···

       
318
       
 
       


     

       
319
       
 
       
  # Now you must augment OpenSMTPD's systemd service to load

     

       
320
       
 
       
  # the certificate files.

     

       
321
       
-
       
  systemd.services.opensmtpd.requires = [ "acme-finished-mail.example.com.target" ];

     

       
322
       
 
       
  systemd.services.opensmtpd.serviceConfig.LoadCredential =

     

       
323
       
 
       
    let

     

       
324
       
 
       
      certDir = config.security.acme.certs."mail.example.com".directory;

     

···

       
318
       
 
       


     

       
319
       
 
       
  # Now you must augment OpenSMTPD's systemd service to load

     

       
320
       
 
       
  # the certificate files.

     

       
321
       
+
       
  systemd.services.opensmtpd.requires = [ "acme-mail.example.com.service" ];

     

       
322
       
 
       
  systemd.services.opensmtpd.serviceConfig.LoadCredential =

     

       
323
       
 
       
    let

     

       
324
       
 
       
      certDir = config.security.acme.certs."mail.example.com".directory;

     

···

       
160
       
 
       
  );

     

       
161
       
 
       


     

       
162
       
 
       
  # This is defined with lib.mkMerge so that we can separate the config per function.

     

       
163
       
-
       
  setupService = lib.mkMerge [

     

       
164
       
-
       
    {

     

       
165
       
-
       
      description = "Set up the ACME certificate renewal infrastructure";

     

       
166
       
-
       
      script = lib.mkBefore ''

     

       
167
       
-
       
        ${lib.optionalString cfg.defaults.enableDebugLogs "set -x"}

     

       
168
       
-
       
        set -euo pipefail

     

       
169
       
-
       
      '';

     

       
170
       
-
       
      serviceConfig = commonServiceConfig // {

     

       
171
       
-
       
        # This script runs with elevated privileges, denoted by the +

     

       
172
       
-
       
        # ExecStartPre is used instead of ExecStart so that the `script` continues to work.

     

       
173
       
-
       
        ExecStartPre = "+${lib.getExe privilegedSetupScript}";

     

       
174
       
 
       


     

       
175
       
-
       
        # We don't want this to run every time a renewal happens

     

       
176
       
-
       
        RemainAfterExit = true;

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
177
       
 
       


     

       
178
       
-
       
        # StateDirectory entries are a cleaner, service-level mechanism

     

       
179
       
-
       
        # for dealing with persistent service data

     

       
180
       
-
       
        StateDirectory = [

     

       
181
       
-
       
          "acme"

     

       
182
       
-
       
          "acme/.lego"

     

       
183
       
-
       
          "acme/.lego/accounts"

     

       
184
       
-
       
        ];

     

       
185
       
-
       
        StateDirectoryMode = "0755";

     

       
186
       
 
       


     

       
187
       
-
       
        # Creates ${lockdir}. Earlier RemainAfterExit=true means

     

       
188
       
-
       
        # it does not get deleted immediately.

     

       
189
       
-
       
        RuntimeDirectory = "acme";

     

       
190
       
-
       
        RuntimeDirectoryMode = "0700";

     

       
191
       
 
       


     

       
192
       
-
       
        # Generally, we don't write anything that should be group accessible.

     

       
193
       
-
       
        # Group varies for most ACME units, and setup files are only used

     

       
194
       
-
       
        # under the acme user.

     

       
195
       
-
       
        UMask = "0077";

     

       
196
       
-
       
      };

     

       
197
       
-
       
    }

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
198
       
 
       


     

       
199
       
-
       
    # Avoid race conditions creating the CA for selfsigned certs

     

       
200
       
-
       
    (lib.mkIf cfg.preliminarySelfsigned {

     

       
201
       
-
       
      path = [ pkgs.minica ];

     

       
202
       
-
       
      # Working directory will be /tmp

     

       
203
       
-
       
      script = ''

     

       
204
       
-
       
        test -e ca/key.pem || minica \

     

       
205
       
-
       
          --ca-key ca/key.pem \

     

       
206
       
-
       
          --ca-cert ca/cert.pem \

     

       
207
       
-
       
          --domains selfsigned.local

     

       
208
       
-
       
      '';

     

       
209
       
-
       
      serviceConfig = {

     

       
210
       
-
       
        StateDirectory = [ "acme/.minica" ];

     

       
211
       
-
       
        BindPaths = "/var/lib/acme/.minica:/tmp/ca";

     

       
212
       
-
       
      };

     

       
213
       
-
       
    })

     

       
214
       
-
       
  ];

     

       
215
       
 
       


     

       
216
       
 
       
  certToConfig =

     

       
217
       
 
       
    cert: data:

     
···

       
219
       
 
       
      acmeServer = data.server;

     

       
220
       
 
       
      useDns = data.dnsProvider != null;

     

       
221
       
 
       
      destPath = "/var/lib/acme/${cert}";

     

       
222
       
-
       
      selfsignedDeps = lib.optionals (cfg.preliminarySelfsigned) [ "acme-selfsigned-${cert}.service" ];

     

       
223
       
 
       


     

       
224
       
 
       
      # Minica and lego have a "feature" which replaces * with _. We need

     

       
225
       
 
       
      # to make this substitution to reference the output files from both programs.

     
···

       
339
       
 
       
      certificateKey = if data.csrKey != null then "${data.csrKey}" else "certificates/${keyName}.key";

     

       
340
       
 
       
    in

     

       
341
       
 
       
    {

     

       
342
       
-
       
      inherit accountHash cert selfsignedDeps;

     

       
343
       
 
       


     

       
344
       
 
       
      group = data.group;

     

       
345
       
 
       


     

       
346
       
 
       
      renewTimer = {

     

       
347
       
 
       
        description = "Renew ACME Certificate for ${cert}";

     

       
348
       
 
       
        wantedBy = [ "timers.target" ];

     

       
0
       
 
       

     

       
0
       
 
       

     

       
349
       
 
       
        timerConfig = {

     

       
350
       
 
       
          OnCalendar = data.renewInterval;

     

       
351
       
-
       
          Unit = "acme-${cert}.service";

     

       
352
       
 
       
          Persistent = "yes";

     

       
353
       
 
       


     

       
354
       
 
       
          # Allow systemd to pick a convenient time within the day

     
···

       
364
       
 
       
        };

     

       
365
       
 
       
      };

     

       
366
       
 
       


     

       
367
       
-
       
      selfsignService = lockfileName: {

     

       
368
       
-
       
        description = "Generate self-signed certificate for ${cert}";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
369
       
 
       
        after = [ "acme-setup.service" ];

     

       
370
       
-
       
        requires = [ "acme-setup.service" ];

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
371
       
 
       


     

       
372
       
 
       
        path = [ pkgs.minica ];

     

       
373
       
 
       


     

       
374
       
 
       
        unitConfig = {

     

       
375
       
-
       
          ConditionPathExists = "!/var/lib/acme/${cert}/key.pem";

     

       
376
       
 
       
          StartLimitIntervalSec = 0;

     

       
377
       
 
       
        };

     

       
378
       
 
       


     
···

       
380
       
 
       
          Group = data.group;

     

       
381
       
 
       
          UMask = "0027";

     

       
382
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
383
       
 
       
          StateDirectory = "acme/${cert}";

     

       
384
       
 
       


     

       
385
       
 
       
          BindPaths = [

     

       
386
       
 
       
            "/var/lib/acme/.minica:/tmp/ca"

     

       
387
       
-
       
            "/var/lib/acme/${cert}:/tmp/${keyName}"

     

       
388
       
 
       
          ];

     

       
389
       
 
       
        };

     

       
390
       
 
       


     
···

       
392
       
 
       
        # minica will output to a folder sharing the name of the first domain

     

       
393
       
 
       
        # in the list, which will be ${data.domain}

     

       
394
       
 
       
        script = (if (lockfileName == null) then lib.id else wrapInFlock "${lockdir}${lockfileName}") ''

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
395
       
 
       
          minica \

     

       
396
       
 
       
            --ca-key ca/key.pem \

     

       
397
       
 
       
            --ca-cert ca/cert.pem \

     

       
398
       
 
       
