pyrox.dev / nixpkgs
lol
fork atom

nixos/acme: improve scalability - reduce superfluous unit activations

The previous setup caused all renewal units to be triggered upon
ever so slight changes in config. In larger setups (100+ certificates)
adding a new certificate caused high system load and/or large memory
consumption issues. The memory issues are already a alleviated with
the locking mechanism. However, this then causes long delays upwards
of multiple minutes depending on individual runs and also caused
superfluous activations.

In this change we streamline the overall setup of units:

1. The unit that other services can depend upon is 'acme-{cert}.service'.
We call this the 'base unit'. As this one as `RemainAfterExit` set
the `acme-finished-{cert}` targets are not required any longer.

2. We now always generate initial self-signed certificates to simplify
the dependency structure. This deprecates the `preliminarySelfsigned`
option.

3. The `acme-order-renew-{cert}` service gets activated after the base
unit and services using certificates have started and performs all acme
interactions. When it finishes others services (like web servers) will
be notified through the `reloadServices` option or they can use
`wantedBy` and `after` dependencies if they implement their own reload
units.

The renewal timer also triggers this unit.

4. The timer unit is explicitly blocked from being started by s-t-c.

5. Permission management has been cleaned up a bit: there was an
inconsistency between having the .lego files set to 600 vs 640
on the exposed side. This is unified to 640 now.

6. Exempt the account target from being restarted by s-t-c. This will
happen automatically if something relevant to the account changes.

Christian Theune 2d0a4891 dfe6a41c

options
unified split
Changed files
+381 -277
nixos
modules
security
acme
default.md
default.nix
services
networking
doh-server.nix
web-servers
apache-httpd
default.nix
caddy
default.nix
h2o
default.nix
nginx
default.nix
pomerium.nix
tests
acme
caddy.nix
default.nix
http01-builtin.nix
python-utils.py
webserver.nix
step-ca.nix
+1 -1
nixos/modules/security/acme/default.md 
···

       
318

       
318

       
 

       



     

       
319

       
319

       
 

       
  # Now you must augment OpenSMTPD's systemd service to load


     

       
320

       
320

       
 

       
  # the certificate files.


     

       
321

       

       
-

       
  systemd.services.opensmtpd.requires = [ "acme-finished-mail.example.com.target" ];


     

       

       
321

       
+

       
  systemd.services.opensmtpd.requires = [ "acme-mail.example.com.service" ];


     

       
322

       
322

       
 

       
  systemd.services.opensmtpd.serviceConfig.LoadCredential =


     

       
323

       
323

       
 

       
    let


     

       
324

       
324

       
 

       
      certDir = config.security.acme.certs."mail.example.com".directory;
+146 -137
nixos/modules/security/acme/default.nix 
···

       
160

       
160

       
 

       
  );


     

       
161

       
161

       
 

       



     

       
162

       
162

       
 

       
  # This is defined with lib.mkMerge so that we can separate the config per function.


     

       
163

       

       
-

       
  setupService = lib.mkMerge [


     

       
164

       

       
-

       
    {


     

       
165

       

       
-

       
      description = "Set up the ACME certificate renewal infrastructure";


     

       
166

       

       
-

       
      script = lib.mkBefore ''


     

       
167

       

       
-

       
        ${lib.optionalString cfg.defaults.enableDebugLogs "set -x"}


     

       
168

       

       
-

       
        set -euo pipefail


     

       
169

       

       
-

       
      '';


     

       
170

       

       
-

       
      serviceConfig = commonServiceConfig // {


     

       
171

       

       
-

       
        # This script runs with elevated privileges, denoted by the +


     

       
172

       

       
-

       
        # ExecStartPre is used instead of ExecStart so that the `script` continues to work.


     

       
173

       

       
-

       
        ExecStartPre = "+${lib.getExe privilegedSetupScript}";


     

       

       
163

       
+

       
  setupService = {


     

       

       
164

       
+

       
    description = "Set up the ACME certificate renewal infrastructure";


     

       

       
165

       
+

       
    path = [ pkgs.minica ];


     

       
174

       
166

       
 

       



     

       
175

       

       
-

       
        # We don't want this to run every time a renewal happens


     

       
176

       

       
-

       
        RemainAfterExit = true;


     

       

       
167

       
+

       
    script = lib.mkBefore ''


     

       

       
168

       
+

       
      ${lib.optionalString cfg.defaults.enableDebugLogs "set -x"}


     

       

       
169

       
+

       
      set -euo pipefail


     

       

       
170

       
+

       
      test -e ca/key.pem || minica \


     

       

       
171

       
+

       
        --ca-key ca/key.pem \


     

       

       
172

       
+

       
        --ca-cert ca/cert.pem \


     

       

       
173

       
+

       
        --domains selfsigned.local


     

       

       
174

       
+

       
    '';


     

       
177

       
175

       
 

       



     

       
178

       

       
-

       
        # StateDirectory entries are a cleaner, service-level mechanism


     

       
179

       

       
-

       
        # for dealing with persistent service data


     

       
180

       

       
-

       
        StateDirectory = [


     

       
181

       

       
-

       
          "acme"


     

       
182

       

       
-

       
          "acme/.lego"


     

       
183

       

       
-

       
          "acme/.lego/accounts"


     

       
184

       

       
-

       
        ];


     

       
185

       

       
-

       
        StateDirectoryMode = "0755";


     

       

       
176

       
+

       
    serviceConfig = commonServiceConfig // {


     

       

       
177

       
+

       
      # This script runs with elevated privileges, denoted by the +


     

       

       
178

       
+

       
      # ExecStartPre is used instead of ExecStart so that the `script` continues to work.


     

       

       
179

       
+

       
      ExecStartPre = "+${lib.getExe privilegedSetupScript}";


     

       
186

       
180

       
 

       



     

       
187

       

       
-

       
        # Creates ${lockdir}. Earlier RemainAfterExit=true means


     

       
188

       

       
-

       
        # it does not get deleted immediately.


     

       
189

       

       
-

       
        RuntimeDirectory = "acme";


     

       
190

       

       
-

       
        RuntimeDirectoryMode = "0700";


     

       

       
181

       
+

       
      # We don't want this to run every time a renewal happens


     

       

       
182

       
+

       
      RemainAfterExit = true;


     

       
191

       
183

       
 

       



     

       
192

       

       
-

       
        # Generally, we don't write anything that should be group accessible.


     

       
193

       

       
-

       
        # Group varies for most ACME units, and setup files are only used


     

       
194

       

       
-

       
        # under the acme user.


     

       
195

       

       
-

       
        UMask = "0077";


     

       
196

       

       
-

       
      };


     

       
197

       

       
-

       
    }


     

       

       
184

       
+

       
      # StateDirectory entries are a cleaner, service-level mechanism


     

       

       
185

       
+

       
      # for dealing with persistent service data


     

       

       
186

       
+

       
      StateDirectory = [


     

       

       
187

       
+

       
        "acme"


     

       

       
188

       
+

       
        "acme/.lego"


     

       

       
189

       
+

       
        "acme/.lego/accounts"


     

       

       
190

       
+

       
        "acme/.minica"


     

       

       
191

       
+

       
      ];


     

       

       
192

       
+

       
      BindPaths = "/var/lib/acme/.minica:/tmp/ca";


     

       

       
193

       
+

       
      StateDirectoryMode = "0755";


     

       
198

       
194

       
 

       



     

       
199

       

       
-

       
    # Avoid race conditions creating the CA for selfsigned certs


     

       
200

       

       
-

       
    (lib.mkIf cfg.preliminarySelfsigned {


     

       
201

       

       
-

       
      path = [ pkgs.minica ];


     

       
202

       

       
-

       
      # Working directory will be /tmp


     

       
203

       

       
-

       
      script = ''


     

       
204

       

       
-

       
        test -e ca/key.pem || minica \


     

       
205

       

       
-

       
          --ca-key ca/key.pem \


     

       
206

       

       
-

       
          --ca-cert ca/cert.pem \


     

       
207

       

       
-

       
          --domains selfsigned.local


     

       
208

       

       
-

       
      '';


     

       
209

       

       
-

       
      serviceConfig = {


     

       
210

       

       
-

       
        StateDirectory = [ "acme/.minica" ];


     

       
211

       

       
-

       
        BindPaths = "/var/lib/acme/.minica:/tmp/ca";


     

       
212

       

       
-

       
      };


     

       
213

       

       
-

       
    })


     

       
214

       

       
-

       
  ];


     

       

       
195

       
+

       
      # Creates ${lockdir}. Earlier RemainAfterExit=true means


     

       

       
196

       
+

       
      # it does not get deleted immediately.


     

       

       
197

       
+

       
      RuntimeDirectory = "acme";


     

       

       
198

       
+

       
      RuntimeDirectoryMode = "0700";


     

       

       
199

       
+

       



     

       

       
200

       
+

       
      # Generally, we don't write anything that should be group accessible.


     

       

       
201

       
+

       
      # Group varies for most ACME units, and setup files are only used


     

       

       
202

       
+

       
      # under the acme user.


     

       

       
203

       
+

       
      UMask = "0077";


     

       

       
204

       
+

       
    };


     

       

       
205

       
+

       
  };


     

       
215

       
206

       
 

       



     

       
216

       
207

       
 

       
  certToConfig =


     

       
217

       
208

       
 

       
    cert: data:


     
···

       
219

       
210

       
 

       
      acmeServer = data.server;


     

       
220

       
211

       
 

       
      useDns = data.dnsProvider != null;


     

       
221

       
212

       
 

       
      destPath = "/var/lib/acme/${cert}";


     

       
222

       

       
-

       
      selfsignedDeps = lib.optionals (cfg.preliminarySelfsigned) [ "acme-selfsigned-${cert}.service" ];


     

       
223

       
213

       
 

       



     

       
224

       
214

       
 

       
      # Minica and lego have a "feature" which replaces * with _. We need


     

       
225

       
215

       
 

       
      # to make this substitution to reference the output files from both programs.


     
···

       
339

       
329

       
 

       
      certificateKey = if data.csrKey != null then "${data.csrKey}" else "certificates/${keyName}.key";


     

       
340

       
330

       
 

       
    in


     

       
341

       
331

       
 

       
    {


     

       
342

       

       
-

       
      inherit accountHash cert selfsignedDeps;


     

       

       
332

       
+

       
      inherit accountHash cert;


     

       
343

       
333

       
 

       



     

       
344

       
334

       
 

       
      group = data.group;


     

       
345

       
335

       
 

       



     

       
346

       
336

       
 

       
      renewTimer = {


     

       
347

       
337

       
 

       
        description = "Renew ACME Certificate for ${cert}";


     

       
348

       
338

       
 

       
        wantedBy = [ "timers.target" ];


     

       

       
339

       
+

       
        # Avoid triggering certificate renewals accidentally when running s-t-c.


     

       

       
340

       
+

       
        unitConfig."X-OnlyManualStart" = true;


     

       
349

       
341

       
 

       
        timerConfig = {


     

       
350

       
342

       
 

       
          OnCalendar = data.renewInterval;


     

       
351

       

       
-

       
          Unit = "acme-${cert}.service";


     

       

       
343

       
+

       
          Unit = "acme-order-renew-${cert}.service";


     

       
352

       
344

       
 

       
          Persistent = "yes";


     

       
353

       
345

       
 

       



     

       
354

       
346

       
 

       
          # Allow systemd to pick a convenient time within the day


     
···

       
364

       
356

       
 

       
        };


     

       
365

       
357

       
 

       
      };


     

       
366

       
358

       
 

