signed certificate the webserver can be started and
+          can later reload the correct ACME certificates.
+        '';
+      };
+      certs = mkOption {
+        default = { };
+        type = with types; attrsOf (submodule certOpts);
+        description = ''
+          Attribute set of certificates to get signed and renewed. Creates
+          <literal>acme-''${cert}.{service,timer}</literal> systemd units for
+          each certificate defined here. Other services can add dependencies
+          to those units if they rely on the certificates being present,
+          or trigger restarts of the service if certificates get renewed.
+        '';
+        example = literalExample ''
+          {
+            "example.com" = {
+              webroot = "/var/www/challenges/";
+              email = "foo@example.com";
+              extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; };
+            };
+            "bar.example.com" = {
+              webroot = "/var/www/challenges/";
+              email = "bar@example.com";
+            };
+          }
+        '';
+      };
+    };
+  };
+  ###### implementation
+  config = mkMerge [
+    (mkIf (cfg.certs != { }) {
+      systemd.services = let
+          services = concatLists servicesLists;
+          servicesLists = mapAttrsToList certToServices cfg.certs;
+          certToServices = cert: data:
+              let
+                lpath = "acme/${cert}";
+                rights = if data.allowKeysForGroup then "750" else "700";
+                cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin ]
+                          ++ optionals (data.email != null) [ "--email" data.email ]
+                          ++ concatMap (p: [ "-f" p ]) data.plugins
+                          ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
+                          ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
+                acmeService = {
+                  description = "Renew ACME Certificate for ${cert}";
+                  after = [ "network.target" "network-online.target" ];
+                  wants = [ "network-online.target" ];
+                  # simp_le uses requests, which uses certifi under the hood,
+                  # which doesn't respect the system trust store.
+                  # At least in the acme test, we provision a fake CA, impersonating the LE endpoint.
+                  # REQUESTS_CA_BUNDLE is a way to teach python requests to use something else
+                  environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
+                  serviceConfig = {
+                    Type = "oneshot";
+                    # With RemainAfterExit the service is considered active even
+                    # after the main process having exited, which means when it
+                    # gets changed, the activation phase restarts it, meaning
+                    # the permissions of the StateDirectory get adjusted
+                    # according to the specified group
+                    RemainAfterExit = true;
+                    SuccessExitStatus = [ "0" "1" ];
+                    User = data.user;
+                    Group = data.group;
+                    PrivateTmp = true;
+                    StateDirectory = lpath;
+                    StateDirectoryMode = rights;
+                    WorkingDirectory = "/var/lib/${lpath}";
+                    ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}";
+                    ExecStartPost =
+                      let
+                        script = pkgs.writeScript "acme-post-start" ''
+                          #!${pkgs.runtimeShell} -e
+                          ${data.postRun}
+                        '';
+                      in
+                        "+${script}";
+                  };
+                };
+                selfsignedService = {
+                  description = "Create preliminary self-signed certificate for ${cert}";
+                  path = [ pkgs.openssl ];
+                  script =
+                    ''
+                      workdir="$(mktemp -d)"
+                      # Create CA
+                      openssl genrsa -des3 -passout pass:xxxx -out $workdir/ca.pass.key 2048
+                      openssl rsa -passin pass:xxxx -in $workdir/ca.pass.key -out $workdir/ca.key
+                      openssl req -new -key $workdir/ca.key -out $workdir/ca.csr \
+                        -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com"