            --domains ${lib.escapeShellArg (builtins.concatStringsSep "," ([ data.domain ] ++ extraDomains))}

     

       
399
       
 
       


     

       
400
       
 
       
          # Create files to match directory layout for real certificates

     

       
401
       
-
       
          cd '${keyName}'

     

       
402
       
-
       
          cp ../ca/cert.pem chain.pem

     

       
403
       
-
       
          cat cert.pem chain.pem > fullchain.pem

     

       
404
       
-
       
          cat key.pem fullchain.pem > full.pem

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
405
       
 
       


     

       
406
       
-
       
          # Group might change between runs, re-apply it

     

       
407
       
-
       
          chown '${user}:${data.group}' -- *

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
408
       
 
       


     

       
409
       
-
       
          # Default permissions make the files unreadable by group + anon

     

       
410
       
-
       
          # Need to be readable by group

     

       
411
       
-
       
          chmod 640 -- *

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
412
       
 
       
        '';

     

       
413
       
 
       
      };

     

       
414
       
 
       


     

       
415
       
-
       
      renewService = lockfileName: {

     

       
416
       
-
       
        description = "Renew ACME certificate for ${cert}";

     

       
417
       
 
       
        after = [

     

       
418
       
 
       
          "network.target"

     

       
419
       
 
       
          "network-online.target"

     

       
420
       
 
       
          "acme-setup.service"

     

       
421
       
 
       
          "nss-lookup.target"

     

       
422
       
-
       
        ]

     

       
423
       
-
       
        ++ selfsignedDeps;

     

       
424
       
-
       
        wants = [ "network-online.target" ] ++ selfsignedDeps;

     

       
425
       
-
       
        requires = [ "acme-setup.service" ];

     

       
426
       
-
       


     

       
427
       
-
       
        # https://github.com/NixOS/nixpkgs/pull/81371#issuecomment-605526099

     

       
428
       
-
       
        wantedBy = lib.optionals (!config.boot.isContainer) [ "multi-user.target" ];

     

       
0
       
 
       

     

       
0
       
 
       

     

       
429
       
 
       


     

       
430
       
 
       
        path = with pkgs; [

     

       
431
       
 
       
          lego

     
···

       
523
       
 
       
            [[ $expiration_days -gt ${toString data.validMinDays} ]]

     

       
524
       
 
       
          }

     

       
525
       
 
       


     

       
526
       
-
       
          ${lib.optionalString (data.webroot != null) ''

     

       
527
       
-
       
            # Ensure the webroot exists. Fixing group is required in case configuration was changed between runs.

     

       
528
       
-
       
            # Lego will fail if the webroot does not exist at all.

     

       
529
       
-
       
            (

     

       
530
       
-
       
              mkdir -p '${data.webroot}/.well-known/acme-challenge' \

     

       
531
       
-
       
              && chgrp '${data.group}' ${data.webroot}/.well-known/acme-challenge

     

       
532
       
-
       
            ) || (

     

       
533
       
-
       
              echo 'Please ensure ${data.webroot}/.well-known/acme-challenge exists and is writable by acme:${data.group}' \

     

       
534
       
-
       
              && exit 1

     

       
535
       
-
       
            )

     

       
536
       
-
       
          ''}

     

       
537
       
-
       


     

       
538
       
 
       
          echo '${domainHash}' > domainhash.txt

     

       
539
       
 
       


     

       
540
       
-
       
          # Check if we can renew.

     

       
541
       
 
       
          # We can only renew if the list of domains has not changed.

     

       
542
       
 
       
          # We also need an account key. Avoids #190493

     

       
543
       
 
       
          if cmp -s domainhash.txt certificates/domainhash.txt && [ -e '${certificateKey}' ] && [ -e 'certificates/${keyName}.crt' ] && [ -n "$(find accounts -name '${data.email}.key')" ]; then

     

       
544
       
-
       


     

       
545
       
 
       
            # Even if a cert is not expired, it may be revoked by the CA.

     

       
546
       
 
       
            # Try to renew, and silently fail if the cert is not expired.

     

       
547
       
 
       
            # Avoids #85794 and resolves #129838

     
···

       
553
       
 
       
                exit 11

     

       
554
       
 
       
              fi

     

       
555
       
 
       
            fi

     

       
556
       
-
       


     

       
557
       
-
       
          # Otherwise do a full run

     

       
558
       
 
       
          elif ! lego ${runOpts}; then

     

       
559
       
 
       
            # Produce a nice error for those doing their first nixos-rebuild with these certs

     

       
560
       
 
       
            echo Failed to fetch certificates. \

     

       
561
       
 
       
              This may mean your DNS records are set up incorrectly. \

     

       
562
       
-
       
              ${lib.optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."}

     

       
563
       
 
       
            # Exit 10 so that users can potentially amend SuccessExitStatus to ignore this error.

     

       
564
       
 
       
            # High number to avoid Systemd reserved codes.

     

       
565
       
 
       
            exit 10

     
···

       
567
       
 
       


     

       
568
       
 
       
          mv domainhash.txt certificates/

     

       
569
       
 
       


     

       
570
       
-
       
          # Group might change between runs, re-apply it

     

       
571
       
-
       
          chown '${user}:${data.group}' certificates/*

     

       
572
       
 
       


     

       
573
       
 
       
          # Copy all certs to the "real" certs directory

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
574
       
 
       
          if ! cmp -s 'certificates/${keyName}.crt' out/fullchain.pem; then

     

       
575
       
 
       
            touch out/renewed

     

       
576
       
 
       
            echo Installing new certificate

     
···

       
581
       
 
       
            cat out/key.pem out/fullchain.pem > out/full.pem

     

       
582
       
 
       
          fi

     

       
583
       
 
       


     

       
584
       
-
       
          # By default group will have no access to the cert files.

     

       
585
       
-
       
          # This chmod will fix that.

     

       
586
       
-
       
          chmod 640 out/*

     

       
587
       
-
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
588
       
 
       
          # Also ensure safer permissions on the account directory.

     

       
589
       
 
       
          chmod -R u=rwX,g=,o= accounts/.

     

       
590
       
 
       
        '';

     
···

       
905
       
 
       


     

       
906
       
 
       
  options = {

     

       
907
       
 
       
    security.acme = {

     

       
908
       
-
       
      preliminarySelfsigned = lib.mkOption {

     

       
909
       
-
       
        type = lib.types.bool;

     

       
910
       
-
       
        default = true;

     

       
911
       
-
       
        description = ''

     

       
912
       
-
       
          Whether a preliminary self-signed certificate should be generated before

     

       
913
       
-
       
          doing ACME requests. This can be useful when certificates are required in

     

       
914
       
-
       
          a webserver, but ACME needs the webserver to make its requests.

     

       
915
       
-
       


     

       
916
       
-
       
          With preliminary self-signed certificate the webserver can be started and

     

       
917
       
-
       
          can later reload the correct ACME certificates.

     

       
918
       
-
       
        '';

     

       
919
       
-
       
      };

     

       
920
       
-
       


     

       
921
       
 
       
      acceptTerms = lib.mkOption {

     

       
922
       
 
       
        type = lib.types.bool;

     

       
923
       
 
       
        default = false;

     
···

       
1003
       
 
       
      "ACME Directory is now hardcoded to /var/lib/acme and its permissions are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info."