       



     

       
367

       

       
-

       
      selfsignService = lockfileName: {


     

       
368

       

       
-

       
        description = "Generate self-signed certificate for ${cert}";


     

       

       
359

       
+

       
      baseService = lockfileName: {


     

       

       
360

       
+

       
        description = "Ensure certificate for ${cert}";


     

       

       
361

       
+

       



     

       

       
362

       
+

       
        wantedBy = [ "multi-user.target" ];


     

       

       
363

       
+

       



     

       
369

       
364

       
 

       
        after = [ "acme-setup.service" ];


     

       
370

       

       
-

       
        requires = [ "acme-setup.service" ];


     

       

       
365

       
+

       



     

       

       
366

       
+

       
        # Whenever this service starts (on boot, through dependencies, through


     

       

       
367

       
+

       
        # changes) we trigger the acme-order-renew service to give it a chance


     

       

       
368

       
+

       
        # to catch up with the potentially changed config.


     

       

       
369

       
+

       
        wants = [


     

       

       
370

       
+

       
          "acme-setup.service"


     

       

       
371

       
+

       
          "acme-order-renew-${cert}.service"


     

       

       
372

       
+

       
        ];


     

       

       
373

       
+

       
        before = [ "acme-order-renew-${cert}.service" ];


     

       

       
374

       
+

       



     

       

       
375

       
+

       
        restartTriggers = [


     

       

       
376

       
+

       
          config.systemd.services."acme-order-renew-${cert}".script


     

       

       
377

       
+

       
        ];


     

       
371

       
378

       
 

       



     

       
372

       
379

       
 

       
        path = [ pkgs.minica ];


     

       
373

       
380

       
 

       



     

       
374

       
381

       
 

       
        unitConfig = {


     

       
375

       

       
-

       
          ConditionPathExists = "!/var/lib/acme/${cert}/key.pem";


     

       
376

       
382

       
 

       
          StartLimitIntervalSec = 0;


     

       
377

       
383

       
 

       
        };


     

       
378

       
384

       
 

       



     
···

       
380

       
386

       
 

       
          Group = data.group;


     

       
381

       
387

       
 

       
          UMask = "0027";


     

       
382

       
388

       
 

       



     

       

       
389

       
+

       
          RemainAfterExit = true;


     

       

       
390

       
+

       



     

       
383

       
391

       
 

       
          StateDirectory = "acme/${cert}";


     

       
384

       
392

       
 

       



     

       
385

       
393

       
 

       
          BindPaths = [


     

       
386

       
394

       
 

       
            "/var/lib/acme/.minica:/tmp/ca"


     

       
387

       

       
-

       
            "/var/lib/acme/${cert}:/tmp/${keyName}"


     

       

       
395

       
+

       
            "/var/lib/acme/${cert}:/tmp/out"


     

       
388

       
396

       
 

       
          ];


     

       
389

       
397

       
 

       
        };


     

       
390

       
398

       
 

       



     
···

       
392

       
400

       
 

       
        # minica will output to a folder sharing the name of the first domain


     

       
393

       
401

       
 

       
        # in the list, which will be ${data.domain}


     

       
394

       
402

       
 

       
        script = (if (lockfileName == null) then lib.id else wrapInFlock "${lockdir}${lockfileName}") ''


     

       

       
403

       
+

       
          set -ex


     

       

       
404

       
+

       



     

       

       
405

       
+

       
          # Regenerate self-signed certificates (in case the SANs change) until we


     

       

       
406

       
+

       
          # have seen a succesfull ACME certificate at least once.


     

       

       
407

       
+

       
          if [ -e out/acme-success ]; then


     

       

       
408

       
+

       
            exit 0


     

       

       
409

       
+

       
          fi


     

       

       
410

       
+

       



     

       
395

       
411

       
 

       
          minica \


     

       
396

       
412

       
 

       
            --ca-key ca/key.pem \


     

       
397

       
413

       
 

       
            --ca-cert ca/cert.pem \


     

       
398

       
414

       
 

       
            --domains ${lib.escapeShellArg (builtins.concatStringsSep "," ([ data.domain ] ++ extraDomains))}


     

       
399

       
415

       
 

       



     

       
400

       
416

       
 

       
          # Create files to match directory layout for real certificates


     

       
401

       

       
-

       
          cd '${keyName}'


     

       
402

       

       
-

       
          cp ../ca/cert.pem chain.pem


     

       
403

       

       
-

       
          cat cert.pem chain.pem > fullchain.pem


     

       
404

       

       
-

       
          cat key.pem fullchain.pem > full.pem


     

       

       
417

       
+

       
          (


     

       

       
418

       
+

       
            cd '${keyName}'


     

       

       
419

       
+

       
            cp -vp cert.pem ../out/cert.pem


     

       

       
420

       
+

       
            cp -vp key.pem ../out/key.pem


     

       

       
421

       
+

       
          )


     

       

       
422

       
+

       
          cat out/cert.pem ca/cert.pem > out/fullchain.pem


     

       

       
423

       
+

       
          cp ca/cert.pem out/chain.pem


     

       

       
424

       
+

       
          cat out/key.pem out/fullchain.pem > out/full.pem


     

       
405

       
425

       
 

       



     

       
406

       

       
-

       
          # Group might change between runs, re-apply it


     

       
407

       

       
-

       
          chown '${user}:${data.group}' -- *


     

       

       
426

       
+

       
          # Fix up the output files to adhere to the group and


     

       

       
427

       
+

       
          # have consistent permissions. This needs to be kept


     

       

       
428

       
+

       
          # consistent with the acme-setup script above.


     

       

       
429

       
+

       
          for fixpath in out certificates; do


     

       

       
430

       
+

       
            if [ -d "$fixpath" ]; then


     

       

       
431

       
+

       
              chmod -R u=rwX,g=rX,o= "$fixpath"


     

       

       
432

       
+

       
              chown -R ${user}:${data.group} "$fixpath"


     

       

       
433

       
+

       
            fi


     

       

       
434

       
+

       
          done


     

       
408

       
435

       
 

       



     

       
409

       

       
-

       
          # Default permissions make the files unreadable by group + anon


     

       
410

       

       
-

       
          # Need to be readable by group


     

       
411

       

       
-

       
          chmod 640 -- *


     

       

       
436

       
+

       
          ${lib.optionalString (data.webroot != null) ''


     

       

       
437

       
+

       
            # Ensure the webroot exists. Fixing group is required in case configuration was changed between runs.


     

       

       
438

       
+

       
            # Lego will fail if the webroot does not exist at all.


     

       

       
439

       
+

       
            (


     

       

       
440

       
+

       
              mkdir -p '${data.webroot}/.well-known/acme-challenge' \


     

       

       
441

       
+

       
              && chgrp '${data.group}' ${data.webroot}/.well-known/acme-challenge


     

       

       
442

       
+

       
            ) || (


     

       

       
443

       
+

       
              echo 'Please ensure ${data.webroot}/.well-known/acme-challenge exists and is writable by acme:${data.group}' \


     

       

       
444

       
+

       
              && exit 1


     

       

       
445

       
+

       
            )


     

       

       
446

       
+

       
          ''}


     

       
412

       
447

       
 

       
        '';


     

       
413

       
448

       
 

       
      };


     

       
414

       
449

       
 

       



     

       
415

       

       
-

       
      renewService = lockfileName: {


     

       
416

       

       
-

       
        description = "Renew ACME certificate for ${cert}";


     

       

       
450

       
+

       
      orderRenewService = lockfileName: {


     

       

       
451

       
+

       
        description = "Order (and renew) ACME certificate for ${cert}";


     

       
417

       
452

       
 

       
        after = [


     

       
418

       
453

       
 

       
          "network.target"


     

       
419

       
454

       
 

       
          "network-online.target"


     

       
420

       
455

       
 

       
          "acme-setup.service"


     

       
421

       
456

       
 

       
          "nss-lookup.target"


     

       
422

       

       
-

       
        ]


     

       
423

       

       
-

       
        ++ selfsignedDeps;


     

       
424

       

       
-

       
        wants = [ "network-online.target" ] ++ selfsignedDeps;


     

       
425

       

       
-

       
        requires = [ "acme-setup.service" ];


     

       
426

       

       
-

       



     

       
427

       

       
-

       
        # https://github.com/NixOS/nixpkgs/pull/81371#issuecomment-605526099


     

       
428

       

       
-

       
        wantedBy = lib.optionals (!config.boot.isContainer) [ "multi-user.target" ];


     

       

       
457

       
+

       
          "acme-${cert}.service"


     

       

       
458

       
+

       
        ];


     

       

       
459

       
+

       
        wants = [


     

       

       
460

       
+

       
          "network-online.target"


     

       

       
461

       
+

       
          "acme-setup.service"


     

       

       
462

       
+

       
          "acme-${cert}.service"


     

       

       
463

       
+

       
        ];


     

       

       
464

       
+

       
        # Ensure that certificates are generated if people use `security.acme.certs`


     

       

       
465

       
+

       
        # without having/declaring other systemd units that depend on the cert.


     

       
429

       
466

       
 

       



     

       
430

       
467

       
 

       
        path = with pkgs; [


     

       
431

       
468

       
 

       
          lego


     
···

       
523

       
560

       
 

       
            [[ $expiration_days -gt ${toString data.validMinDays} ]]


     

       
524

       
561

       
 

       
          }


     

       
525

       
562

       
 

       



     

       
526

       

       
-

       
          ${lib.optionalString (data.webroot != null) ''


     

       
527

       

       
-

       
            # Ensure the webroot exists. Fixing group is required in case configuration was changed between runs.


     

       
528

       

       
-

       
            # Lego will fail if the webroot does not exist at all.


     

       
529

       

       
-

       
            (


     

       
530

       

       
-

       
              mkdir -p '${data.webroot}/.well-known/acme-challenge' \


     

       
531

       

       
-

       
              && chgrp '${data.group}' ${data.webroot}/.well-known/acme-challenge


     

       
532

       

       
-

       
            ) || (


     

       
533

       

       
-

       
              echo 'Please ensure ${data.webroot}/.well-known/acme-challenge exists and is writable by acme:${data.group}' \


     

       
534

       

       
-

       
              && exit 1


     

       
535

       

       
-

       
            )


     

       
536

       

       
-

       
          ''}


     

       
537

       

       
-

       



     

       
538

       
563

       
 

       
          echo '${domainHash}' > domainhash.txt


     

       
539

       
564

       
 

       



     

       
540

       

       
-

       
          # Check if we can renew.


     

       

       
565

       
+

       
          # Check if a new order is needed


     

       
541

       
566

       
 

       
          # We can only renew if the list of domains has not changed.


     

       
542

       
567

       
 

       
          # We also need an account key. Avoids #190493


     

       
543

       
568

       
 

       
          if cmp -s domainhash.txt certificates/domainhash.txt && [ -e '${certificateKey}' ] && [ -e 'certificates/${keyName}.crt' ] && [ -n "$(find accounts -name '${data.email}.key')" ]; then


     

       
544

       

       
-

       



     

       
545

       
569

       
 

       
            # Even if a cert is not expired, it may be revoked by the CA.


     

       
546

       
570

       
 

       
            # Try to renew, and silently fail if the cert is not expired.


     

       
547

       
571

       
 

       
            # Avoids #85794 and resolves #129838


     
···

       
553

       
577

       
 

       
                exit 11


     

       
554

       
578

       
 

       
              fi


     

       
555

       
579

       
 

       
            fi


     

       
556

       

       
-

       



     

       
557

       

       
-

       
          # Otherwise do a full run


     

       

       
580

       
+

       
          # Do a full run


     

       
558

       
581

       
 

       
          elif ! lego ${runOpts}; then


     

       
559

       
582

       
 

       
            # Produce a nice error for those doing their first nixos-rebuild with these certs


     

       
560

       
583

       
 

       
            echo Failed to fetch certificates. \


     

       
561

       
584

       
 

       
              This may mean your DNS records are set up incorrectly. \


     

       
562

       

       
-

       
              ${lib.optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."}


     

       

       
585

       
+

       
              Self-signed certs are in place and dependant services will still start.