+                      openssl x509 -req -days 1 -in $workdir/ca.csr -signkey $workdir/ca.key -out $workdir/ca.crt
+                      # Create key
+                      openssl genrsa -des3 -passout pass:xxxx -out $workdir/server.pass.key 2048
+                      openssl rsa -passin pass:xxxx -in $workdir/server.pass.key -out $workdir/server.key
+                      openssl req -new -key $workdir/server.key -out $workdir/server.csr \
+                        -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
+                      openssl x509 -req -days 1 -in $workdir/server.csr -CA $workdir/ca.crt \
+                        -CAkey $workdir/ca.key -CAserial $workdir/ca.srl -CAcreateserial \
+                        -out $workdir/server.crt
+                      # Copy key to destination
+                      cp $workdir/server.key /var/lib/${lpath}/key.pem
+                      # Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates)
+                      cat $workdir/{server.crt,ca.crt} > "/var/lib/${lpath}/fullchain.pem"
+                      # Create full.pem for e.g. lighttpd
+                      cat $workdir/{server.key,server.crt,ca.crt} > "/var/lib/${lpath}/full.pem"
+                      # Give key acme permissions
+                      chown '${data.user}:${data.group}' "/var/lib/${lpath}/"{key,fullchain,full}.pem
+                      chmod ${rights} "/var/lib/${lpath}/"{key,fullchain,full}.pem
+                    '';
+                  serviceConfig = {
+                    Type = "oneshot";
+                    PrivateTmp = true;
+                    StateDirectory = lpath;
+                    User = data.user;
+                    Group = data.group;
+                  };
+                  unitConfig = {
+                    # Do not create self-signed key when key already exists
+                    ConditionPathExists = "!/var/lib/${lpath}/key.pem";
+                  };
+                };
+              in (
+                [ { name = "acme-${cert}"; value = acmeService; } ]
+                ++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; }
+              );
+          servicesAttr = listToAttrs services;
+        in
+          servicesAttr;
+      systemd.tmpfiles.rules =
+        flip mapAttrsToList cfg.certs
+        (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}");
+      systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
+        ("acme-${cert}")
+        ({
+          description = "Renew ACME Certificate for ${cert}";
+          wantedBy = [ "timers.target" ];
+          timerConfig = {
+            OnCalendar = cfg.renewInterval;
+            Unit = "acme-${cert}.service";
+            Persistent = "yes";
+            AccuracySec = "5m";
+            RandomizedDelaySec = "1h";
+          };
+        })
+      );
+      systemd.targets.acme-selfsigned-certificates = mkIf cfg.preliminarySelfsigned {};
+      systemd.targets.acme-certificates = {};
+    })
+  ];
+  meta = {
+    maintainers = with lib.maintainers; [ abbradar fpletz globin ];
+    #doc = ./acme.xml;
+  };
+}
diff --git a/modules/default.nix b/modules/default.nix
index 9ff6ea62..98dc77d8 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -19,4 +19,5 @@
  php-application = ./websites/php-application.nix;
  websites = ./websites;
+  acme2 = ./acme2.nix;
 } // (if builtins.pathExists ./private then import ./private else {})
diff --git a/modules/websites/default.nix b/modules/websites/default.nix
index 6ba0d687..e69080e9 100644
--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -149,7 +149,7 @@ in
      serverAliases = [ "*" ];
      enableSSL = false;
      logFormat = "combinedVhost";
-      documentRoot = "${config.security.acme.directory}/acme-challenge";
+      documentRoot = "/var/lib/acme/acme-challenge";
      extraConfig = ''
        RewriteEngine on
        RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
@@ -178,9 +178,9 @@ in
    };
    toVhost = ips: vhostConf: {
      enableSSL = true;
-      sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem";
+      sslServerCert = "${config.security.acme2.certs."${vhostConf.certName}".directory}/cert.pem";
-      sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem";
+      sslServerKey = "${config.security.acme2.certs."${vhostConf.certName}".directory}/key.pem";
-      sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem";
+      sslServerChain = "${config.security.acme2.certs."${vhostConf.certName}".directory}/chain.pem";