     

       
1004
       
 
       
    )

     

       
1005
       
 
       
    (lib.mkRemovedOptionModule [ "security" "acme" "preDelay" ]

     

       
1006
       
-
       
      "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal"

     

       
1007
       
 
       
    )

     

       
1008
       
 
       
    (lib.mkRemovedOptionModule [ "security" "acme" "activationDelay" ]

     

       
1009
       
-
       
      "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal"

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
1010
       
 
       
    )

     

       
1011
       
 
       
    (lib.mkChangedOptionModule

     

       
1012
       
 
       
      [ "security" "acme" "validMin" ]

     
···

       
1161
       
 
       


     

       
1162
       
 
       
      systemd.services =

     

       
1163
       
 
       
        let

     

       
1164
       
-
       
          renewServiceFunctions = lib.mapAttrs' (

     

       
1165
       
-
       
            cert: conf: lib.nameValuePair "acme-${cert}" conf.renewService

     

       
1166
       
 
       
          ) certConfigs;

     

       
1167
       
-
       
          renewServices =

     

       
1168
       
 
       
            if cfg.maxConcurrentRenewals > 0 then

     

       
1169
       
-
       
              roundRobinApplyAttrs renewServiceFunctions concurrencyLockfiles

     

       
1170
       
 
       
            else

     

       
1171
       
-
       
              lib.mapAttrs (_: f: f null) renewServiceFunctions;

     

       
1172
       
-
       
          selfsignServiceFunctions = lib.mapAttrs' (

     

       
1173
       
-
       
            cert: conf: lib.nameValuePair "acme-selfsigned-${cert}" conf.selfsignService

     

       
1174
       
 
       
          ) certConfigs;

     

       
1175
       
-
       
          selfsignServices =

     

       
1176
       
 
       
            if cfg.maxConcurrentRenewals > 0 then

     

       
1177
       
-
       
              roundRobinApplyAttrs selfsignServiceFunctions concurrencyLockfiles

     

       
1178
       
 
       
            else

     

       
1179
       
-
       
              lib.mapAttrs (_: f: f null) selfsignServiceFunctions;

     

       
1180
       
 
       
        in

     

       
1181
       
 
       
        {

     

       
1182
       
 
       
          acme-setup = setupService;

     

       
1183
       
 
       
        }

     

       
1184
       
-
       
        // renewServices

     

       
1185
       
-
       
        // lib.optionalAttrs cfg.preliminarySelfsigned selfsignServices;

     

       
1186
       
 
       


     

       
1187
       
 
       
      systemd.timers = lib.mapAttrs' (

     

       
1188
       
-
       
        cert: conf: lib.nameValuePair "acme-${cert}" conf.renewTimer

     

       
1189
       
 
       
      ) certConfigs;

     

       
1190
       
 
       


     

       
1191
       
 
       
      systemd.targets =

     

       
1192
       
 
       
        let

     

       
1193
       
-
       
          # Create some targets which can be depended on to be "active" after cert renewals

     

       
1194
       
-
       
          finishedTargets = lib.mapAttrs' (

     

       
1195
       
-
       
            cert: conf:

     

       
1196
       
-
       
            lib.nameValuePair "acme-finished-${cert}" {

     

       
1197
       
-
       
              wantedBy = [ "default.target" ];

     

       
1198
       
-
       
              requires = [ "acme-${cert}.service" ];

     

       
1199
       
-
       
              after = [ "acme-${cert}.service" ];

     

       
1200
       
-
       
            }

     

       
1201
       
-
       
          ) certConfigs;

     

       
1202
       
-
       


     

       
1203
       
 
       
          # Create targets to limit the number of simultaneous account creations

     

       
1204
       
 
       
          # How it works:

     

       
1205
       
 
       
          # - Pick a "leader" cert service, which will be in charge of creating the account,

     
···

       
1214
       
 
       
            let

     

       
1215
       
 
       
              dnsConfs = builtins.filter (conf: cfg.certs.${conf.cert}.dnsProvider != null) confs;

     

       
1216
       
 
       
              leaderConf = if dnsConfs != [ ] then builtins.head dnsConfs else builtins.head confs;

     

       
1217
       
-
       
              leader = "acme-${leaderConf.cert}.service";

     

       
1218
       
-
       
              followers = map (conf: "acme-${conf.cert}.service") (

     

       
1219
       
 
       
                builtins.filter (conf: conf != leaderConf) confs

     

       
1220
       
 
       
              );

     

       
1221
       
 
       
            in

     
···

       
1224
       
 
       
              before = followers;

     

       
1225
       
 
       
              requires = [ leader ];

     

       
1226
       
 
       
              after = [ leader ];

     

       
0
       
 
       

     

       
1227
       
 
       
            }

     

       
1228
       
 
       
          ) (lib.groupBy (conf: conf.accountHash) (lib.attrValues certConfigs));

     

       
1229
       
 
       
        in

     

       
1230
       
-
       
        finishedTargets // accountTargets;

     

       
1231
       
 
       
    })

     

       
1232
       
 
       
  ];

     

       
1233
       
 
       


     

···

       
160
       
 
       
  );

     

       
161
       
 
       


     

       
162
       
 
       
  # This is defined with lib.mkMerge so that we can separate the config per function.

     

       
163
       
+
       
  setupService = {

     

       
164
       
+
       
    description = "Set up the ACME certificate renewal infrastructure";

     

       
165
       
+
       
    path = [ pkgs.minica ];

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
166
       
 
       


     

       
167
       
+
       
    script = lib.mkBefore ''

     

       
168
       
+
       
      ${lib.optionalString cfg.defaults.enableDebugLogs "set -x"}

     

       
169
       
+
       
      set -euo pipefail

     

       
170
       
+
       
      test -e ca/key.pem || minica \

     

       
171
       
+
       
        --ca-key ca/key.pem \

     

       
172
       
+
       
        --ca-cert ca/cert.pem \

     

       
173
       
+
       
        --domains selfsigned.local

     

       
174
       
+
       
    '';

     

       
175
       
 
       


     

       
176
       
+
       
    serviceConfig = commonServiceConfig // {

     

       
177
       
+
       
      # This script runs with elevated privileges, denoted by the +

     

       
178
       
+
       
      # ExecStartPre is used instead of ExecStart so that the `script` continues to work.

     

       
179
       
+
       
      ExecStartPre = "+${lib.getExe privilegedSetupScript}";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
180
       
 
       


     

       
181
       
+
       
      # We don't want this to run every time a renewal happens

     

       
182
       
+
       
      RemainAfterExit = true;

     

       
0
       
 
       

     

       
0
       
 
       

     

       
183
       
 
       


     

       
184
       
+
       
      # StateDirectory entries are a cleaner, service-level mechanism

     

       
185
       
+
       
      # for dealing with persistent service data

     

       
186
       
+
       
      StateDirectory = [

     

       
187
       
+
       
        "acme"

     

       
188
       
+
       
        "acme/.lego"

     

       
189
       
+
       
        "acme/.lego/accounts"

     

       
190
       
+
       
        "acme/.minica"

     

       
191
       
+
       
      ];

     

       
192
       
+
       
      BindPaths = "/var/lib/acme/.minica:/tmp/ca";

     

       
193
       
+
       
      StateDirectoryMode = "0755";

     

       
194
       
 
       


     

       
195
       
+
       
      # Creates ${lockdir}. Earlier RemainAfterExit=true means

     

       
196
       
+
       
      # it does not get deleted immediately.

     

       
197
       
+
       
      RuntimeDirectory = "acme";

     

       
198
       
+
       
      RuntimeDirectoryMode = "0700";

     

       
199
       
+
       


     

       
200
       
+
       
      # Generally, we don't write anything that should be group accessible.

     

       
201
       
+
       
      # Group varies for most ACME units, and setup files are only used

     

       
202
       
+
       
      # under the acme user.

     

       
203
       
+
       
      UMask = "0077";

     

       
204
       
+
       
    };

     

       
205
       
+
       
  };

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
206
       
 
       


     

       
207
       
 
       
  certToConfig =

     

       
208
       
 
       
    cert: data:

     
···

       
210
       
 
       
      acmeServer = data.server;

     

       
211
       
 
       
      useDns = data.dnsProvider != null;

     

       
212
       
 
       
      destPath = "/var/lib/acme/${cert}";

     

       
0
       
 
       

     

       
213
       
 
       


     

       
214
       
 
       
      # Minica and lego have a "feature" which replaces * with _. We need

     

       
215
       
 
       
      # to make this substitution to reference the output files from both programs.

     
···

       
329
       
 
       
      certificateKey = if data.csrKey != null then "${data.csrKey}" else "certificates/${keyName}.key";

     

       
330
       
 
       
    in

     

       
331
       
 
       
    {

     

       
332
       
+
       
      inherit accountHash cert;

     

       
333
       
 
       


     

       
334
       
 
       
      group = data.group;

     

       
335
       
 
       


     

       
336
       
 
       
      renewTimer = {

     

       
337
       
 
       
        description = "Renew ACME Certificate for ${cert}";