     

       
563

       
586

       
 

       
            # Exit 10 so that users can potentially amend SuccessExitStatus to ignore this error.


     

       
564

       
587

       
 

       
            # High number to avoid Systemd reserved codes.


     

       
565

       
588

       
 

       
            exit 10


     
···

       
567

       
590

       
 

       



     

       
568

       
591

       
 

       
          mv domainhash.txt certificates/


     

       
569

       
592

       
 

       



     

       
570

       

       
-

       
          # Group might change between runs, re-apply it


     

       
571

       

       
-

       
          chown '${user}:${data.group}' certificates/*


     

       

       
593

       
+

       
          touch out/acme-success


     

       
572

       
594

       
 

       



     

       
573

       
595

       
 

       
          # Copy all certs to the "real" certs directory


     

       

       
596

       
+

       
          # lego has only an interesting subset of files available,


     

       

       
597

       
+

       
          # construct reasonably compatible files that clients can consume


     

       

       
598

       
+

       
          # as expected.


     

       
574

       
599

       
 

       
          if ! cmp -s 'certificates/${keyName}.crt' out/fullchain.pem; then


     

       
575

       
600

       
 

       
            touch out/renewed


     

       
576

       
601

       
 

       
            echo Installing new certificate


     
···

       
581

       
606

       
 

       
            cat out/key.pem out/fullchain.pem > out/full.pem


     

       
582

       
607

       
 

       
          fi


     

       
583

       
608

       
 

       



     

       
584

       

       
-

       
          # By default group will have no access to the cert files.


     

       
585

       

       
-

       
          # This chmod will fix that.


     

       
586

       

       
-

       
          chmod 640 out/*


     

       
587

       

       
-

       



     

       

       
609

       
+

       
          # Keep permissions consistent. Needs to be in sync with the other scripts.


     

       

       
610

       
+

       
          for fixpath in out certificates; do


     

       

       
611

       
+

       
            if [ -d "$fixpath" ]; then


     

       

       
612

       
+

       
              chmod -R u=rwX,g=rX,o= "$fixpath"


     

       

       
613

       
+

       
              chown -R ${user}:${data.group} "$fixpath"


     

       

       
614

       
+

       
            fi


     

       

       
615

       
+

       
          done


     

       
588

       
616

       
 

       
          # Also ensure safer permissions on the account directory.


     

       
589

       
617

       
 

       
          chmod -R u=rwX,g=,o= accounts/.


     

       
590

       
618

       
 

       
        '';


     
···

       
905

       
933

       
 

       



     

       
906

       
934

       
 

       
  options = {


     

       
907

       
935

       
 

       
    security.acme = {


     

       
908

       

       
-

       
      preliminarySelfsigned = lib.mkOption {


     

       
909

       

       
-

       
        type = lib.types.bool;


     

       
910

       

       
-

       
        default = true;


     

       
911

       

       
-

       
        description = ''


     

       
912

       

       
-

       
          Whether a preliminary self-signed certificate should be generated before


     

       
913

       

       
-

       
          doing ACME requests. This can be useful when certificates are required in


     

       
914

       

       
-

       
          a webserver, but ACME needs the webserver to make its requests.


     

       
915

       

       
-

       



     

       
916

       

       
-

       
          With preliminary self-signed certificate the webserver can be started and


     

       
917

       

       
-

       
          can later reload the correct ACME certificates.


     

       
918

       

       
-

       
        '';


     

       
919

       

       
-

       
      };


     

       
920

       

       
-

       



     

       
921

       
936

       
 

       
      acceptTerms = lib.mkOption {


     

       
922

       
937

       
 

       
        type = lib.types.bool;


     

       
923

       
938

       
 

       
        default = false;


     
···

       
1003

       
1018

       
 

       
      "ACME Directory is now hardcoded to /var/lib/acme and its permissions are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info."


     

       
1004

       
1019

       
 

       
    )


     

       
1005

       
1020

       
 

       
    (lib.mkRemovedOptionModule [ "security" "acme" "preDelay" ]


     

       
1006

       

       
-

       
      "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal"


     

       

       
1021

       
+

       
      "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service and Before=acme-\${cert}.service to the service you want to execute before the cert renewal"


     

       
1007

       
1022

       
 

       
    )


     

       
1008

       
1023

       
 

       
    (lib.mkRemovedOptionModule [ "security" "acme" "activationDelay" ]


     

       
1009

       

       
-

       
      "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal"


     

       

       
1024

       
+

       
      "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service and Before=acme-\${cert}.service to the service you want to execute before the cert renewal"


     

       

       
1025

       
+

       
    )


     

       

       
1026

       
+

       
    (lib.mkRemovedOptionModule [ "security" "acme" "preliminarySelfsigned" ]


     

       

       
1027

       
+

       
      "This option has been removed. Preliminary self-signed certificates are now always generated to simplify the dependency structure."


     

       
1010

       
1028

       
 

       
    )


     

       
1011

       
1029

       
 

       
    (lib.mkChangedOptionModule


     

       
1012

       
1030

       
 

       
      [ "security" "acme" "validMin" ]


     
···

       
1161

       
1179

       
 

       



     

       
1162

       
1180

       
 

       
      systemd.services =


     

       
1163

       
1181

       
 

       
        let


     

       
1164

       

       
-

       
          renewServiceFunctions = lib.mapAttrs' (


     

       
1165

       

       
-

       
            cert: conf: lib.nameValuePair "acme-${cert}" conf.renewService


     

       

       
1182

       
+

       
          orderRenewServiceFunctions = lib.mapAttrs' (


     

       

       
1183

       
+

       
            cert: conf: lib.nameValuePair "acme-order-renew-${cert}" conf.orderRenewService


     

       
1166

       
1184

       
 

       
          ) certConfigs;


     

       
1167

       

       
-

       
          renewServices =


     

       

       
1185

       
+

       
          orderRenewServices =


     

       
1168

       
1186

       
 

       
            if cfg.maxConcurrentRenewals > 0 then


     

       
1169

       

       
-

       
              roundRobinApplyAttrs renewServiceFunctions concurrencyLockfiles


     

       

       
1187

       
+

       
              roundRobinApplyAttrs orderRenewServiceFunctions concurrencyLockfiles


     

       
1170

       
1188

       
 

       
            else


     

       
1171

       

       
-

       
              lib.mapAttrs (_: f: f null) renewServiceFunctions;


     

       
1172

       

       
-

       
          selfsignServiceFunctions = lib.mapAttrs' (


     

       
1173

       

       
-

       
            cert: conf: lib.nameValuePair "acme-selfsigned-${cert}" conf.selfsignService


     

       

       
1189

       
+

       
              lib.mapAttrs (_: f: f null) orderRenewServiceFunctions;


     

       

       
1190

       
+

       
          baseServiceFunctions = lib.mapAttrs' (


     

       

       
1191

       
+

       
            cert: conf: lib.nameValuePair "acme-${cert}" conf.baseService


     

       
1174

       
1192

       
 

       
          ) certConfigs;


     

       
1175

       

       
-

       
          selfsignServices =


     

       

       
1193

       
+

       
          baseServices =


     

       
1176

       
1194

       
 

       
            if cfg.maxConcurrentRenewals > 0 then


     

       
1177

       

       
-

       
              roundRobinApplyAttrs selfsignServiceFunctions concurrencyLockfiles


     

       

       
1195

       
+

       
              roundRobinApplyAttrs baseServiceFunctions concurrencyLockfiles


     

       
1178

       
1196

       
 

       
            else


     

       
1179

       

       
-

       
              lib.mapAttrs (_: f: f null) selfsignServiceFunctions;


     

       

       
1197

       
+

       
              lib.mapAttrs (_: f: f null) baseServiceFunctions;


     

       
1180

       
1198

       
 

       
        in


     

       
1181

       
1199

       
 

       
        {


     

       
1182

       
1200

       
 

       
          acme-setup = setupService;


     

       
1183

       
1201

       
 

       
        }


     

       
1184

       

       
-

       
        // renewServices


     

       
1185

       

       
-

       
        // lib.optionalAttrs cfg.preliminarySelfsigned selfsignServices;


     

       

       
1202

       
+

       
        // baseServices


     

       

       
1203

       
+

       
        // orderRenewServices;


     

       
1186

       
1204

       
 

       



     

       
1187

       
1205

       
 

       
      systemd.timers = lib.mapAttrs' (


     

       
1188

       

       
-

       
        cert: conf: lib.nameValuePair "acme-${cert}" conf.renewTimer


     

       

       
1206

       
+

       
        cert: conf: lib.nameValuePair "acme-renew-${cert}" conf.renewTimer


     

       
1189

       
1207

       
 

       
      ) certConfigs;


     

       
1190

       
1208

       
 

       



     

       
1191

       
1209

       
 

       
      systemd.targets =


     

       
1192

       
1210

       
 

       
        let


     

       
1193

       

       
-

       
          # Create some targets which can be depended on to be "active" after cert renewals


     

       
1194

       

       
-

       
          finishedTargets = lib.mapAttrs' (


     

       
1195

       

       
-

       
            cert: conf:


     

       
1196

       

       
-

       
            lib.nameValuePair "acme-finished-${cert}" {


     

       
1197

       

       
-

       
              wantedBy = [ "default.target" ];


     

       
1198

       

       
-

       
              requires = [ "acme-${cert}.service" ];


     

       
1199

       

       
-

       
              after = [ "acme-${cert}.service" ];


     

       
1200

       

       
-

       
            }


     

       
1201

       

       
-

       
          ) certConfigs;


     

       
1202

       

       
-

       



     

       
1203

       
1211

       
 

       
          # Create targets to limit the number of simultaneous account creations


     

       
1204

       
1212

       
 

       
          # How it works:


     

       
1205

       
1213

       
 

       
          # - Pick a "leader" cert service, which will be in charge of creating the account,


     
···

       
1214

       
1222

       
 

       
            let


     

       
1215

       
1223

       
 

       
              dnsConfs = builtins.filter (conf: cfg.certs.${conf.cert}.dnsProvider != null) confs;


     

       
1216

       
1224

       
 

       
              leaderConf = if dnsConfs != [ ] then builtins.head dnsConfs else builtins.head confs;


     

       
1217

       

       
-

       
              leader = "acme-${leaderConf.cert}.service";


     

       
1218

       

       
-

       
              followers = map (conf: "acme-${conf.cert}.service") (


     

       

       
1225

       
+

       
              leader = "acme-order-renew-${leaderConf.cert}.service";


     

       

       
1226

       
+

       
              followers = map (conf: "acme-order-renew-${conf.cert}.service") (


     

       
1219

       
1227

       
 

       
                builtins.filter (conf: conf != leaderConf) confs


     

       
1220

       
1228

       
 

       
              );


     

       
1221

       
1229

       
 

       
            in


     
···

       
1224

       
1232

       
 

       
              before = followers;


     

       
1225

       
1233

       
 

       
              requires = [ leader ];


     

       
1226

       
1234

       
 

       
              after = [ leader ];