      logFormat = "combinedVhost";
      listen = map (ip: { inherit ip; port = 443; }) ips;
      hostName = builtins.head vhostConf.hosts;
@@ -223,7 +223,7 @@ in
    }
  ) cfg.env;
-  config.security.acme.certs = let
+  config.security.acme2.certs = let
    typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env;
    flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
      attrValues v.vhostConfs
diff --git a/pkgs/certbot/default.nix b/pkgs/certbot/default.nix
new file mode 100644
index 00000000..8fdbfd12
--- /dev/null
+++ b/pkgs/certbot/default.nix
@@ -0,0 +1,65 @@
+{ stdenv, python37Packages, fetchFromGitHub, fetchurl, dialog, autoPatchelfHook }:
+python37Packages.buildPythonApplication rec {
+  pname = "certbot";
+  version = "1.0.0";
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "180x7gcpfbrzw8k654s7b5nxdy2yg61lq513dykyn3wz4gssw465";
+  };
+  patches = [
+    ./0001-Don-t-use-distutils.StrictVersion-that-cannot-handle.patch
+  ];
+  propagatedBuildInputs = with python37Packages; [
+    ConfigArgParse
+    acme
+    configobj
+    cryptography
+    distro
+    josepy
+    parsedatetime
+    psutil
+    pyRFC3339
+    pyopenssl
+    pytz
+    six
+    zope_component
+    zope_interface
+  ];
+  buildInputs = [ dialog ] ++ (with python37Packages; [ mock gnureadline ]);
+  checkInputs = with python37Packages; [
+    pytest_xdist
+    pytest
+    dateutil
+  ];
+  postPatch = ''
+    cd certbot
+    substituteInPlace certbot/_internal/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/bin/sendmail"
+  '';
+  postInstall = ''
+    for i in $out/bin/*; do
+      wrapProgram "$i" --prefix PYTHONPATH : "$PYTHONPATH" \
+                       --prefix PATH : "${dialog}/bin:$PATH"
+    done
+  '';
+  doCheck = true;
+  meta = with stdenv.lib; {
+    homepage = src.meta.homepage;
+    description = "ACME client that can obtain certs and extensibly update server configurations";
+    platforms = platforms.unix;
+    maintainers = [ maintainers.domenkozar ];
+    license = licenses.asl20;
+  };
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 82be20e5..54868ba9 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -48,6 +48,9 @@ rec {
  naemon = callPackage ./naemon { inherit mylibs monitoring-plugins; };
  naemon-livestatus = callPackage ./naemon-livestatus { inherit mylibs naemon; };
+  simp_le_0_17 = callPackage ./simp_le {};
+  certbot = callPackage ./certbot {};
  private = if builtins.pathExists (./. + "/private")
    then import ./private { inherit pkgs; }
    else { webapps = {}; };
diff --git a/pkgs/simp_le/default.nix b/pkgs/simp_le/default.nix
new file mode 100644
index 00000000..eaefba36
--- /dev/null
+++ b/pkgs/simp_le/default.nix
@@ -0,0 +1,32 @@
+{ stdenv, python3Packages, bash }:
+python3Packages.buildPythonApplication rec {
+  pname = "simp_le-client";
+  version = "0.17.0";
+  src = python3Packages.fetchPypi {
+    inherit pname version;
+    sha256 = "0m1jynar4calaffp2zdxr5yy9vnhw2qf2hsfxwzfwf8fqb5h7bjb";
+  };
+  postPatch = ''
+    # drop upper bound of idna requirement
+    sed -ri "s/'(idna)<[^']+'/'\1'/" setup.py
+    substituteInPlace simp_le.py \
+      --replace "/bin/sh" "${bash}/bin/sh"
+  '';
+  checkPhase = ''
+    $out/bin/simp_le --test
+  '';
+  propagatedBuildInputs = with python3Packages; [ acme setuptools_scm josepy idna ];
+  meta = with stdenv.lib; {
+    homepage = https://github.com/zenhack/simp_le;
+    description = "Simple Let's Encrypt client";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ gebner makefu ];
+    platforms = platforms.linux;
+  };
+}
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-01-15 20:41:19 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-04-25 00:04:41 +0200
commit	0540384561541f94435ad0f6e268e6989fb1d37a (patch)
tree	7e8c8b06f6039073dd2d2e648d11b3dba77e63df
parent	13cf2ab3521b5abeea0ee723d4657d667c666f32 (diff)
download	NUR-0540384561541f94435ad0f6e268e6989fb1d37a.tar.gz NUR-0540384561541f94435ad0f6e268e6989fb1d37a.tar.zst NUR-0540384561541f94435ad0f6e268e6989fb1d37a.zip

diff --git a/modules/acme2.nix b/modules/acme2.nix new file mode 100644 index 00000000..408c098e --- /dev/null +++ b/modules/acme2.nix
@@ -0,0 +1,340 @@
		1	{ config, lib, pkgs, ... }:
		2
		3	with lib;
		4
		5	let
		6
		7	cfg = config.security.acme2;
		8
		9	certOpts = { name, ... }: {
		10	options = {
		11	webroot = mkOption {
		12	type = types.str;
		13	example = "/var/lib/acme/acme-challenges";
		14	description = ''