     

       
338
       
 
       
        wantedBy = [ "timers.target" ];

     

       
339
       
+
       
        # Avoid triggering certificate renewals accidentally when running s-t-c.

     

       
340
       
+
       
        unitConfig."X-OnlyManualStart" = true;

     

       
341
       
 
       
        timerConfig = {

     

       
342
       
 
       
          OnCalendar = data.renewInterval;

     

       
343
       
+
       
          Unit = "acme-order-renew-${cert}.service";

     

       
344
       
 
       
          Persistent = "yes";

     

       
345
       
 
       


     

       
346
       
 
       
          # Allow systemd to pick a convenient time within the day

     
···

       
356
       
 
       
        };

     

       
357
       
 
       
      };

     

       
358
       
 
       


     

       
359
       
+
       
      baseService = lockfileName: {

     

       
360
       
+
       
        description = "Ensure certificate for ${cert}";

     

       
361
       
+
       


     

       
362
       
+
       
        wantedBy = [ "multi-user.target" ];

     

       
363
       
+
       


     

       
364
       
 
       
        after = [ "acme-setup.service" ];

     

       
365
       
+
       


     

       
366
       
+
       
        # Whenever this service starts (on boot, through dependencies, through

     

       
367
       
+
       
        # changes) we trigger the acme-order-renew service to give it a chance

     

       
368
       
+
       
        # to catch up with the potentially changed config.

     

       
369
       
+
       
        wants = [

     

       
370
       
+
       
          "acme-setup.service"

     

       
371
       
+
       
          "acme-order-renew-${cert}.service"

     

       
372
       
+
       
        ];

     

       
373
       
+
       
        before = [ "acme-order-renew-${cert}.service" ];

     

       
374
       
+
       


     

       
375
       
+
       
        restartTriggers = [

     

       
376
       
+
       
          config.systemd.services."acme-order-renew-${cert}".script

     

       
377
       
+
       
        ];

     

       
378
       
 
       


     

       
379
       
 
       
        path = [ pkgs.minica ];

     

       
380
       
 
       


     

       
381
       
 
       
        unitConfig = {

     

       
0
       
 
       

     

       
382
       
 
       
          StartLimitIntervalSec = 0;

     

       
383
       
 
       
        };

     

       
384
       
 
       


     
···

       
386
       
 
       
          Group = data.group;

     

       
387
       
 
       
          UMask = "0027";

     

       
388
       
 
       


     

       
389
       
+
       
          RemainAfterExit = true;

     

       
390
       
+
       


     

       
391
       
 
       
          StateDirectory = "acme/${cert}";

     

       
392
       
 
       


     

       
393
       
 
       
          BindPaths = [

     

       
394
       
 
       
            "/var/lib/acme/.minica:/tmp/ca"

     

       
395
       
+
       
            "/var/lib/acme/${cert}:/tmp/out"

     

       
396
       
 
       
          ];

     

       
397
       
 
       
        };

     

       
398
       
 
       


     
···

       
400
       
 
       
        # minica will output to a folder sharing the name of the first domain

     

       
401
       
 
       
        # in the list, which will be ${data.domain}

     

       
402
       
 
       
        script = (if (lockfileName == null) then lib.id else wrapInFlock "${lockdir}${lockfileName}") ''

     

       
403
       
+
       
          set -ex

     

       
404
       
+
       


     

       
405
       
+
       
          # Regenerate self-signed certificates (in case the SANs change) until we

     

       
406
       
+
       
          # have seen a succesfull ACME certificate at least once.

     

       
407
       
+
       
          if [ -e out/acme-success ]; then

     

       
408
       
+
       
            exit 0

     

       
409
       
+
       
          fi

     

       
410
       
+
       


     

       
411
       
 
       
          minica \

     

       
412
       
 
       
            --ca-key ca/key.pem \

     

       
413
       
 
       
            --ca-cert ca/cert.pem \

     

       
414
       
 
       
            --domains ${lib.escapeShellArg (builtins.concatStringsSep "," ([ data.domain ] ++ extraDomains))}

     

       
415
       
 
       


     

       
416
       
 
       
          # Create files to match directory layout for real certificates

     

       
417
       
+
       
          (

     

       
418
       
+
       
            cd '${keyName}'

     

       
419
       
+
       
            cp -vp cert.pem ../out/cert.pem

     

       
420
       
+
       
            cp -vp key.pem ../out/key.pem

     

       
421
       
+
       
          )

     

       
422
       
+
       
          cat out/cert.pem ca/cert.pem > out/fullchain.pem

     

       
423
       
+
       
          cp ca/cert.pem out/chain.pem

     

       
424
       
+
       
          cat out/key.pem out/fullchain.pem > out/full.pem

     

       
425
       
 
       


     

       
426
       
+
       
          # Fix up the output files to adhere to the group and

     

       
427
       
+
       
          # have consistent permissions. This needs to be kept

     

       
428
       
+
       
          # consistent with the acme-setup script above.

     

       
429
       
+
       
          for fixpath in out certificates; do

     

       
430
       
+
       
            if [ -d "$fixpath" ]; then

     

       
431
       
+
       
              chmod -R u=rwX,g=rX,o= "$fixpath"

     

       
432
       
+
       
              chown -R ${user}:${data.group} "$fixpath"

     

       
433
       
+
       
            fi

     

       
434
       
+
       
          done

     

       
435
       
 
       


     

       
436
       
+
       
          ${lib.optionalString (data.webroot != null) ''

     

       
437
       
+
       
            # Ensure the webroot exists. Fixing group is required in case configuration was changed between runs.

     

       
438
       
+
       
            # Lego will fail if the webroot does not exist at all.

     

       
439
       
+
       
            (

     

       
440
       
+
       
              mkdir -p '${data.webroot}/.well-known/acme-challenge' \

     

       
441
       
+
       
              && chgrp '${data.group}' ${data.webroot}/.well-known/acme-challenge

     

       
442
       
+
       
            ) || (

     

       
443
       
+
       
              echo 'Please ensure ${data.webroot}/.well-known/acme-challenge exists and is writable by acme:${data.group}' \

     

       
444
       
+
       
              && exit 1

     

       
445
       
+
       
            )

     

       
446
       
+
       
          ''}

     

       
447
       
 
       
        '';

     

       
448
       
 
       
      };

     

       
449
       
 
       


     

       
450
       
+
       
      orderRenewService = lockfileName: {

     

       
451
       
+
       
        description = "Order (and renew) ACME certificate for ${cert}";

     

       
452
       
 
       
        after = [

     

       
453
       
 
       
          "network.target"

     

       
454
       
 
       
          "network-online.target"

     

       
455
       
 
       
          "acme-setup.service"

     

       
456
       
 
       
          "nss-lookup.target"

     

       
457
       
+
       
          "acme-${cert}.service"

     

       
458
       
+
       
        ];

     

       
459
       
+
       
        wants = [

     

       
460
       
+
       
          "network-online.target"

     

       
461
       
+
       
          "acme-setup.service"

     

       
462
       
+
       
          "acme-${cert}.service"

     

       
463
       
+
       
        ];

     

       
464
       
+
       
        # Ensure that certificates are generated if people use `security.acme.certs`

     

       
465
       
+
       
        # without having/declaring other systemd units that depend on the cert.

     

       
466
       
 
       


     

       
467
       
 
       
        path = with pkgs; [

     

       
468
       
 
       
          lego

     
···

       
560
       
 
       
            [[ $expiration_days -gt ${toString data.validMinDays} ]]

     

       
561
       
 
       
          }

     

       
562
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
563
       
 
       
          echo '${domainHash}' > domainhash.txt

     

       
564
       
 
       


     

       
565
       
+
       
          # Check if a new order is needed

     

       
566
       
 
       
          # We can only renew if the list of domains has not changed.

     

       
567
       
 
       
          # We also need an account key. Avoids #190493

     

       
568
       
 
       
          if cmp -s domainhash.txt certificates/domainhash.txt && [ -e '${certificateKey}' ] && [ -e 'certificates/${keyName}.crt' ] && [ -n "$(find accounts -name '${data.email}.key')" ]; then

     

       
0
       
 
       

     

       
569
       
 
       
            # Even if a cert is not expired, it may be revoked by the CA.

     

       
570
       
 
       
            # Try to renew, and silently fail if the cert is not expired.

     

       
571
       
 
       
            # Avoids #85794 and resolves #129838

     
···

       
577
       
 
       
                exit 11

     

       
578
       
 
       
              fi

     

       
579
       
 
       
            fi

     

       
580
       
+
       
          # Do a full run

     

       
0
       
 
       

     

       
581
       
 
       
          elif ! lego ${runOpts}; then

     

       
582
       
 
       
            # Produce a nice error for those doing their first nixos-rebuild with these certs

     

       
583
       
 
       
            echo Failed to fetch certificates. \

     

       
584
       
 
       
              This may mean your DNS records are set up incorrectly. \

     

       
585
       
+
       
              Self-signed certs are in place and dependant services will still start.