     

       

       
1235

       
+

       
              unitConfig.RefuseManualStart = true;


     

       
1227

       
1236

       
 

       
            }


     

       
1228

       
1237

       
 

       
          ) (lib.groupBy (conf: conf.accountHash) (lib.attrValues certConfigs));


     

       
1229

       
1238

       
 

       
        in


     

       
1230

       

       
-

       
        finishedTargets // accountTargets;


     

       

       
1239

       
+

       
        accountTargets;


     

       
1231

       
1240

       
 

       
    })


     

       
1232

       
1241

       
 

       
  ];


     

       
1233

       
1242
+1 -1
nixos/modules/services/networking/doh-server.nix 
···

       
156

       
156

       
 

       
        "network.target"


     

       
157

       
157

       
 

       
      ]


     

       
158

       
158

       
 

       
      ++ lib.optional (cfg.useACMEHost != null) "acme-${cfg.useACMEHost}.service";


     

       
159

       

       
-

       
      wants = lib.optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target";


     

       

       
159

       
+

       
      wants = lib.optional (cfg.useACMEHost != null) "acme-${cfg.useACMEHost}.service";


     

       
160

       
160

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
161

       
161

       
 

       
      serviceConfig = {


     

       
162

       
162

       
 

       
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+7 -10
nixos/modules/services/web-servers/apache-httpd/default.nix 
···

       
48

       
48

       
 

       
  ) (filter (hostOpts: hostOpts.enableACME || hostOpts.useACMEHost != null) vhosts);


     

       
49

       
49

       
 

       



     

       
50

       
50

       
 

       
  vhostCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);


     

       
51

       

       
-

       
  dependentCertNames = filter (cert: certs.${cert}.dnsProvider == null) vhostCertNames; # those that might depend on the HTTP server


     

       
52

       

       
-

       
  independentCertNames = filter (cert: certs.${cert}.dnsProvider != null) vhostCertNames; # those that don't depend on the HTTP server


     

       
53

       
51

       
 

       



     

       
54

       
52

       
 

       
  mkListenInfo =


     

       
55

       
53

       
 

       
    hostOpts:


     
···

       
914

       
912

       
 

       
    systemd.services.httpd = {


     

       
915

       
913

       
 

       
      description = "Apache HTTPD";


     

       
916

       
914

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
917

       

       
-

       
      wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) vhostCertNames);


     

       

       
915

       
+

       
      wants = concatLists (map (certName: [ "acme-${certName}.service" ]) vhostCertNames);


     

       
918

       
916

       
 

       
      after = [


     

       
919

       
917

       
 

       
        "network.target"


     

       
920

       
918

       
 

       
      ]


     

       
921

       

       
-

       
      ++ map (certName: "acme-selfsigned-${certName}.service") vhostCertNames


     

       
922

       

       
-

       
      ++ map (certName: "acme-${certName}.service") independentCertNames; # avoid loading self-signed key w/ real cert, or vice-versa


     

       
923

       

       
-

       
      before = map (certName: "acme-${certName}.service") dependentCertNames;


     

       

       
919

       
+

       
      # Ensure httpd runs with baseline certificates in place.


     

       

       
920

       
+

       
      ++ map (certName: "acme-${certName}.service") vhostCertNames;


     

       

       
921

       
+

       
      # Ensure httpd runs (with current config) before the actual ACME jobs run


     

       

       
922

       
+

       
      before = map (certName: "acme-order-renew-${certName}.service") vhostCertNames;


     

       
924

       
923

       
 

       
      restartTriggers = [ cfg.configFile ];


     

       
925

       
924

       
 

       



     

       
926

       
925

       
 

       
      path = [


     
···

       
960

       
959

       
 

       



     

       
961

       
960

       
 

       
    # postRun hooks on cert renew can't be used to restart Apache since renewal


     

       
962

       
961

       
 

       
    # runs as the unprivileged acme user. sslTargets are added to wantedBy + before


     

       
963

       

       
-

       
    # which allows the acme-finished-$cert.target to signify the successful updating


     

       

       
962

       
+

       
    # which allows the acme-order-renew-$cert.service to signify the successful updating


     

       
964

       
963

       
 

       
    # of certs end-to-end.


     

       
965

       
964

       
 

       
    systemd.services.httpd-config-reload =


     

       
966

       
965

       
 

       
      let


     

       
967

       

       
-

       
        sslServices = map (certName: "acme-${certName}.service") vhostCertNames;


     

       
968

       

       
-

       
        sslTargets = map (certName: "acme-finished-${certName}.target") vhostCertNames;


     

       

       
966

       
+

       
        sslServices = map (certName: "acme-order-renew-${certName}.service") vhostCertNames;


     

       
969

       
967

       
 

       
      in


     

       
970

       
968

       
 

       
      mkIf (vhostCertNames != [ ]) {


     

       
971

       
969

       
 

       
        wantedBy = sslServices ++ [ "multi-user.target" ];


     

       
972

       
970

       
 

       
        # Before the finished targets, after the renew services.


     

       
973

       
971

       
 

       
        # This service might be needed for HTTP-01 challenges, but we only want to confirm


     

       
974

       
972

       
 

       
        # certs are updated _after_ config has been reloaded.


     

       
975

       

       
-

       
        before = sslTargets;


     

       
976

       
973

       
 

       
        after = sslServices;


     

       
977

       
974

       
 

       
        restartTriggers = [ cfg.configFile ];


     

       
978

       
975

       
 

       
        # Block reloading if not all certs exist yet.
+4 -9
nixos/modules/services/web-servers/caddy/default.nix 
···

       
14

       
14

       
 

       
  virtualHosts = attrValues cfg.virtualHosts;


     

       
15

       
15

       
 

       
  acmeEnabledVhosts = filter (hostOpts: hostOpts.useACMEHost != null) virtualHosts;


     

       
16

       
16

       
 

       
  vhostCertNames = unique (map (hostOpts: hostOpts.useACMEHost) acmeEnabledVhosts);


     

       
17

       

       
-

       
  dependentCertNames = filter (cert: certs.${cert}.dnsProvider == null) vhostCertNames; # those that might depend on the HTTP server


     

       
18

       

       
-

       
  independentCertNames = filter (cert: certs.${cert}.dnsProvider != null) vhostCertNames; # those that don't depend on the HTTP server


     

       
19

       
17

       
 

       



     

       
20

       
18

       
 

       
  mkVHostConf =


     

       
21

       
19

       
 

       
    hostOpts:


     

       
22

       
20

       
 

       
    let


     

       
23

       

       
-

       
      sslCertDir = config.security.acme.certs.${hostOpts.useACMEHost}.directory;


     

       

       
21

       
+

       
      sslCertDir = certs.${hostOpts.useACMEHost}.directory;


     

       
24

       
22

       
 

       
    in


     

       
25

       
23

       
 

       
    ''


     

       
26

       
24

       
 

       
      ${hostOpts.hostName} ${concatStringsSep " " hostOpts.serverAliases} {


     
···

       
392

       
390

       
 

       
    ++ map (


     

       
393

       
391

       
 

       
      name:


     

       
394

       
392

       
 

       
      mkCertOwnershipAssertion {


     

       
395

       

       
-

       
        cert = config.security.acme.certs.${name};


     

       

       
393

       
+

       
        cert = certs.${name};


     

       
396

       
394

       
 

       
        groups = config.users.groups;


     

       
397

       
395

       
 

       
        services = [ config.systemd.services.caddy ];


     

       
398

       
396

       
 

       
      }


     
···

       
412

       
410

       
 

       



     

       
413

       
411

       
 

       
    systemd.packages = [ cfg.package ];


     

       
414

       
412

       
 

       
    systemd.services.caddy = {


     

       
415

       

       
-

       
      wants = map (certName: "acme-finished-${certName}.target") vhostCertNames;


     

       
416

       

       
-

       
      after =


     

       
417

       

       
-

       
        map (certName: "acme-selfsigned-${certName}.service") vhostCertNames


     

       
418

       

       
-

       
        ++ map (certName: "acme-${certName}.service") independentCertNames; # avoid loading self-signed key w/ real cert, or vice-versa


     

       
419

       

       
-

       
      before = map (certName: "acme-${certName}.service") dependentCertNames;


     

       

       
413

       
+

       
      wants = map (certName: "acme-${certName}.service") vhostCertNames;


     

       

       
414

       
+

       
      after = map (certName: "acme-${certName}.service") vhostCertNames;


     

       
420

       
415

       
 

       



     

       
421

       
416

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
422

       
417

       
 

       
      startLimitIntervalSec = 14400;
+5 -8
nixos/modules/services/web-servers/h2o/default.nix 
···

       
434

       
434

       
 

       
    systemd.services.h2o = {


     

       
435

       
435

       
 

       
      description = "H2O HTTP server";


     

       
436

       
436

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
437

       

       
-

       
      wants = lib.concatLists (map (certName: [ "acme-finished-${certName}.target" ]) acmeCertNames.all);


     

       

       
437

       
+

       
      wants = lib.concatLists (map (certName: [ "acme-${certName}.service" ]) acmeCertNames.all);


     

       
438

       
438

       
 

       
      # Since H2O will be hosting the challenges, H2O must be started


     

       
439

       

       
-

       
      before = builtins.map (certName: "acme-${certName}.service") acmeCertNames.dependent;


     

       

       
439

       
+

       
      before = builtins.map (certName: "acme-order-renew-${certName}.service") acmeCertNames.all;


     

       
440

       
440

       
 

       
      after = [


     

       
441

       
441

       
 

       
        "network.target"


     

       
442

       
442

       
 

       
      ]


     

       
443

       

       
-

       
      ++ builtins.map (certName: "acme-selfsigned-${certName}.service") acmeCertNames.all


     

       
444

       

       
-

       
      ++ builtins.map (certName: "acme-${certName}.service") acmeCertNames.independent; # avoid loading self-signed key w/ real cert, or vice-versa


     

       

       
443

       
+

       
      ++ builtins.map (certName: "acme-${certName}.service") acmeCertNames.all;


     

       
445

       
444

       
 

       



     

       
446

       
445

       
 

       
      serviceConfig = {


     

       
447

       
446

       
 

       
        ExecStart = "${h2oExe} --mode 'master'";


     
···

       
490

       
489

       
 

       



     

       
491

       
490

       
 

       
    # This service waits for all certificates to be available before reloading


     

       
492

       
491

       
 

       
    # H2O configuration. `tlsTargets` are added to `wantedBy` + `before` which


     

       
493

       

       
-

       
    # allows the `acme-finished-$cert.target` to signify the successful updating


     

       

       
492

       
+

       
    # allows the `acme-order-renew-$cert.service` to signify the successful updating


     

       
494

       
493

       
 

       
    # of certs end-to-end.


     

       
495

       
494

       
 

       
    systemd.services.h2o-config-reload =


     

       
496

       
495

       
 

       
      let


     

       
497

       

       
-

       
        tlsTargets = map (certName: "acme-${certName}.target") acmeCertNames.all;


     

       
498

       

       
-

       
        tlsServices = map (certName: "acme-${certName}.service") acmeCertNames.all;


     

       

       
496

       
+

       
        tlsServices = map (certName: "acme-order-renew-${certName}.service") acmeCertNames.all;


     

       
499

       
497

       
 

       
      in


     

       
500

       
498

       
 

       
      mkIf (acmeCertNames.all != [ ]) {


     

       
501

       
499

       
 

       
        wantedBy = tlsServices ++ [ "multi-user.target" ];


     

       
502

       

       
-

       
        before = tlsTargets;