		15	Where the webroot of the HTTP vhost is located.
		16	<filename>.well-known/acme-challenge/</filename> directory
		17	will be created below the webroot if it doesn't exist.
		18	<literal>http://example.org/.well-known/acme-challenge/</literal> must also
		19	be available (notice unencrypted HTTP).
		20	'';
		21	};
		22
		23	server = mkOption {
		24	type = types.nullOr types.str;
		25	default = null;
		26	description = ''
		27	ACME Directory Resource URI. Defaults to let's encrypt
		28	production endpoint,
		29	https://acme-v02.api.letsencrypt.org/directory, if unset.
		30	'';
		31	};
		32
		33	domain = mkOption {
		34	type = types.str;
		35	default = name;
		36	description = "Domain to fetch certificate for (defaults to the entry name)";
		37	};
		38
		39	email = mkOption {
		40	type = types.nullOr types.str;
		41	default = null;
		42	description = "Contact email address for the CA to be able to reach you.";
		43	};
		44
		45	user = mkOption {
		46	type = types.str;
		47	default = "root";
		48	description = "User running the ACME client.";
		49	};
		50
		51	group = mkOption {
		52	type = types.str;
		53	default = "root";
		54	description = "Group running the ACME client.";
		55	};
		56
		57	allowKeysForGroup = mkOption {
		58	type = types.bool;
		59	default = false;
		60	description = ''
		61	Give read permissions to the specified group
		62	(<option>security.acme2.cert.<name>.group</option>) to read SSL private certificates.
		63	'';
		64	};
		65
		66	postRun = mkOption {
		67	type = types.lines;
		68	default = "";
		69	example = "systemctl reload nginx.service";
		70	description = ''
		71	Commands to run after new certificates go live. Typically
		72	the web server and other servers using certificates need to
		73	be reloaded.
		74
		75	Executed in the same directory with the new certificate.
		76	'';
		77	};
		78
		79	plugins = mkOption {
		80	type = types.listOf (types.enum [
		81	"cert.der" "cert.pem" "chain.pem" "external.sh"
		82	"fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" "account_reg.json"
		83	]);
		84	default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json" ];
		85	description = ''
		86	Plugins to enable. With default settings simp_le will
		87	store public certificate bundle in <filename>fullchain.pem</filename>,
		88	private key in <filename>key.pem</filename> and those two previous
		89	files combined in <filename>full.pem</filename> in its state directory.
		90	'';
		91	};
		92
		93	directory = mkOption {
		94	type = types.str;
		95	readOnly = true;
		96	default = "/var/lib/acme/${name}";
		97	description = "Directory where certificate and other state is stored.";
		98	};
		99
		100	extraDomains = mkOption {
		101	type = types.attrsOf (types.nullOr types.str);
		102	default = {};
		103	example = literalExample ''
		104	{
		105	"example.org" = "/srv/http/nginx";
		106	"mydomain.org" = null;
		107	}
		108	'';
		109	description = ''
		110	A list of extra domain names, which are included in the one certificate to be issued, with their
		111	own server roots if needed.