     

       
586
       
 
       
            # Exit 10 so that users can potentially amend SuccessExitStatus to ignore this error.

     

       
587
       
 
       
            # High number to avoid Systemd reserved codes.

     

       
588
       
 
       
            exit 10

     
···

       
590
       
 
       


     

       
591
       
 
       
          mv domainhash.txt certificates/

     

       
592
       
 
       


     

       
593
       
+
       
          touch out/acme-success

     

       
0
       
 
       

     

       
594
       
 
       


     

       
595
       
 
       
          # Copy all certs to the "real" certs directory

     

       
596
       
+
       
          # lego has only an interesting subset of files available,

     

       
597
       
+
       
          # construct reasonably compatible files that clients can consume

     

       
598
       
+
       
          # as expected.

     

       
599
       
 
       
          if ! cmp -s 'certificates/${keyName}.crt' out/fullchain.pem; then

     

       
600
       
 
       
            touch out/renewed

     

       
601
       
 
       
            echo Installing new certificate

     
···

       
606
       
 
       
            cat out/key.pem out/fullchain.pem > out/full.pem

     

       
607
       
 
       
          fi

     

       
608
       
 
       


     

       
609
       
+
       
          # Keep permissions consistent. Needs to be in sync with the other scripts.

     

       
610
       
+
       
          for fixpath in out certificates; do

     

       
611
       
+
       
            if [ -d "$fixpath" ]; then

     

       
612
       
+
       
              chmod -R u=rwX,g=rX,o= "$fixpath"

     

       
613
       
+
       
              chown -R ${user}:${data.group} "$fixpath"

     

       
614
       
+
       
            fi

     

       
615
       
+
       
          done

     

       
616
       
 
       
          # Also ensure safer permissions on the account directory.

     

       
617
       
 
       
          chmod -R u=rwX,g=,o= accounts/.

     

       
618
       
 
       
        '';

     
···

       
933
       
 
       


     

       
934
       
 
       
  options = {

     

       
935
       
 
       
    security.acme = {

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
936
       
 
       
      acceptTerms = lib.mkOption {

     

       
937
       
 
       
        type = lib.types.bool;

     

       
938
       
 
       
        default = false;

     
···

       
1018
       
 
       
      "ACME Directory is now hardcoded to /var/lib/acme and its permissions are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info."

     

       
1019
       
 
       
    )

     

       
1020
       
 
       
    (lib.mkRemovedOptionModule [ "security" "acme" "preDelay" ]

     

       
1021
       
+
       
      "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service and Before=acme-\${cert}.service to the service you want to execute before the cert renewal"

     

       
1022
       
 
       
    )

     

       
1023
       
 
       
    (lib.mkRemovedOptionModule [ "security" "acme" "activationDelay" ]

     

       
1024
       
+
       
      "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service and Before=acme-\${cert}.service to the service you want to execute before the cert renewal"

     

       
1025
       
+
       
    )

     

       
1026
       
+
       
    (lib.mkRemovedOptionModule [ "security" "acme" "preliminarySelfsigned" ]

     

       
1027
       
+
       
      "This option has been removed. Preliminary self-signed certificates are now always generated to simplify the dependency structure."

     

       
1028
       
 
       
    )

     

       
1029
       
 
       
    (lib.mkChangedOptionModule

     

       
1030
       
 
       
      [ "security" "acme" "validMin" ]

     
···

       
1179
       
 
       


     

       
1180
       
 
       
      systemd.services =

     

       
1181
       
 
       
        let

     

       
1182
       
+
       
          orderRenewServiceFunctions = lib.mapAttrs' (

     

       
1183
       
+
       
            cert: conf: lib.nameValuePair "acme-order-renew-${cert}" conf.orderRenewService

     

       
1184
       
 
       
          ) certConfigs;

     

       
1185
       
+
       
          orderRenewServices =

     

       
1186
       
 
       
            if cfg.maxConcurrentRenewals > 0 then

     

       
1187
       
+
       
              roundRobinApplyAttrs orderRenewServiceFunctions concurrencyLockfiles

     

       
1188
       
 
       
            else

     

       
1189
       
+
       
              lib.mapAttrs (_: f: f null) orderRenewServiceFunctions;

     

       
1190
       
+
       
          baseServiceFunctions = lib.mapAttrs' (

     

       
1191
       
+
       
            cert: conf: lib.nameValuePair "acme-${cert}" conf.baseService

     

       
1192
       
 
       
          ) certConfigs;

     

       
1193
       
+
       
          baseServices =

     

       
1194
       
 
       
            if cfg.maxConcurrentRenewals > 0 then

     

       
1195
       
+
       
              roundRobinApplyAttrs baseServiceFunctions concurrencyLockfiles

     

       
1196
       
 
       
            else

     

       
1197
       
+
       
              lib.mapAttrs (_: f: f null) baseServiceFunctions;

     

       
1198
       
 
       
        in

     

       
1199
       
 
       
        {

     

       
1200
       
 
       
          acme-setup = setupService;

     

       
1201
       
 
       
        }

     

       
1202
       
+
       
        // baseServices

     

       
1203
       
+
       
        // orderRenewServices;

     

       
1204
       
 
       


     

       
1205
       
 
       
      systemd.timers = lib.mapAttrs' (

     

       
1206
       
+
       
        cert: conf: lib.nameValuePair "acme-renew-${cert}" conf.renewTimer

     

       
1207
       
 
       
      ) certConfigs;

     

       
1208
       
 
       


     

       
1209
       
 
       
      systemd.targets =

     

       
1210
       
 
       
        let

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
1211
       
 
       
          # Create targets to limit the number of simultaneous account creations

     

       
1212
       
 
       
          # How it works:

     

       
1213
       
 
       
          # - Pick a "leader" cert service, which will be in charge of creating the account,

     
···

       
1222
       
 
       
            let

     

       
1223
       
 
       
              dnsConfs = builtins.filter (conf: cfg.certs.${conf.cert}.dnsProvider != null) confs;

     

       
1224
       
 
       
              leaderConf = if dnsConfs != [ ] then builtins.head dnsConfs else builtins.head confs;

     

       
1225
       
+
       
              leader = "acme-order-renew-${leaderConf.cert}.service";

     

       
1226
       
+
       
              followers = map (conf: "acme-order-renew-${conf.cert}.service") (

     

       
1227
       
 
       
                builtins.filter (conf: conf != leaderConf) confs

     

       
1228
       
 
       
              );

     

       
1229
       
 
       
            in

     
···

       
1232
       
 
       
              before = followers;

     

       
1233
       
 
       
              requires = [ leader ];

     

       
1234
       
 
       
              after = [ leader ];

     

       
1235
       
+
       
              unitConfig.RefuseManualStart = true;

     

       
1236
       
 
       
            }

     

       
1237
       
 
       
          ) (lib.groupBy (conf: conf.accountHash) (lib.attrValues certConfigs));

     

       
1238
       
 
       
        in

     

       
1239
       
+
       
        accountTargets;

     

       
1240
       
 
       
    })

     

       
1241
       
 
       
  ];

     

       
1242
       
 
       


     

···

       
156
       
 
       
        "network.target"

     

       
157
       
 
       
      ]

     

       
158
       
 
       
      ++ lib.optional (cfg.useACMEHost != null) "acme-${cfg.useACMEHost}.service";