     

       
503

       
500

       
 

       
        after = tlsServices;


     

       
504

       
501

       
 

       
        unitConfig = {


     

       
505

       
502

       
 

       
          ConditionPathExists = map (
+12 -17
nixos/modules/services/web-servers/nginx/default.nix 
···

       
15

       
15

       
 

       
    vhostConfig: vhostConfig.enableACME || vhostConfig.useACMEHost != null


     

       
16

       
16

       
 

       
  ) vhostsConfigs;


     

       
17

       
17

       
 

       
  vhostCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);


     

       
18

       

       
-

       
  dependentCertNames = filter (cert: certs.${cert}.dnsProvider == null) vhostCertNames; # those that might depend on the HTTP server


     

       
19

       

       
-

       
  independentCertNames = filter (cert: certs.${cert}.dnsProvider != null) vhostCertNames; # those that don't depend on the HTTP server


     

       
20

       
18

       
 

       
  virtualHosts = mapAttrs (


     

       
21

       
19

       
 

       
    vhostName: vhostConfig:


     

       
22

       
20

       
 

       
    let


     
···

       
442

       
440

       
 

       
                  auth_basic off;


     

       
443

       
441

       
 

       
                  auth_request off;


     

       
444

       
442

       
 

       
                  proxy_pass http://${vhost.acmeFallbackHost};


     

       

       
443

       
+

       
                  proxy_set_header Host $host;


     

       
445

       
444

       
 

       
                }


     

       
446

       
445

       
 

       
              ''}


     

       
447

       
446

       
 

       
            '';


     
···

       
1481

       
1480

       
 

       
    systemd.services.nginx = {


     

       
1482

       
1481

       
 

       
      description = "Nginx Web Server";


     

       
1483

       
1482

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
1484

       

       
-

       
      wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) vhostCertNames);


     

       

       
1483

       
+

       
      wants = concatLists (map (certName: [ "acme-${certName}.service" ]) vhostCertNames);


     

       
1485

       
1484

       
 

       
      after = [


     

       
1486

       
1485

       
 

       
        "network.target"


     

       
1487

       
1486

       
 

       
      ]


     

       
1488

       

       
-

       
      ++ map (certName: "acme-selfsigned-${certName}.service") vhostCertNames


     

       
1489

       

       
-

       
      ++ map (certName: "acme-${certName}.service") independentCertNames; # avoid loading self-signed key w/ real cert, or vice-versa


     

       
1490

       

       
-

       
      # Nginx needs to be started in order to be able to request certificates


     

       
1491

       

       
-

       
      # (it's hosting the acme challenge after all)


     

       
1492

       

       
-

       
      # This fixes https://github.com/NixOS/nixpkgs/issues/81842


     

       
1493

       

       
-

       
      before = map (certName: "acme-${certName}.service") dependentCertNames;


     

       

       
1487

       
+

       
      # Ensure nginx runs with baseline certificates in place.


     

       

       
1488

       
+

       
      ++ map (certName: "acme-${certName}.service") vhostCertNames;


     

       

       
1489

       
+

       
      # Ensure nginx runs (with current config) before the actual ACME jobs run


     

       

       
1490

       
+

       
      before = map (certName: "acme-order-renew-${certName}.service") vhostCertNames;


     

       
1494

       
1491

       
 

       
      stopIfChanged = false;


     

       
1495

       
1492

       
 

       
      preStart = ''


     

       
1496

       
1493

       
 

       
        ${cfg.preStart}


     
···

       
1585

       
1582

       
 

       
    # This service waits for all certificates to be available


     

       
1586

       
1583

       
 

       
    # before reloading nginx configuration.


     

       
1587

       
1584

       
 

       
    # sslTargets are added to wantedBy + before


     

       
1588

       

       
-

       
    # which allows the acme-finished-$cert.target to signify the successful updating


     

       

       
1585

       
+

       
    # which allows the acme-order-renew-$cert.service to signify the successful updating


     

       
1589

       
1586

       
 

       
    # of certs end-to-end.


     

       
1590

       
1587

       
 

       
    systemd.services.nginx-config-reload =


     

       
1591

       
1588

       
 

       
      let


     

       
1592

       

       
-

       
        sslServices = map (certName: "acme-${certName}.service") vhostCertNames;


     

       
1593

       

       
-

       
        sslTargets = map (certName: "acme-finished-${certName}.target") vhostCertNames;


     

       

       
1589

       
+

       
        sslOrderRenewServices = map (certName: "acme-order-renew-${certName}.service") vhostCertNames;


     

       
1594

       
1590

       
 

       
      in


     

       
1595

       
1591

       
 

       
      mkIf (cfg.enableReload || vhostCertNames != [ ]) {


     

       
1596

       
1592

       
 

       
        wants = optionals cfg.enableReload [ "nginx.service" ];


     

       
1597

       

       
-

       
        wantedBy = sslServices ++ [ "multi-user.target" ];


     

       
1598

       

       
-

       
        # Before the finished targets, after the renew services.


     

       

       
1593

       
+

       
        wantedBy = sslOrderRenewServices ++ [ "multi-user.target" ];


     

       

       
1594

       
+

       
        # XXX Before the finished targets, after the renew services.


     

       
1599

       
1595

       
 

       
        # This service might be needed for HTTP-01 challenges, but we only want to confirm


     

       
1600

       
1596

       
 

       
        # certs are updated _after_ config has been reloaded.


     

       
1601

       

       
-

       
        before = sslTargets;


     

       
1602

       

       
-

       
        after = sslServices;


     

       

       
1597

       
+

       
        after = sslOrderRenewServices;


     

       
1603

       
1598

       
 

       
        restartTriggers = optionals cfg.enableReload [ configFile ];


     

       
1604

       
1599

       
 

       
        # Block reloading if not all certs exist yet.


     

       
1605

       
1600

       
 

       
        # Happens when config changes add new vhosts/certs.


     

       
1606

       
1601

       
 

       
        unitConfig = {


     

       
1607

       

       
-

       
          ConditionPathExists = optionals (sslServices != [ ]) (


     

       

       
1602

       
+

       
          ConditionPathExists = optionals (vhostCertNames != [ ]) (


     

       
1608

       
1603

       
 

       
            map (certName: certs.${certName}.directory + "/fullchain.pem") vhostCertNames


     

       
1609

       
1604

       
 

       
          );


     

       
1610

       
1605

       
 

       
          # Disable rate limiting for this, because it may be triggered quickly a bunch of times
+5 -7
nixos/modules/services/web-servers/pomerium.nix 
···

       
72

       
72

       
 

       
        wants = [


     

       
73

       
73

       
 

       
          "network.target"


     

       
74

       
74

       
 

       
        ]


     

       
75

       

       
-

       
        ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");


     

       

       
75

       
+

       
        ++ (optional (cfg.useACMEHost != null) "acme-${cfg.useACMEHost}.service");


     

       
76

       
76

       
 

       
        after = [


     

       
77

       
77

       
 

       
          "network.target"


     

       
78

       
78

       
 

       
        ]


     

       
79

       

       
-

       
        ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");


     

       

       
79

       
+

       
        ++ (optional (cfg.useACMEHost != null) "acme-${cfg.useACMEHost}.service");


     

       
80

       
80

       
 

       
        wantedBy = [ "multi-user.target" ];


     

       
81

       
81

       
 

       
        environment = optionalAttrs (cfg.useACMEHost != null) {


     

       
82

       
82

       
 

       
          CERTIFICATE_FILE = "fullchain.pem";


     
···

       
127

       
127

       
 

       



     

       
128

       
128

       
 

       
      # postRun hooks on cert renew can't be used to restart Nginx since renewal


     

       
129

       
129

       
 

       
      # runs as the unprivileged acme user. sslTargets are added to wantedBy + before


     

       
130

       

       
-

       
      # which allows the acme-finished-$cert.target to signify the successful updating


     

       

       
130

       
+

       
      # which allows the acme-order-renew-$cert.target to signify the successful updating


     

       
131

       
131

       
 

       
      # of certs end-to-end.


     

       
132

       
132

       
 

       
      systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) {


     

       
133

       
133

       
 

       
        # TODO(lukegb): figure out how to make config reloading work with credentials.


     

       
134

       
134

       
 

       



     

       
135

       
135

       
 

       
        wantedBy = [


     

       
136

       

       
-

       
          "acme-finished-${cfg.useACMEHost}.target"


     

       

       
136

       
+

       
          "acme-order-renew-${cfg.useACMEHost}.service"


     

       
137

       
137

       
 

       
          "multi-user.target"


     

       
138

       
138

       
 

       
        ];


     

       
139

       

       
-

       
        # Before the finished targets, after the renew services.


     

       
140

       

       
-

       
        before = [ "acme-finished-${cfg.useACMEHost}.target" ];


     

       
141

       

       
-

       
        after = [ "acme-${cfg.useACMEHost}.service" ];


     

       

       
139

       
+

       
        after = [ "acme-order-renew-${cfg.useACMEHost}.service" ];


     

       
142

       
140

       
 

       
        # Block reloading if not all certs exist yet.


     

       
143

       
141

       
 

       
        unitConfig.ConditionPathExists = [


     

       
144

       
142

       
 

       
          "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem"
+9 -18
nixos/tests/acme/caddy.nix 
···

       
85

       
85

       
 

       
      ca_domain = "${nodes.acme.test-support.acme.caDomain}"


     

       
86

       
86

       
 

       
      fqdn = "${nodes.caddy.networking.fqdn}"


     

       
87

       
87

       
 

       



     

       

       
88

       
+

       
      with subtest("Boot and start with selfsigned certificates"):


     

       

       
89

       
+

       
          caddy.start()


     

       

       
90

       
+

       
          caddy.wait_for_unit("caddy.service")


     

       

       
91

       
+

       
          check_issuer(caddy, fqdn, "minica")


     

       

       
92

       
+

       
          # Check that the web server has picked up the selfsigned cert


     

       

       
93

       
+

       
          check_connection(caddy, fqdn, minica=True)


     

       

       
94

       
+

       



     

       
88

       
95

       
 

       
      acme.start()


     

       
89

       
96

       
 

       
      wait_for_running(acme)


     

       
90

       
97

       
 

       
      acme.wait_for_open_port(443)


     

       
91

       
98

       
 

       



     

       
92

       

       
-

       
      with subtest("Boot and acquire a new cert"):


     

       
93

       

       
-

       
          caddy.start()


     

       
94

       

       
-

       
          wait_for_running(caddy)


     

       
95

       

       
-

       



     

       

       
99

       
+

       
      with subtest("Acquire a new cert"):


     

       

       
100

       
+

       
          caddy.succeed(f"systemctl restart acme-{fqdn}.service")


     

       
96

       
101

       
 

       
          check_issuer(caddy, fqdn, "pebble")


     

       
97

       
102

       
 

       
          check_domain(caddy, fqdn, fqdn)


     

       
98

       

       
-

       



     

       
99

       
103

       
 

       
          download_ca_certs(caddy, ca_domain)


     

       
100

       

       
-

       
          check_connection(caddy, fqdn)


     

       
101

       

       
-

       



     

       
102

       

       
-

       
      with subtest("Can run on selfsigned certificates"):


     

       
103

       

       
-

       
          # Switch to selfsigned first


     

       
104

       

       
-

       
          caddy.succeed(f"systemctl clean acme-{fqdn}.service --what=state")


     

       
105

       

       
-

       
          caddy.succeed(f"systemctl start acme-selfsigned-{fqdn}.service")


     

       
106

       

       
-

       
          check_issuer(caddy, fqdn, "minica")