		112	'';
		113	};
		114	};
		115	};
		116
		117	in
		118
		119	{
		120
		121	###### interface
		122	imports = [
		123	(mkRemovedOptionModule [ "security" "acme2" "production" ] ''
		124	Use security.acme2.server to define your staging ACME server URL instead.
		125
		126	To use the let's encrypt staging server, use security.acme2.server =
		127	"https://acme-staging-v02.api.letsencrypt.org/directory".
		128	''
		129	)
		130	(mkRemovedOptionModule [ "security" "acme2" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")
		131	(mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
		132	(mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
		133	];
		134	options = {
		135	security.acme2 = {
		136
		137	validMin = mkOption {
		138	type = types.int;
		139	default = 30 * 24 * 3600;
		140	description = "Minimum remaining validity before renewal in seconds.";
		141	};
		142
		143	renewInterval = mkOption {
		144	type = types.str;
		145	default = "weekly";
		146	description = ''
		147	Systemd calendar expression when to check for renewal. See
		148	<citerefentry><refentrytitle>systemd.time</refentrytitle>
		149	<manvolnum>7</manvolnum></citerefentry>.
		150	'';
		151	};
		152
		153	server = mkOption {
		154	type = types.nullOr types.str;
		155	default = null;
		156	description = ''
		157	ACME Directory Resource URI. Defaults to let's encrypt
		158	production endpoint,
		159	<literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset.
		160	'';
		161	};
		162
		163	preliminarySelfsigned = mkOption {
		164	type = types.bool;
		165	default = true;
		166	description = ''
		167	Whether a preliminary self-signed certificate should be generated before
		168	doing ACME requests. This can be useful when certificates are required in
		169	a webserver, but ACME needs the webserver to make its requests.
		170
		171	With preliminary self-signed certificate the webserver can be started and
		172	can later reload the correct ACME certificates.
		173	'';
		174	};
		175
		176	certs = mkOption {
		177	default = { };
		178	type = with types; attrsOf (submodule certOpts);
		179	description = ''
		180	Attribute set of certificates to get signed and renewed. Creates
		181	<literal>acme-''${cert}.{service,timer}</literal> systemd units for
		182	each certificate defined here. Other services can add dependencies
		183	to those units if they rely on the certificates being present,
		184	or trigger restarts of the service if certificates get renewed.
		185	'';
		186	example = literalExample ''
		187	{
		188	"example.com" = {
		189	webroot = "/var/www/challenges/";
		190	email = "foo@example.com";
		191	extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; };
		192	};
		193	"bar.example.com" = {
		194	webroot = "/var/www/challenges/";
		195	email = "bar@example.com";
		196	};
		197	}
		198	'';
		199	};
		200	};
		201	};
		202
		203	###### implementation
		204	config = mkMerge [
		205	(mkIf (cfg.certs != { }) {
		206
		207	systemd.services = let
		208	services = concatLists servicesLists;
		209	servicesLists = mapAttrsToList certToServices cfg.certs;
		210	certToServices = cert: data:
		211	let
		212	lpath = "acme/${cert}";
		213	rights = if data.allowKeysForGroup then "750" else "700";
		214	cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin ]
		215	++ optionals (data.email != null) [ "--email" data.email ]
		216	++ concatMap (p: [ "-f" p ]) data.plugins
		217	++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
		218	++ optionals (cfg.server != null \|\| data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
		219	acmeService = {
		220	description = "Renew ACME Certificate for ${cert}";
		221	after = [ "network.target" "network-online.target" ];
		222	wants = [ "network-online.target" ];
		223	# simp_le uses requests, which uses certifi under the hood,
		224	# which doesn't respect the system trust store.
		225	# At least in the acme test, we provision a fake CA, impersonating the LE endpoint.