     

       
159
       
-
       
      wants = lib.optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target";

     

       
160
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
161
       
 
       
      serviceConfig = {

     

       
162
       
 
       
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";

     

···

       
156
       
 
       
        "network.target"

     

       
157
       
 
       
      ]

     

       
158
       
 
       
      ++ lib.optional (cfg.useACMEHost != null) "acme-${cfg.useACMEHost}.service";

     

       
159
       
+
       
      wants = lib.optional (cfg.useACMEHost != null) "acme-${cfg.useACMEHost}.service";

     

       
160
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
161
       
 
       
      serviceConfig = {

     

       
162
       
 
       
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";

     

···

       
48
       
 
       
  ) (filter (hostOpts: hostOpts.enableACME || hostOpts.useACMEHost != null) vhosts);

     

       
49
       
 
       


     

       
50
       
 
       
  vhostCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);

     

       
51
       
-
       
  dependentCertNames = filter (cert: certs.${cert}.dnsProvider == null) vhostCertNames; # those that might depend on the HTTP server

     

       
52
       
-
       
  independentCertNames = filter (cert: certs.${cert}.dnsProvider != null) vhostCertNames; # those that don't depend on the HTTP server

     

       
53
       
 
       


     

       
54
       
 
       
  mkListenInfo =

     

       
55
       
 
       
    hostOpts:

     
···

       
914
       
 
       
    systemd.services.httpd = {

     

       
915
       
 
       
      description = "Apache HTTPD";

     

       
916
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
917
       
-
       
      wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) vhostCertNames);

     

       
918
       
 
       
      after = [

     

       
919
       
 
       
        "network.target"

     

       
920
       
 
       
      ]

     

       
921
       
-
       
      ++ map (certName: "acme-selfsigned-${certName}.service") vhostCertNames

     

       
922
       
-
       
      ++ map (certName: "acme-${certName}.service") independentCertNames; # avoid loading self-signed key w/ real cert, or vice-versa

     

       
923
       
-
       
      before = map (certName: "acme-${certName}.service") dependentCertNames;

     

       
0
       
 
       

     

       
924
       
 
       
      restartTriggers = [ cfg.configFile ];

     

       
925
       
 
       


     

       
926
       
 
       
      path = [

     
···

       
960
       
 
       


     

       
961
       
 
       
    # postRun hooks on cert renew can't be used to restart Apache since renewal

     

       
962
       
 
       
    # runs as the unprivileged acme user. sslTargets are added to wantedBy + before

     

       
963
       
-
       
    # which allows the acme-finished-$cert.target to signify the successful updating

     

       
964
       
 
       
    # of certs end-to-end.

     

       
965
       
 
       
    systemd.services.httpd-config-reload =

     

       
966
       
 
       
      let

     

       
967
       
-
       
        sslServices = map (certName: "acme-${certName}.service") vhostCertNames;

     

       
968
       
-
       
        sslTargets = map (certName: "acme-finished-${certName}.target") vhostCertNames;

     

       
969
       
 
       
      in

     

       
970
       
 
       
      mkIf (vhostCertNames != [ ]) {

     

       
971
       
 
       
        wantedBy = sslServices ++ [ "multi-user.target" ];

     

       
972
       
 
       
        # Before the finished targets, after the renew services.

     

       
973
       
 
       
        # This service might be needed for HTTP-01 challenges, but we only want to confirm

     

       
974
       
 
       
        # certs are updated _after_ config has been reloaded.

     

       
975
       
-
       
        before = sslTargets;

     

       
976
       
 
       
        after = sslServices;

     

       
977
       
 
       
        restartTriggers = [ cfg.configFile ];

     

       
978
       
 
       
        # Block reloading if not all certs exist yet.

     

···

       
48
       
 
       
  ) (filter (hostOpts: hostOpts.enableACME || hostOpts.useACMEHost != null) vhosts);

     

       
49
       
 
       


     

       
50
       
 
       
  vhostCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);

     

       
0
       
 
       

     

       
0
       
 
       

     

       
51
       
 
       


     

       
52
       
 
       
  mkListenInfo =

     

       
53
       
 
       
    hostOpts:

     
···

       
912
       
 
       
    systemd.services.httpd = {

     

       
913
       
 
       
      description = "Apache HTTPD";

     

       
914
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
915
       
+
       
      wants = concatLists (map (certName: [ "acme-${certName}.service" ]) vhostCertNames);

     

       
916
       
 
       
      after = [

     

       
917
       
 
       
        "network.target"

     

       
918
       
 
       
      ]

     

       
919
       
+
       
      # Ensure httpd runs with baseline certificates in place.

     

       
920
       
+
       
      ++ map (certName: "acme-${certName}.service") vhostCertNames;

     

       
921
       
+
       
      # Ensure httpd runs (with current config) before the actual ACME jobs run

     

       
922
       
+
       
      before = map (certName: "acme-order-renew-${certName}.service") vhostCertNames;

     

       
923
       
 
       
      restartTriggers = [ cfg.configFile ];

     

       
924
       
 
       


     

       
925
       
 
       
      path = [

     
···

       
959
       
 
       


     

       
960
       
 
       
    # postRun hooks on cert renew can't be used to restart Apache since renewal

     

       
961
       
 
       
    # runs as the unprivileged acme user. sslTargets are added to wantedBy + before

     

       
962
       
+
       
    # which allows the acme-order-renew-$cert.service to signify the successful updating

     

       
963
       
 
       
    # of certs end-to-end.

     

       
964
       
 
       
    systemd.services.httpd-config-reload =

     

       
965
       
 
       
      let

     

       
966
       
+
       
        sslServices = map (certName: "acme-order-renew-${certName}.service") vhostCertNames;

     

       
0
       
 
       

     

       
967
       
 
       
      in

     

       
968
       
 
       
      mkIf (vhostCertNames != [ ]) {

     

       
969
       
 
       
        wantedBy = sslServices ++ [ "multi-user.target" ];

     

       
970
       
 
       
        # Before the finished targets, after the renew services.

     

       
971
       
 
       
        # This service might be needed for HTTP-01 challenges, but we only want to confirm

     

       
972
       
 
       
        # certs are updated _after_ config has been reloaded.

     

       
0
       
 
       

     

       
973
       
 
       
        after = sslServices;

     

       
974
       
 
       
        restartTriggers = [ cfg.configFile ];

     

       
975
       
 
       
        # Block reloading if not all certs exist yet.

     

···

       
14
       
 
       
  virtualHosts = attrValues cfg.virtualHosts;

     

       
15
       
 
       
  acmeEnabledVhosts = filter (hostOpts: hostOpts.useACMEHost != null) virtualHosts;

     

       
16
       
 
       
  vhostCertNames = unique (map (hostOpts: hostOpts.useACMEHost) acmeEnabledVhosts);

     

       
17
       
-
       
  dependentCertNames = filter (cert: certs.${cert}.dnsProvider == null) vhostCertNames; # those that might depend on the HTTP server

     

       
18
       
-
       
  independentCertNames = filter (cert: certs.${cert}.dnsProvider != null) vhostCertNames; # those that don't depend on the HTTP server

     

       
19
       
 
       


     

       
20
       
 
       
  mkVHostConf =

     

       
21
       
 
       
    hostOpts:

     

       
22
       
 
       
    let

     

       
23
       
-
       
      sslCertDir = config.security.acme.certs.${hostOpts.useACMEHost}.directory;

     

       
24
       
 
       
    in

     

       
25
       
 
       
    ''

     

       
26
       
 
       
      ${hostOpts.hostName} ${concatStringsSep " " hostOpts.serverAliases} {

     
···

       
392
       
 
       
    ++ map (

     

       
393
       
 
       
      name:

     

       
394
       
 
       
      mkCertOwnershipAssertion {

     

       
395
       
-
       
        cert = config.security.acme.certs.${name};

     

       
396
       
 
       
        groups = config.users.groups;

     

       
397
       
 
       
        services = [ config.systemd.services.caddy ];

     

       
398
       
 
       
      }

     
···

       
412
       
 
       


     

       
413
       
 
       
    systemd.packages = [ cfg.package ];

     