     

       
107

       

       
-

       
          caddy.succeed("systemctl restart caddy.service")


     

       
108

       

       
-

       
          # Check that the web server has picked up the selfsigned cert


     

       
109

       

       
-

       
          check_connection(caddy, fqdn, minica=True)


     

       
110

       

       
-

       
          caddy.succeed(f"systemctl start acme-{fqdn}.service")


     

       
111

       

       
-

       
          # This may fail a couple of times before caddy is restarted


     

       
112

       

       
-

       
          check_issuer(caddy, fqdn, "pebble")


     

       
113

       
104

       
 

       
          check_connection(caddy, fqdn)


     

       
114

       
105

       
 

       



     

       
115

       
106

       
 

       
      with subtest("security.acme changes reflect on caddy"):
+18 -4
nixos/tests/acme/default.nix 
···

       
1

       
1

       
 

       
{ runTest }:


     

       

       
2

       
+

       
let


     

       

       
3

       
+

       
  domain = "example.test";


     

       

       
4

       
+

       
in


     

       
2

       
5

       
 

       
{


     

       
3

       
6

       
 

       
  http01-builtin = runTest ./http01-builtin.nix;


     

       
4

       
7

       
 

       
  dns01 = runTest ./dns01.nix;


     

       
5

       
8

       
 

       
  caddy = runTest ./caddy.nix;


     

       
6

       
9

       
 

       
  nginx = runTest (


     

       
7

       
10

       
 

       
    import ./webserver.nix {


     

       

       
11

       
+

       
      inherit domain;


     

       
8

       
12

       
 

       
      serverName = "nginx";


     

       
9

       
13

       
 

       
      group = "nginx";


     

       
10

       
14

       
 

       
      baseModule = {


     
···

       
22

       
26

       
 

       
            addSSL = true;


     

       
23

       
27

       
 

       
            useACMEHost = "proxied.example.test";


     

       
24

       
28

       
 

       
            acmeFallbackHost = "localhost:8080";


     

       
25

       

       
-

       
            # lego will refuse the request if the host header is not correct


     

       
26

       

       
-

       
            extraConfig = ''


     

       
27

       

       
-

       
              proxy_set_header Host $host;


     

       
28

       

       
-

       
            '';


     

       
29

       
29

       
 

       
          };


     

       

       
30

       
+

       
        };


     

       

       
31

       
+

       
        specialisation.nullroot.configuration = {


     

       

       
32

       
+

       
          services.nginx.virtualHosts."nullroot.${domain}".acmeFallbackHost = "localhost:8081";


     

       
30

       
33

       
 

       
        };


     

       
31

       
34

       
 

       
      };


     

       
32

       
35

       
 

       
    }


     

       
33

       
36

       
 

       
  );


     

       
34

       
37

       
 

       
  httpd = runTest (


     

       
35

       
38

       
 

       
    import ./webserver.nix {


     

       

       
39

       
+

       
      inherit domain;


     

       
36

       
40

       
 

       
      serverName = "httpd";


     

       
37

       
41

       
 

       
      group = "wwwrun";


     

       
38

       
42

       
 

       
      baseModule = {


     
···

       
44

       
48

       
 

       
            useACMEHost = "proxied.example.test";


     

       
45

       
49

       
 

       
            locations."/.well-known/acme-challenge" = {


     

       
46

       
50

       
 

       
              proxyPass = "http://localhost:8080/.well-known/acme-challenge";


     

       

       
51

       
+

       
              extraConfig = ''


     

       

       
52

       
+

       
                ProxyPreserveHost On


     

       

       
53

       
+

       
              '';


     

       

       
54

       
+

       
            };


     

       

       
55

       
+

       
          };


     

       

       
56

       
+

       
        };


     

       

       
57

       
+

       
        specialisation.nullroot.configuration = {


     

       

       
58

       
+

       
          services.httpd.virtualHosts."nullroot.${domain}" = {


     

       

       
59

       
+

       
            locations."/.well-known/acme-challenge" = {


     

       

       
60

       
+

       
              proxyPass = "http://localhost:8081/.well-known/acme-challenge";


     

       
47

       
61

       
 

       
              extraConfig = ''


     

       
48

       
62

       
 

       
                ProxyPreserveHost On


     

       
49

       
63

       
 

       
              '';
+68 -7
nixos/tests/acme/http01-builtin.nix 
···

       
37

       
37

       
 

       
          listenHTTP = ":80";


     

       
38

       
38

       
 

       
        };


     

       
39

       
39

       
 

       



     

       

       
40

       
+

       
        systemd.targets."renew-triggered" = {


     

       

       
41

       
+

       
          wantedBy = [ "acme-order-renew-${config.networking.fqdn}.service" ];


     

       

       
42

       
+

       
          after = [ "acme-order-renew-${config.networking.fqdn}.service" ];


     

       

       
43

       
+

       
          unitConfig.RefuseManualStart = true;


     

       

       
44

       
+

       
        };


     

       

       
45

       
+

       



     

       
40

       
46

       
 

       
        specialisation = {


     

       
41

       
47

       
 

       
          renew.configuration = {


     

       
42

       
48

       
 

       
            # Pebble provides 5 year long certs,


     
···

       
177

       
183

       
 

       
          # old_hash will be used in the preservation tests later


     

       
178

       
184

       
 

       
          old_hash = hash


     

       
179

       
185

       
 

       
          builtin.succeed(f"systemctl start acme-{cert}.service")


     

       

       
186

       
+

       
          builtin.succeed(f"systemctl start acme-order-renew-{cert}.service")


     

       

       
187

       
+

       
          builtin.wait_for_unit("renew-triggered.target")


     

       

       
188

       
+

       



     

       
180

       
189

       
 

       
          hash_after = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem")


     

       
181

       
190

       
 

       
          assert hash == hash_after, "Certificate was unexpectedly changed"


     

       
182

       
191

       
 

       



     

       

       
192

       
+

       
          builtin.succeed("systemctl stop renew-triggered.target")


     

       
183

       
193

       
 

       
          switch_to(builtin, "renew")


     

       

       
194

       
+

       
          builtin.wait_for_unit("renew-triggered.target")


     

       

       
195

       
+

       



     

       
184

       
196

       
 

       
          check_issuer(builtin, cert, "pebble")


     

       
185

       
197

       
 

       
          hash_after = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem | tee /dev/stderr")


     

       
186

       
198

       
 

       
          assert hash != hash_after, "Certificate was not renewed"


     

       
187

       
199

       
 

       



     

       

       
200

       
+

       
          check_permissions(builtin, cert, "acme")


     

       

       
201

       
+

       



     

       
188

       
202

       
 

       
      with subtest("Handles email change correctly"):


     

       
189

       
203

       
 

       
          hash = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem")


     

       

       
204

       
+

       



     

       

       
205

       
+

       
          builtin.succeed("systemctl stop renew-triggered.target")


     

       
190

       
206

       
 

       
          switch_to(builtin, "accountchange")


     

       

       
207

       
+

       
          builtin.wait_for_unit("renew-triggered.target")


     

       

       
208

       
+

       



     

       
191

       
209

       
 

       
          check_issuer(builtin, cert, "pebble")


     

       
192

       
210

       
 

       
          # Check that there are now 2 account directories


     

       
193

       
211

       
 

       
          builtin.succeed("test $(ls -1 /var/lib/acme/.lego/accounts | tee /dev/stderr | wc -l) -eq 2")


     
···

       
202

       
220

       
 

       
          # old_hash will be used in the preservation tests later


     

       
203

       
221

       
 

       
          old_hash = hash_after


     

       
204

       
222

       
 

       



     

       

       
223

       
+

       
          check_permissions(builtin, cert, "acme")


     

       

       
224

       
+

       



     

       
205

       
225

       
 

       
      with subtest("Correctly implements OCSP stapling"):


     

       
206

       
226

       
 

       
          check_stapling(builtin, cert, "${caDomain}", fail=True)


     

       

       
227

       
+

       



     

       

       
228

       
+

       
          builtin.succeed("systemctl stop renew-triggered.target")


     

       
207

       
229

       
 

       
          switch_to(builtin, "ocsp_stapling")


     

       

       
230

       
+

       
          builtin.wait_for_unit("renew-triggered.target")


     

       

       
231

       
+

       



     

       
208

       
232

       
 

       
          check_stapling(builtin, cert, "${caDomain}")


     

       

       
233

       
+

       
          check_permissions(builtin, cert, "acme")


     

       
209

       
234

       
 

       



     

       
210

       
235

       
 

       
      with subtest("Handles keyType change correctly"):


     

       
211

       
236

       
 

       
          check_key_bits(builtin, cert, 256)


     

       

       
237

       
+

       



     

       

       
238

       
+

       
          builtin.succeed("systemctl stop renew-triggered.target")


     

       
212

       
239

       
 

       
          switch_to(builtin, "keytype")


     

       

       
240

       
+

       
          builtin.wait_for_unit("renew-triggered.target")


     

       

       
241

       
+

       



     

       
213

       
242

       
 

       
          check_key_bits(builtin, cert, 384)


     

       
214

       
243

       
 

       
          # keyType is part of the accountHash, thus a new account will be created


     

       
215

       
244

       
 

       
          builtin.succeed("test $(ls -1 /var/lib/acme/.lego/accounts | tee /dev/stderr | wc -l) -eq 2")


     

       

       
245

       
+

       
          check_permissions(builtin, cert, "acme")


     

       
216

       
246

       
 

       



     

       
217

       
247

       
 

       
      with subtest("Reuses generated, valid certs from previous configurations"):


     

       
218

       
248

       
 

       
          # Right now, the hash should not match due to the previous test


     

       
219

       
249

       
 

       
          hash = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem | tee /dev/stderr")


     

       
220

       
250

       
 

       
          assert hash != old_hash, "Expected certificate to differ"


     

       

       
251

       
+

       



     

       

       
252

       
+

       
          builtin.succeed("systemctl stop renew-triggered.target")


     

       
221

       
253

       
 

       
          switch_to(builtin, "preservation")


     

       

       
254

       
+

       
          builtin.wait_for_unit("renew-triggered.target")


     

       

       
255

       
+

       



     

       
222

       
256

       
 

       
          hash = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem | tee /dev/stderr")


     

       
223

       
257

       
 

       
          assert hash == old_hash, "Expected certificate to match from older configuration"


     

       

       
258

       
+

       
          check_permissions(builtin, cert, "acme")


     

       
224

       
259

       
 

       



     

       
225

       
260

       
 

       
      with subtest("Add a new cert, extend existing cert domains"):


     

       
226

       
261

       
 

       
          check_domain(builtin, cert, f"builtin-alt.{domain}", fail=True)


     

       

       
262

       
+

       



     

       

       
263

       
+

       
          builtin.succeed("systemctl stop renew-triggered.target")


     

       
227

       
264

       
 

       
          switch_to(builtin, "add_cert_and_domain")


     

       

       
265

       
+

       
          builtin.wait_for_unit("renew-triggered.target")


     

       

       
266

       
+

       



     

       
228

       
267

       
 

       
          check_issuer(builtin, cert, "pebble")


     

       
229

       
268

       
 

       
          check_domain(builtin, cert, f"builtin-alt.{domain}")


     

       
230

       
269

       
 

       
          check_issuer(builtin, cert2, "pebble")


     

       
231

       
270

       
 

       
          check_domain(builtin, cert2, cert2)


     

       
232

       
271

       
 

       
          # There should not be a new account folder created


     