		226	# REQUESTS_CA_BUNDLE is a way to teach python requests to use something else
		227	environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
		228	serviceConfig = {
		229	Type = "oneshot";
		230	# With RemainAfterExit the service is considered active even
		231	# after the main process having exited, which means when it
		232	# gets changed, the activation phase restarts it, meaning
		233	# the permissions of the StateDirectory get adjusted
		234	# according to the specified group
		235	RemainAfterExit = true;
		236	SuccessExitStatus = [ "0" "1" ];
		237	User = data.user;
		238	Group = data.group;
		239	PrivateTmp = true;
		240	StateDirectory = lpath;
		241	StateDirectoryMode = rights;
		242	WorkingDirectory = "/var/lib/${lpath}";
		243	ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}";
		244	ExecStartPost =
		245	let
		246	script = pkgs.writeScript "acme-post-start" ''
		247	#!${pkgs.runtimeShell} -e
		248	${data.postRun}
		249	'';
		250	in
		251	"+${script}";
		252	};
		253
		254	};
		255	selfsignedService = {
		256	description = "Create preliminary self-signed certificate for ${cert}";
		257	path = [ pkgs.openssl ];
		258	script =
		259	''
		260	workdir="$(mktemp -d)"
		261
		262	# Create CA
		263	openssl genrsa -des3 -passout pass:xxxx -out $workdir/ca.pass.key 2048
		264	openssl rsa -passin pass:xxxx -in $workdir/ca.pass.key -out $workdir/ca.key
		265	openssl req -new -key $workdir/ca.key -out $workdir/ca.csr \
		266	-subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com"
		267	openssl x509 -req -days 1 -in $workdir/ca.csr -signkey $workdir/ca.key -out $workdir/ca.crt
		268
		269	# Create key
		270	openssl genrsa -des3 -passout pass:xxxx -out $workdir/server.pass.key 2048
		271	openssl rsa -passin pass:xxxx -in $workdir/server.pass.key -out $workdir/server.key
		272	openssl req -new -key $workdir/server.key -out $workdir/server.csr \
		273	-subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
		274	openssl x509 -req -days 1 -in $workdir/server.csr -CA $workdir/ca.crt \
		275	-CAkey $workdir/ca.key -CAserial $workdir/ca.srl -CAcreateserial \
		276	-out $workdir/server.crt
		277
		278	# Copy key to destination
		279	cp $workdir/server.key /var/lib/${lpath}/key.pem
		280
		281	# Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates)
		282	cat $workdir/{server.crt,ca.crt} > "/var/lib/${lpath}/fullchain.pem"
		283
		284	# Create full.pem for e.g. lighttpd
		285	cat $workdir/{server.key,server.crt,ca.crt} > "/var/lib/${lpath}/full.pem"
		286
		287	# Give key acme permissions
		288	chown '${data.user}:${data.group}' "/var/lib/${lpath}/"{key,fullchain,full}.pem
		289	chmod ${rights} "/var/lib/${lpath}/"{key,fullchain,full}.pem
		290	'';
		291	serviceConfig = {
		292	Type = "oneshot";
		293	PrivateTmp = true;
		294	StateDirectory = lpath;
		295	User = data.user;
		296	Group = data.group;
		297	};
		298	unitConfig = {
		299	# Do not create self-signed key when key already exists
		300	ConditionPathExists = "!/var/lib/${lpath}/key.pem";
		301	};
		302	};
		303	in (
		304	[ { name = "acme-${cert}"; value = acmeService; } ]
		305	++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; }
		306	);
		307	servicesAttr = listToAttrs services;
		308	in
		309	servicesAttr;
		310
		311	systemd.tmpfiles.rules =
		312	flip mapAttrsToList cfg.certs
		313	(cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}");
		314
		315	systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