       
414
       
 
       
    systemd.services.caddy = {

     

       
415
       
-
       
      wants = map (certName: "acme-finished-${certName}.target") vhostCertNames;

     

       
416
       
-
       
      after =

     

       
417
       
-
       
        map (certName: "acme-selfsigned-${certName}.service") vhostCertNames

     

       
418
       
-
       
        ++ map (certName: "acme-${certName}.service") independentCertNames; # avoid loading self-signed key w/ real cert, or vice-versa

     

       
419
       
-
       
      before = map (certName: "acme-${certName}.service") dependentCertNames;

     

       
420
       
 
       


     

       
421
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
422
       
 
       
      startLimitIntervalSec = 14400;

     

···

       
14
       
 
       
  virtualHosts = attrValues cfg.virtualHosts;

     

       
15
       
 
       
  acmeEnabledVhosts = filter (hostOpts: hostOpts.useACMEHost != null) virtualHosts;

     

       
16
       
 
       
  vhostCertNames = unique (map (hostOpts: hostOpts.useACMEHost) acmeEnabledVhosts);

     

       
0
       
 
       

     

       
0
       
 
       

     

       
17
       
 
       


     

       
18
       
 
       
  mkVHostConf =

     

       
19
       
 
       
    hostOpts:

     

       
20
       
 
       
    let

     

       
21
       
+
       
      sslCertDir = certs.${hostOpts.useACMEHost}.directory;

     

       
22
       
 
       
    in

     

       
23
       
 
       
    ''

     

       
24
       
 
       
      ${hostOpts.hostName} ${concatStringsSep " " hostOpts.serverAliases} {

     
···

       
390
       
 
       
    ++ map (

     

       
391
       
 
       
      name:

     

       
392
       
 
       
      mkCertOwnershipAssertion {

     

       
393
       
+
       
        cert = certs.${name};

     

       
394
       
 
       
        groups = config.users.groups;

     

       
395
       
 
       
        services = [ config.systemd.services.caddy ];

     

       
396
       
 
       
      }

     
···

       
410
       
 
       


     

       
411
       
 
       
    systemd.packages = [ cfg.package ];

     

       
412
       
 
       
    systemd.services.caddy = {

     

       
413
       
+
       
      wants = map (certName: "acme-${certName}.service") vhostCertNames;

     

       
414
       
+
       
      after = map (certName: "acme-${certName}.service") vhostCertNames;

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
415
       
 
       


     

       
416
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
417
       
 
       
      startLimitIntervalSec = 14400;

     

···

       
434
       
 
       
    systemd.services.h2o = {

     

       
435
       
 
       
      description = "H2O HTTP server";

     

       
436
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
437
       
-
       
      wants = lib.concatLists (map (certName: [ "acme-finished-${certName}.target" ]) acmeCertNames.all);

     

       
438
       
 
       
      # Since H2O will be hosting the challenges, H2O must be started

     

       
439
       
-
       
      before = builtins.map (certName: "acme-${certName}.service") acmeCertNames.dependent;

     

       
440
       
 
       
      after = [

     

       
441
       
 
       
        "network.target"

     

       
442
       
 
       
      ]

     

       
443
       
-
       
      ++ builtins.map (certName: "acme-selfsigned-${certName}.service") acmeCertNames.all

     

       
444
       
-
       
      ++ builtins.map (certName: "acme-${certName}.service") acmeCertNames.independent; # avoid loading self-signed key w/ real cert, or vice-versa

     

       
445
       
 
       


     

       
446
       
 
       
      serviceConfig = {

     

       
447
       
 
       
        ExecStart = "${h2oExe} --mode 'master'";

     
···

       
490
       
 
       


     

       
491
       
 
       
    # This service waits for all certificates to be available before reloading

     

       
492
       
 
       
    # H2O configuration. `tlsTargets` are added to `wantedBy` + `before` which

     

       
493
       
-
       
    # allows the `acme-finished-$cert.target` to signify the successful updating

     

       
494
       
 
       
    # of certs end-to-end.

     

       
495
       
 
       
    systemd.services.h2o-config-reload =

     

       
496
       
 
       
      let

     

       
497
       
-
       
        tlsTargets = map (certName: "acme-${certName}.target") acmeCertNames.all;

     

       
498
       
-
       
        tlsServices = map (certName: "acme-${certName}.service") acmeCertNames.all;

     

       
499
       
 
       
      in

     

       
500
       
 
       
      mkIf (acmeCertNames.all != [ ]) {

     

       
501
       
 
       
        wantedBy = tlsServices ++ [ "multi-user.target" ];

     

       
502
       
-
       
        before = tlsTargets;

     

       
503
       
 
       
        after = tlsServices;

     

       
504
       
 
       
        unitConfig = {

     

       
505
       
 
       
          ConditionPathExists = map (

     

···

       
434
       
 
       
    systemd.services.h2o = {

     

       
435
       
 
       
      description = "H2O HTTP server";

     

       
436
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
437
       
+
       
      wants = lib.concatLists (map (certName: [ "acme-${certName}.service" ]) acmeCertNames.all);

     

       
438
       
 
       
      # Since H2O will be hosting the challenges, H2O must be started

     

       
439
       
+
       
      before = builtins.map (certName: "acme-order-renew-${certName}.service") acmeCertNames.all;

     

       
440
       
 
       
      after = [

     

       
441
       
 
       
        "network.target"

     

       
442
       
 
       
      ]

     

       
443
       
+
       
      ++ builtins.map (certName: "acme-${certName}.service") acmeCertNames.all;

     

       
0
       
 
       

     

       
444
       
 
       


     

       
445
       
 
       
      serviceConfig = {

     

       
446
       
 
       
        ExecStart = "${h2oExe} --mode 'master'";

     
···

       
489
       
 
       


     

       
490
       
 
       
    # This service waits for all certificates to be available before reloading

     

       
491
       
 
       
    # H2O configuration. `tlsTargets` are added to `wantedBy` + `before` which

     

       
492
       
+
       
    # allows the `acme-order-renew-$cert.service` to signify the successful updating

     

       
493
       
 
       
    # of certs end-to-end.

     

       
494
       
 
       
    systemd.services.h2o-config-reload =

     

       
495
       
 
       
      let

     

       
496
       
+
       
        tlsServices = map (certName: "acme-order-renew-${certName}.service") acmeCertNames.all;

     

       
0
       
 
       

     

       
497
       
 
       
      in

     

       
498
       
 
       
      mkIf (acmeCertNames.all != [ ]) {

     

       
499
       
 
       
        wantedBy = tlsServices ++ [ "multi-user.target" ];

     

       
0
       
 
       

     

       
500
       
 
       
        after = tlsServices;

     

       
501
       
 
       
        unitConfig = {

     

       
502
       
 
       
          ConditionPathExists = map (

     

···

       
15
       
 
       
    vhostConfig: vhostConfig.enableACME || vhostConfig.useACMEHost != null

     

       
16
       
 
       
  ) vhostsConfigs;

     

       
17
       
 
       
  vhostCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);

     

       
18
       
-
       
  dependentCertNames = filter (cert: certs.${cert}.dnsProvider == null) vhostCertNames; # those that might depend on the HTTP server

     

       
19
       
-
       
  independentCertNames = filter (cert: certs.${cert}.dnsProvider != null) vhostCertNames; # those that don't depend on the HTTP server

     

       
20
       
 
       
  virtualHosts = mapAttrs (

     

       
21
       
 
       
    vhostName: vhostConfig:

     

       
22
       
 
       
    let

     
···

       
442
       
 
       
                  auth_basic off;

     

       
443
       
 
       
                  auth_request off;

     

       
444
       
 
       
                  proxy_pass http://${vhost.acmeFallbackHost};

     

       
0
       
 
       

     

       
445
       
 
       
                }

     

       
446
       
 
       
              ''}

     

       
447
       
 
       
            '';

     
···

       
1481
       
 
       
    systemd.services.nginx = {

     

       
1482
       
 
       
      description = "Nginx Web Server";

     

       
1483
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
1484
       
-
       
      wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) vhostCertNames);

     

       
1485
       
 
       
      after = [

     

       
1486
       
 
       
        "network.target"

     