       
233

       
272

       
 

       
          builtin.succeed("test $(ls -1 /var/lib/acme/.lego/accounts | tee /dev/stderr | wc -l) -eq 2")


     

       

       
273

       
+

       
          check_permissions(builtin, cert, "acme")


     

       

       
274

       
+

       
          check_permissions(builtin, cert2, "acme")


     

       
234

       
275

       
 

       



     

       
235

       
276

       
 

       
      with subtest("Check account hashing compatibility with pre-24.05 settings"):


     

       
236

       

       
-

       
          switch_to(builtin, "legacy_account_hash", fail=True)


     

       

       
277

       
+

       
          builtin.succeed("systemctl stop renew-triggered.target")


     

       

       
278

       
+

       
          switch_to(builtin, "legacy_account_hash"


     

       

       
279

       
+

       
          )


     

       

       
280

       
+

       
          builtin.wait_for_unit("renew-triggered.target")


     

       

       
281

       
+

       



     

       
237

       
282

       
 

       
          builtin.succeed(f"stat {legacy_account_dir} > /dev/stderr && rm -rf {legacy_account_dir}")


     

       

       
283

       
+

       
          check_permissions(builtin, cert, "acme")


     

       
238

       
284

       
 

       



     

       
239

       

       
-

       
      with subtest("Ensure Concurrency limits work"):


     

       

       
285

       
+

       
      with subtest("Ensure concurrency limits work"):


     

       

       
286

       
+

       
          builtin.succeed("systemctl stop renew-triggered.target")


     

       
240

       
287

       
 

       
          switch_to(builtin, "concurrency")


     

       

       
288

       
+

       
          builtin.wait_for_unit("renew-triggered.target")


     

       

       
289

       
+

       



     

       
241

       
290

       
 

       
          check_issuer(builtin, cert3, "pebble")


     

       
242

       
291

       
 

       
          check_domain(builtin, cert3, cert3)


     

       

       
292

       
+

       
          check_permissions(builtin, cert, "acme")


     

       

       
293

       
+

       



     

       

       
294

       
+

       
      with subtest("Can renew using a CSR"):


     

       

       
295

       
+

       
          builtin.succeed(f"systemctl stop acme-{cert}.service")


     

       

       
296

       
+

       
          builtin.succeed(f"systemctl clean acme-{cert}.service --what=state")


     

       

       
297

       
+

       



     

       

       
298

       
+

       
          builtin.succeed("systemctl stop renew-triggered.target")


     

       

       
299

       
+

       
          switch_to(builtin, "csr")


     

       

       
300

       
+

       
          builtin.wait_for_unit("renew-triggered.target")


     

       

       
301

       
+

       



     

       

       
302

       
+

       
          check_issuer(builtin, cert, "pebble")


     

       
243

       
303

       
 

       



     

       
244

       
304

       
 

       
      with subtest("Generate self-signed certs"):


     

       

       
305

       
+

       
          acme.shutdown()


     

       

       
306

       
+

       



     

       
245

       
307

       
 

       
          check_issuer(builtin, cert, "pebble")


     

       

       
308

       
+

       



     

       

       
309

       
+

       
          builtin.succeed(f"systemctl stop acme-{cert}.service")


     

       
246

       
310

       
 

       
          builtin.succeed(f"systemctl clean acme-{cert}.service --what=state")


     

       
247

       

       
-

       
          builtin.succeed(f"systemctl start acme-selfsigned-{cert}.service")


     

       

       
311

       
+

       
          builtin.succeed(f"systemctl start acme-{cert}.service")


     

       

       
312

       
+

       



     

       
248

       
313

       
 

       
          check_issuer(builtin, cert, "minica")


     

       
249

       
314

       
 

       
          check_domain(builtin, cert, cert)


     

       
250

       
315

       
 

       



     

       
251

       
316

       
 

       
      with subtest("Validate permissions (self-signed)"):


     

       
252

       
317

       
 

       
          check_permissions(builtin, cert, "acme")


     

       
253

       
318

       
 

       



     

       
254

       

       
-

       
      with subtest("Can renew using a CSR"):


     

       
255

       

       
-

       
          builtin.succeed(f"systemctl clean acme-{cert}.service --what=state")


     

       
256

       

       
-

       
          switch_to(builtin, "csr")


     

       
257

       

       
-

       
          check_issuer(builtin, cert, "pebble")


     

       
258

       
319

       
 

       
    '';


     

       
259

       
320

       
 

       
}
+33 -32
nixos/tests/acme/python-utils.py 
···

       
3

       
3

       
 

       



     

       
4

       
4

       
 

       
TOTAL_RETRIES = 20


     

       
5

       
5

       
 

       



     

       

       
6

       
+

       
# BackoffTracker provides a robust system for handling test retries


     

       

       
7

       
+

       
class BackoffTracker:


     

       

       
8

       
+

       
    delay = 1


     

       

       
9

       
+

       
    increment = 1


     

       

       
10

       
+

       



     

       

       
11

       
+

       
    def handle_fail(self, retries, message) -> int:


     

       

       
12

       
+

       
        assert retries < TOTAL_RETRIES, message


     

       

       
13

       
+

       



     

       

       
14

       
+

       
        print(f"Retrying in {self.delay}s, {retries + 1}/{TOTAL_RETRIES}")


     

       

       
15

       
+

       
        time.sleep(self.delay)


     

       

       
16

       
+

       



     

       

       
17

       
+

       
        # Only increment after the first try


     

       

       
18

       
+

       
        if retries == 0:


     

       

       
19

       
+

       
            self.delay += self.increment


     

       

       
20

       
+

       
            self.increment *= 2


     

       

       
21

       
+

       



     

       

       
22

       
+

       
        return retries + 1


     

       

       
23

       
+

       



     

       

       
24

       
+

       
    def protect(self, func):


     

       

       
25

       
+

       
        def wrapper(*args, retries: int = 0, **kwargs):


     

       

       
26

       
+

       
            try:


     

       

       
27

       
+

       
                return func(*args, **kwargs)


     

       

       
28

       
+

       
            except Exception as err:


     

       

       
29

       
+

       
                retries = self.handle_fail(retries, err.args)


     

       

       
30

       
+

       
                return wrapper(*args, retries=retries, **kwargs)


     

       

       
31

       
+

       



     

       

       
32

       
+

       
        return wrapper


     

       

       
33

       
+

       



     

       

       
34

       
+

       



     

       

       
35

       
+

       
backoff = BackoffTracker()


     

       
6

       
36

       
 

       



     

       
7

       
37

       
 

       
def run(node, cmd, fail=False):


     

       
8

       
38

       
 

       
    if fail:


     
···

       
39

       
69

       
 

       
# and matches the issuer we expect it to be.


     

       
40

       
70

       
 

       
# It's a good validation to ensure the cert.pem and fullchain.pem


     

       
41

       
71

       
 

       
# are not still selfsigned after verification


     

       

       
72

       
+

       
@backoff.protect


     

       
42

       
73

       
 

       
def check_issuer(node, cert_name, issuer) -> None:


     

       
43

       
74

       
 

       
    for fname in ("cert.pem", "fullchain.pem"):


     

       
44

       
75

       
 

       
        actual_issuer = node.succeed(


     
···

       
102

       
133

       
 

       
        f"test $({stat} /var/lib/acme/{cert_name}/*.pem"


     

       
103

       
134

       
 

       
        f" | tee /dev/stderr | grep -v '640 acme {group}' | wc -l) -eq 0"


     

       
104

       
135

       
 

       
    )


     

       

       
136

       
+

       
    node.execute(f"ls -lahR /var/lib/acme/.lego/{cert_name}/* > /dev/stderr")


     

       
105

       
137

       
 

       
    node.succeed(


     

       
106

       
138

       
 

       
        f"test $({stat} /var/lib/acme/.lego/{cert_name}/*/{cert_name}*"


     

       
107

       

       
-

       
        f" | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"


     

       

       
139

       
+

       
        f" | tee /dev/stderr | grep -v '640 acme {group}' | wc -l) -eq 0"


     

       
108

       
140

       
 

       
    )


     

       
109

       
141

       
 

       
    node.succeed(


     

       
110

       
142

       
 

       
        f"test $({stat} /var/lib/acme/{cert_name}"


     
···

       
114

       
146

       
 

       
        f"test $(find /var/lib/acme/.lego/accounts -type f -exec {stat} {{}} \\;"


     

       
115

       
147

       
 

       
        f" | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"


     

       
116

       
148

       
 

       
    )


     

       
117

       

       
-

       



     

       
118

       

       
-

       
# BackoffTracker provides a robust system for handling test retries


     

       
119

       

       
-

       
class BackoffTracker:


     

       
120

       

       
-

       
    delay = 1


     

       
121

       

       
-

       
    increment = 1


     

       
122

       

       
-

       



     

       
123

       

       
-

       
    def handle_fail(self, retries, message) -> int:


     

       
124

       

       
-

       
        assert retries < TOTAL_RETRIES, message


     

       
125

       

       
-

       



     

       
126

       

       
-

       
        print(f"Retrying in {self.delay}s, {retries + 1}/{TOTAL_RETRIES}")


     

       
127

       

       
-

       
        time.sleep(self.delay)


     

       
128

       

       
-

       



     

       
129

       

       
-

       
        # Only increment after the first try


     

       
130

       

       
-

       
        if retries == 0:


     

       
131

       

       
-

       
            self.delay += self.increment


     

       
132

       

       
-

       
            self.increment *= 2


     

       
133

       

       
-

       



     

       
134

       

       
-

       
        return retries + 1


     

       
135

       

       
-

       



     

       
136

       

       
-

       
    def protect(self, func):


     

       
137

       

       
-

       
        def wrapper(*args, retries: int = 0, **kwargs):


     

       
138

       

       
-

       
            try:


     

       
139

       

       
-

       
                return func(*args, **kwargs)


     

       
140

       

       
-

       
            except Exception as err:


     

       
141

       

       
-

       
                retries = self.handle_fail(retries, err.args)


     

       
142

       

       
-

       
                return wrapper(*args, retries=retries, **kwargs)


     

       
143

       

       
-

       



     

       
144

       

       
-

       
        return wrapper


     

       
145

       

       
-

       



     

       
146

       

       
-

       



     

       
147

       

       
-

       
backoff = BackoffTracker()


     

       
148

       
149

       
 

       



     

       
149

       
150

       
 

       



     

       
150

       
151

       
 

       
@backoff.protect
+67 -22
nixos/tests/acme/webserver.nix 
···

       
2

       
2

       
 

       
  serverName,


     

       
3

       
3

       
 

       
  group,


     

       
4

       
4

       
 

       
  baseModule,


     

       
5

       

       
-

       
  domain ? "example.test",


     

       

       
5

       
+

       
  domain,


     

       
6

       
6

       
 

       
}:


     

       
7

       
7

       
 

       
{


     

       
8

       
8

       
 

       
  config,


     
···

       
18

       
18

       
 

       
    timeout = 300;


     

       
19

       
19

       
 

       
  };


     

       
20

       
20

       
 

       



     

       

       
21

       
+

       
  interactive.sshBackdoor.enable = true;


     

       

       
22

       
+

       



     

       
21

       
23

       
 

       
  nodes = {


     

       
22

       
24

       
 

       
    # The fake ACME server which will respond to client requests


     

       
23

       
25

       
 

       
    acme =


     
···

       
45

       
47

       
 

       
          "certchange.${domain}"


     

       
46

       
48

       
 

       
          "zeroconf.${domain}"


     

       
47

       
49

       
 

       
          "zeroconf2.${domain}"


     

       