		316	("acme-${cert}")
		317	({
		318	description = "Renew ACME Certificate for ${cert}";
		319	wantedBy = [ "timers.target" ];
		320	timerConfig = {
		321	OnCalendar = cfg.renewInterval;
		322	Unit = "acme-${cert}.service";
		323	Persistent = "yes";
		324	AccuracySec = "5m";
		325	RandomizedDelaySec = "1h";
		326	};
		327	})
		328	);
		329
		330	systemd.targets.acme-selfsigned-certificates = mkIf cfg.preliminarySelfsigned {};
		331	systemd.targets.acme-certificates = {};
		332	})
		333
		334	];
		335
		336	meta = {
		337	maintainers = with lib.maintainers; [ abbradar fpletz globin ];
		338	#doc = ./acme.xml;
		339	};
		340	}


diff --git a/modules/default.nix b/modules/default.nix index 9ff6ea62..98dc77d8 100644 --- a/modules/default.nix +++ b/modules/default.nix
@@ -19,4 +19,5 @@
19		19
20	php-application = ./websites/php-application.nix;	20	php-application = ./websites/php-application.nix;
21	websites = ./websites;	21	websites = ./websites;
		22	acme2 = ./acme2.nix;
22	} // (if builtins.pathExists ./private then import ./private else {})	23	} // (if builtins.pathExists ./private then import ./private else {})


diff --git a/modules/websites/default.nix b/modules/websites/default.nix index 6ba0d687..e69080e9 100644 --- a/modules/websites/default.nix +++ b/modules/websites/default.nix
@@ -149,7 +149,7 @@ in
149	serverAliases = [ "*" ];	149	serverAliases = [ "*" ];
150	enableSSL = false;	150	enableSSL = false;
151	logFormat = "combinedVhost";	151	logFormat = "combinedVhost";
152	documentRoot = "${config.security.acme.directory}/acme-challenge";	152	documentRoot = "/var/lib/acme/acme-challenge";
153	extraConfig = ''	153	extraConfig = ''
154	RewriteEngine on	154	RewriteEngine on
155	RewriteCond "%{REQUEST_URI}" "!^/\.well-known"	155	RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
@@ -178,9 +178,9 @@ in
178	};	178	};
179	toVhost = ips: vhostConf: {	179	toVhost = ips: vhostConf: {
180	enableSSL = true;	180	enableSSL = true;
181	sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem";	181	sslServerCert = "${config.security.acme2.certs."${vhostConf.certName}".directory}/cert.pem";
182	sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem";	182	sslServerKey = "${config.security.acme2.certs."${vhostConf.certName}".directory}/key.pem";
183	sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem";	183	sslServerChain = "${config.security.acme2.certs."${vhostConf.certName}".directory}/chain.pem";
184	logFormat = "combinedVhost";	184	logFormat = "combinedVhost";
185	listen = map (ip: { inherit ip; port = 443; }) ips;	185	listen = map (ip: { inherit ip; port = 443; }) ips;
186	hostName = builtins.head vhostConf.hosts;	186	hostName = builtins.head vhostConf.hosts;
@@ -223,7 +223,7 @@ in
223	}	223	}
224	) cfg.env;	224	) cfg.env;
225		225
226	config.security.acme.certs = let	226	config.security.acme2.certs = let
227	typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env;	227	typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env;
228	flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:	228	flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
229	attrValues v.vhostConfs	229	attrValues v.vhostConfs


diff --git a/pkgs/certbot/default.nix b/pkgs/certbot/default.nix new file mode 100644 index 00000000..8fdbfd12 --- /dev/null +++ b/pkgs/certbot/default.nix
@@ -0,0 +1,65 @@
		1	{ stdenv, python37Packages, fetchFromGitHub, fetchurl, dialog, autoPatchelfHook }:
		2
		3
		4	python37Packages.buildPythonApplication rec {
		5	pname = "certbot";
		6	version = "1.0.0";
		7
		8	src = fetchFromGitHub {
		9	owner = pname;
		10	repo = pname;
		11	rev = "v${version}";
		12	sha256 = "180x7gcpfbrzw8k654s7b5nxdy2yg61lq513dykyn3wz4gssw465";
		13	};
		14
		15	patches = [
		16	./0001-Don-t-use-distutils.StrictVersion-that-cannot-handle.patch
		17	];
		18
		19	propagatedBuildInputs = with python37Packages; [
		20	ConfigArgParse
		21	acme
		22	configobj
		23	cryptography
		24	distro
		25	josepy
		26	parsedatetime
		27	psutil
		28	pyRFC3339
		29	pyopenssl
		30	pytz
		31	six
		32	zope_component
		33	zope_interface
		34	];
		35
		36	buildInputs = [ dialog ] ++ (with python37Packages; [ mock gnureadline ]);
		37
		38	checkInputs = with python37Packages; [
		39	pytest_xdist
		40	pytest
		41	dateutil
		42	];
		43
		44	postPatch = ''
		45	cd certbot
		46	substituteInPlace certbot/_internal/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/bin/sendmail"
		47	'';
		48
		49	postInstall = ''
		50	for i in $out/bin/*; do
		51	wrapProgram "$i" --prefix PYTHONPATH : "$PYTHONPATH" \
		52	--prefix PATH : "${dialog}/bin:$PATH"
		53	done
		54	'';
		55
		56	doCheck = true;
		57
		58	meta = with stdenv.lib; {
		59	homepage = src.meta.homepage;
		60	description = "ACME client that can obtain certs and extensibly update server configurations";
		61	platforms = platforms.unix;
		62	maintainers = [ maintainers.domenkozar ];
		63	license = licenses.asl20;
		64	};
		65	}


diff --git a/pkgs/default.nix b/pkgs/default.nix index 82be20e5..54868ba9 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix
@@ -48,6 +48,9 @@ rec {
48	naemon = callPackage ./naemon { inherit mylibs monitoring-plugins; };	48	naemon = callPackage ./naemon { inherit mylibs monitoring-plugins; };
49	naemon-livestatus = callPackage ./naemon-livestatus { inherit mylibs naemon; };	49	naemon-livestatus = callPackage ./naemon-livestatus { inherit mylibs naemon; };
50		50
		51	simp_le_0_17 = callPackage ./simp_le {};
		52	certbot = callPackage ./certbot {};
		53
51	private = if builtins.pathExists (./. + "/private")	54	private = if builtins.pathExists (./. + "/private")
52	then import ./private { inherit pkgs; }	55	then import ./private { inherit pkgs; }
53	else { webapps = {}; };	56	else { webapps = {}; };


diff --git a/pkgs/simp_le/default.nix b/pkgs/simp_le/default.nix new file mode 100644 index 00000000..eaefba36 --- /dev/null +++ b/pkgs/simp_le/default.nix
@@ -0,0 +1,32 @@
		1	{ stdenv, python3Packages, bash }:
		2
		3	python3Packages.buildPythonApplication rec {
		4	pname = "simp_le-client";
		5	version = "0.17.0";
		6
		7	src = python3Packages.fetchPypi {
		8	inherit pname version;
		9	sha256 = "0m1jynar4calaffp2zdxr5yy9vnhw2qf2hsfxwzfwf8fqb5h7bjb";
		10	};
		11
		12	postPatch = ''
		13	# drop upper bound of idna requirement
		14	sed -ri "s/'(idna)<[^']+'/'\1'/" setup.py
		15	substituteInPlace simp_le.py \
		16	--replace "/bin/sh" "${bash}/bin/sh"
		17	'';
		18
		19	checkPhase = ''
		20	$out/bin/simp_le --test
		21	'';
		22
		23	propagatedBuildInputs = with python3Packages; [ acme setuptools_scm josepy idna ];
		24
		25	meta = with stdenv.lib; {
		26	homepage = https://github.com/zenhack/simp_le;
		27	description = "Simple Let's Encrypt client";
		28	license = licenses.gpl3;
		29	maintainers = with maintainers; [ gebner makefu ];
		30	platforms = platforms.linux;
		31	};
		32	}