       
50

       
+

       
          "zeroconf3.${domain}"


     

       
48

       
51

       
 

       
          "nullroot.${domain}"


     

       
49

       
52

       
 

       
        ];


     

       
50

       
53

       
 

       



     
···

       
57

       
60

       
 

       
        systemd.targets."renew-triggered" = {


     

       
58

       
61

       
 

       
          wantedBy = [ "${serverName}-config-reload.service" ];


     

       
59

       
62

       
 

       
          after = [ "${serverName}-config-reload.service" ];


     

       

       
63

       
+

       
          unitConfig.RefuseManualStart = true;


     

       
60

       
64

       
 

       
        };


     

       
61

       
65

       
 

       



     

       
62

       
66

       
 

       
        security.acme.certs."proxied.${domain}" = {


     
···

       
101

       
105

       
 

       
          # Test that "acmeRoot = null" still results in


     

       
102

       
106

       
 

       
          # valid cert generation by inheriting defaults.


     

       
103

       
107

       
 

       
          nullroot.configuration = {


     

       
104

       

       
-

       
            security.acme.defaults.listenHTTP = ":8080";


     

       

       
108

       
+

       
            # The default.nix has the server-type dependent config statements


     

       

       
109

       
+

       
            # to properly set up the proxying. We need a separate port here to


     

       

       
110

       
+

       
            # avoid hostname issues with the proxy already running on :8080


     

       

       
111

       
+

       
            security.acme.defaults.listenHTTP = ":8081";


     

       
105

       
112

       
 

       
            services.${serverName}.virtualHosts."nullroot.${domain}" = {


     

       
106

       

       
-

       
              onlySSL = true;


     

       

       
113

       
+

       
              addSSL = true;


     

       
107

       
114

       
 

       
              enableACME = true;


     

       
108

       
115

       
 

       
              acmeRoot = null;


     

       
109

       
116

       
 

       
            };


     

       
110

       
117

       
 

       
          };


     

       

       
118

       
+

       



     

       

       
119

       
+

       
          # Test that a adding a second virtual host will not trigger


     

       

       
120

       
+

       
          # other units (account and renewal service for first)


     

       

       
121

       
+

       
          zeroconf3.configuration = {


     

       

       
122

       
+

       
            services.${serverName}.virtualHosts = {


     

       

       
123

       
+

       
              "zeroconf.${domain}" = {


     

       

       
124

       
+

       
                addSSL = true;


     

       

       
125

       
+

       
                enableACME = true;


     

       

       
126

       
+

       
                serverAliases = [ "zeroconf2.${domain}" ];


     

       

       
127

       
+

       
              };


     

       

       
128

       
+

       
              "zeroconf3.${domain}" = {


     

       

       
129

       
+

       
                addSSL = true;


     

       

       
130

       
+

       
                enableACME = true;


     

       

       
131

       
+

       
              };


     

       

       
132

       
+

       
            };


     

       

       
133

       
+

       
            # We're doing something risky with the combination of the service unit being persistent


     

       

       
134

       
+

       
            # that could end up that the timers do not trigger properly. Show that timers have the


     

       

       
135

       
+

       
            # desired effect.


     

       

       
136

       
+

       
            systemd.timers."acme-renew-zeroconf3.${domain}".timerConfig = {


     

       

       
137

       
+

       
              OnCalendar = lib.mkForce "*-*-* *:*:0/5";


     

       

       
138

       
+

       
              AccuracySec = lib.mkForce 0;


     

       

       
139

       
+

       
              # Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.


     

       

       
140

       
+

       
              RandomizedDelaySec = lib.mkForce 0;


     

       

       
141

       
+

       
              FixedRandomDelay = lib.mkForce 0;


     

       

       
142

       
+

       
            };


     

       

       
143

       
+

       
          };


     

       
111

       
144

       
 

       
        };


     

       
112

       
145

       
 

       
      };


     

       
113

       
146

       
 

       
  };


     
···

       
121

       
154

       
 

       
      ca_domain = "${nodes.acme.test-support.acme.caDomain}"


     

       
122

       
155

       
 

       
      fqdn = f"proxied.{domain}"


     

       
123

       
156

       
 

       



     

       

       
157

       
+

       
      webserver.start()


     

       

       
158

       
+

       
      webserver.wait_for_unit("${serverName}.service")


     

       

       
159

       
+

       



     

       

       
160

       
+

       
      with subtest("Can run on self-signed certificates"):


     

       

       
161

       
+

       
          check_issuer(webserver, fqdn, "minica")


     

       

       
162

       
+

       
          # Check that the web server has picked up the selfsigned cert


     

       

       
163

       
+

       
          check_connection(webserver, fqdn, minica=True)


     

       

       
164

       
+

       



     

       
124

       
165

       
 

       
      acme.start()


     

       
125

       
166

       
 

       
      wait_for_running(acme)


     

       
126

       
167

       
 

       
      acme.wait_for_open_port(443)


     

       
127

       
168

       
 

       



     

       
128

       
169

       
 

       
      with subtest("Acquire a cert through a proxied lego"):


     

       
129

       

       
-

       
          webserver.start()


     

       
130

       

       
-

       
          webserver.succeed("systemctl is-system-running --wait")


     

       
131

       

       
-

       
          wait_for_running(webserver)


     

       
132

       

       
-

       
          download_ca_certs(webserver, ca_domain)


     

       
133

       

       
-

       
          check_connection(webserver, fqdn)


     

       
134

       

       
-

       



     

       
135

       

       
-

       
      with subtest("Can run on selfsigned certificates"):


     

       
136

       

       
-

       
          # Switch to selfsigned first


     

       
137

       

       
-

       
          webserver.succeed(f"systemctl clean acme-{fqdn}.service --what=state")


     

       
138

       

       
-

       
          webserver.succeed(f"systemctl start acme-selfsigned-{fqdn}.service")


     

       
139

       

       
-

       
          check_issuer(webserver, fqdn, "minica")


     

       
140

       

       
-

       
          webserver.succeed("systemctl restart ${serverName}-config-reload.service")


     

       
141

       

       
-

       
          # Check that the web server has picked up the selfsigned cert


     

       
142

       

       
-

       
          check_connection(webserver, fqdn, minica=True)


     

       
143

       

       
-

       
          webserver.succeed("systemctl stop renew-triggered.target")


     

       
144

       

       
-

       
          webserver.succeed(f"systemctl start acme-{fqdn}.service")


     

       
145

       

       
-

       
          webserver.wait_for_unit("renew-triggered.target")


     

       
146

       

       
-

       
          check_issuer(webserver, fqdn, "pebble")


     

       
147

       

       
-

       
          check_connection(webserver, fqdn)


     

       

       
170

       
+

       
        webserver.succeed(f"systemctl start acme-order-renew-{fqdn}.service")


     

       

       
171

       
+

       
        webserver.wait_for_unit("renew-triggered.target")


     

       

       
172

       
+

       
        download_ca_certs(webserver, ca_domain)


     

       

       
173

       
+

       
        check_issuer(webserver, fqdn, "pebble")


     

       

       
174

       
+

       
        check_connection(webserver, fqdn)


     

       
148

       
175

       
 

       



     

       
149

       
176

       
 

       
      with subtest("security.acme changes reflect on web server part 1"):


     

       
150

       
177

       
 

       
          check_connection(webserver, f"certchange.{domain}", fail=True)


     
···

       
181

       
208

       
 

       
          switch_to(webserver, "nullroot")


     

       
182

       
209

       
 

       
          webserver.wait_for_unit("renew-triggered.target")


     

       
183

       
210

       
 

       
          check_connection(webserver, f"nullroot.{domain}")


     

       

       
211

       
+

       



     

       

       
212

       
+

       
      with subtest("Ensure that adding a second vhost does not trigger first vhost acme units"):


     

       

       
213

       
+

       
          switch_to(webserver, "zeroconf")


     

       

       
214

       
+

       
          webserver.wait_for_unit("renew-triggered.target")


     

       

       
215

       
+

       
          webserver.succeed("journalctl --cursor-file=/tmp/cursor | grep acme")


     

       

       
216

       
+

       
          switch_to(webserver, "zeroconf3")


     

       

       
217

       
+

       
          webserver.wait_for_unit("renew-triggered.target")


     

       

       
218

       
+

       
          output = webserver.succeed("journalctl --cursor-file=/tmp/cursor | grep acme")


     

       

       
219

       
+

       
          # The new certificate unit gets triggered:


     

       

       
220

       
+

       
          t.assertIn(f"acme-zeroconf3.{domain}-start", output)


     

       

       
221

       
+

       
          # The account generation should not be triggered again:


     

       

       
222

       
+

       
          t.assertNotIn("acme-account-d590213ed52603e9128d.target", output)


     

       

       
223

       
+

       
          # The other certificates should also not be triggered:


     

       

       
224

       
+

       
          t.assertNotIn(f"acme-zeroconf.{domain}-start", output)


     

       

       
225

       
+

       
          t.assertNotIn(f"acme-proxied.{domain}-start", output)


     

       

       
226

       
+

       
          # Ensure the timer works, due to our shenanigans with


     

       

       
227

       
+

       
          # RemainAfterExit=true


     

       

       
228

       
+

       
          webserver.wait_until_succeeds(f"journalctl --cursor-file=/tmp/cursor | grep 'Starting Order (and renew) ACME certificate for zeroconf3.{domain}...'")


     

       
184

       
229

       
 

       
    '';


     

       
185

       
230

       
 

       
}
+5 -4
nixos/tests/step-ca.nix 
···

       
137

       
137

       
 

       
        caserver.wait_for_unit("step-ca.service")


     

       
138

       
138

       
 

       
        caserver.wait_until_succeeds("journalctl -o cat -u step-ca.service | grep '${pkgs.step-ca.version}'")


     

       
139

       
139

       
 

       



     

       
140

       

       
-

       
        caclient.wait_for_unit("acme-finished-caclient.target")


     

       
141

       

       
-

       
        catester.succeed("curl https://caclient/ | grep \"Welcome to nginx!\"")


     

       

       
140

       
+

       
        caclient.wait_for_unit("acme-caclient.service")


     

       

       
141

       
+

       
        # The order is run asynchonously, keep trying.


     

       

       
142

       
+

       
        catester.wait_until_succeeds("curl https://caclient/ | grep \"Welcome to nginx!\"")


     

       
142

       
143

       
 

       



     

       
143

       
144

       
 

       
        caclientcaddy.wait_for_unit("caddy.service")


     

       
144

       
145

       
 

       
        # It’s hard to know when Caddy has finished the ACME dance with


     

       
145

       
146

       
 

       
        # step-ca, so we keep trying cURL until success.


     

       
146

       
147

       
 

       
        catester.wait_until_succeeds("curl https://caclientcaddy/ | grep \"Welcome to Caddy!\"")


     

       
147

       
148

       
 

       



     

       
148

       

       
-

       
        caclienth2o.wait_for_unit("acme-finished-caclienth2o.target")


     

       

       
149

       
+

       
        caclienth2o.wait_for_unit("acme-caclienth2o.service")


     

       
149

       
150

       
 

       
        caclienth2o.wait_for_unit("h2o.service")


     

       
150

       

       
-

       
        catester.succeed("curl https://caclienth2o/ | grep \"Welcome to H2O!\"")


     

       

       
151

       
+

       
        catester.wait_until_succeeds("curl https://caclienth2o/ | grep \"Welcome to H2O!\"")


     

       
151

       
152

       
 

       
      '';


     

       
152

       
153

       
 

       
  }


     

       
153

       
154

       
 

       
)