       
1487
       
 
       
      ]

     

       
1488
       
-
       
      ++ map (certName: "acme-selfsigned-${certName}.service") vhostCertNames

     

       
1489
       
-
       
      ++ map (certName: "acme-${certName}.service") independentCertNames; # avoid loading self-signed key w/ real cert, or vice-versa

     

       
1490
       
-
       
      # Nginx needs to be started in order to be able to request certificates

     

       
1491
       
-
       
      # (it's hosting the acme challenge after all)

     

       
1492
       
-
       
      # This fixes https://github.com/NixOS/nixpkgs/issues/81842

     

       
1493
       
-
       
      before = map (certName: "acme-${certName}.service") dependentCertNames;

     

       
1494
       
 
       
      stopIfChanged = false;

     

       
1495
       
 
       
      preStart = ''

     

       
1496
       
 
       
        ${cfg.preStart}

     
···

       
1585
       
 
       
    # This service waits for all certificates to be available

     

       
1586
       
 
       
    # before reloading nginx configuration.

     

       
1587
       
 
       
    # sslTargets are added to wantedBy + before

     

       
1588
       
-
       
    # which allows the acme-finished-$cert.target to signify the successful updating

     

       
1589
       
 
       
    # of certs end-to-end.

     

       
1590
       
 
       
    systemd.services.nginx-config-reload =

     

       
1591
       
 
       
      let

     

       
1592
       
-
       
        sslServices = map (certName: "acme-${certName}.service") vhostCertNames;

     

       
1593
       
-
       
        sslTargets = map (certName: "acme-finished-${certName}.target") vhostCertNames;

     

       
1594
       
 
       
      in

     

       
1595
       
 
       
      mkIf (cfg.enableReload || vhostCertNames != [ ]) {

     

       
1596
       
 
       
        wants = optionals cfg.enableReload [ "nginx.service" ];

     

       
1597
       
-
       
        wantedBy = sslServices ++ [ "multi-user.target" ];

     

       
1598
       
-
       
        # Before the finished targets, after the renew services.

     

       
1599
       
 
       
        # This service might be needed for HTTP-01 challenges, but we only want to confirm

     

       
1600
       
 
       
        # certs are updated _after_ config has been reloaded.

     

       
1601
       
-
       
        before = sslTargets;

     

       
1602
       
-
       
        after = sslServices;

     

       
1603
       
 
       
        restartTriggers = optionals cfg.enableReload [ configFile ];

     

       
1604
       
 
       
        # Block reloading if not all certs exist yet.

     

       
1605
       
 
       
        # Happens when config changes add new vhosts/certs.

     

       
1606
       
 
       
        unitConfig = {

     

       
1607
       
-
       
          ConditionPathExists = optionals (sslServices != [ ]) (

     

       
1608
       
 
       
            map (certName: certs.${certName}.directory + "/fullchain.pem") vhostCertNames

     

       
1609
       
 
       
          );

     

       
1610
       
 
       
          # Disable rate limiting for this, because it may be triggered quickly a bunch of times

     

···

       
15
       
 
       
    vhostConfig: vhostConfig.enableACME || vhostConfig.useACMEHost != null

     

       
16
       
 
       
  ) vhostsConfigs;

     

       
17
       
 
       
  vhostCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);

     

       
0
       
 
       

     

       
0
       
 
       

     

       
18
       
 
       
  virtualHosts = mapAttrs (

     

       
19
       
 
       
    vhostName: vhostConfig:

     

       
20
       
 
       
    let

     
···

       
440
       
 
       
                  auth_basic off;

     

       
441
       
 
       
                  auth_request off;

     

       
442
       
 
       
                  proxy_pass http://${vhost.acmeFallbackHost};

     

       
443
       
+
       
                  proxy_set_header Host $host;

     

       
444
       
 
       
                }

     

       
445
       
 
       
              ''}

     

       
446
       
 
       
            '';

     
···

       
1480
       
 
       
    systemd.services.nginx = {

     

       
1481
       
 
       
      description = "Nginx Web Server";

     

       
1482
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
1483
       
+
       
      wants = concatLists (map (certName: [ "acme-${certName}.service" ]) vhostCertNames);

     

       
1484
       
 
       
      after = [

     

       
1485
       
 
       
        "network.target"

     

       
1486
       
 
       
      ]

     

       
1487
       
+
       
      # Ensure nginx runs with baseline certificates in place.

     

       
1488
       
+
       
      ++ map (certName: "acme-${certName}.service") vhostCertNames;

     

       
1489
       
+
       
      # Ensure nginx runs (with current config) before the actual ACME jobs run

     

       
1490
       
+
       
      before = map (certName: "acme-order-renew-${certName}.service") vhostCertNames;

     

       
0
       
 
       

     

       
0
       
 
       

     

       
1491
       
 
       
      stopIfChanged = false;

     

       
1492
       
 
       
      preStart = ''

     

       
1493
       
 
       
        ${cfg.preStart}

     
···

       
1582
       
 
       
    # This service waits for all certificates to be available

     

       
1583
       
 
       
    # before reloading nginx configuration.

     

       
1584
       
 
       
    # sslTargets are added to wantedBy + before

     

       
1585
       
+
       
    # which allows the acme-order-renew-$cert.service to signify the successful updating

     

       
1586
       
 
       
    # of certs end-to-end.

     

       
1587
       
 
       
    systemd.services.nginx-config-reload =

     

       
1588
       
 
       
      let

     

       
1589
       
+
       
        sslOrderRenewServices = map (certName: "acme-order-renew-${certName}.service") vhostCertNames;

     

       
0
       
 
       

     

       
1590
       
 
       
      in

     

       
1591
       
 
       
      mkIf (cfg.enableReload || vhostCertNames != [ ]) {

     

       
1592
       
 
       
        wants = optionals cfg.enableReload [ "nginx.service" ];

     

       
1593
       
+
       
        wantedBy = sslOrderRenewServices ++ [ "multi-user.target" ];

     

       
1594
       
+
       
        # XXX Before the finished targets, after the renew services.

     

       
1595
       
 
       
        # This service might be needed for HTTP-01 challenges, but we only want to confirm

     

       
1596
       
 
       
        # certs are updated _after_ config has been reloaded.

     

       
1597
       
+
       
        after = sslOrderRenewServices;

     

       
0
       
 
       

     

       
1598
       
 
       
        restartTriggers = optionals cfg.enableReload [ configFile ];

     

       
1599
       
 
       
        # Block reloading if not all certs exist yet.

     

       
1600
       
 
       
        # Happens when config changes add new vhosts/certs.

     

       
1601
       
 
       
        unitConfig = {

     

       
1602
       
+
       
          ConditionPathExists = optionals (vhostCertNames != [ ]) (

     

       
1603
       
 
       
            map (certName: certs.${certName}.directory + "/fullchain.pem") vhostCertNames

     

       
1604
       
 
       
          );

     

       
1605
       
 
       
          # Disable rate limiting for this, because it may be triggered quickly a bunch of times

     

···

       
72
       
 
       
        wants = [

     

       
73
       
 
       
          "network.target"

     

       
74
       
 
       
        ]

     

       
75
       
-
       
        ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");

     

       
76
       
 
       
        after = [

     

       
77
       
 
       
          "network.target"

     

       
78
       
 
       
        ]

     

       
79
       
-
       
        ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");

     

       
80
       
 
       
        wantedBy = [ "multi-user.target" ];

     

       
81
       
 
       
        environment = optionalAttrs (cfg.useACMEHost != null) {

     

       
82
       
 
       
          CERTIFICATE_FILE = "fullchain.pem";

     
···

       
127
       
 
       


     

       
128
       
 
       
      # postRun hooks on cert renew can't be used to restart Nginx since renewal

     

       
129
       
 
       
      # runs as the unprivileged acme user. sslTargets are added to wantedBy + before

     

       
130
       
-
       
      # which allows the acme-finished-$cert.target to signify the successful updating

     

       
131
       
 
       
      # of certs end-to-end.

     

       
132
       
 
       
      systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) {

     

       
133
       
 
       
        # TODO(lukegb): figure out how to make config reloading work with credentials.

     

       
134
       
 
       


     

       
135
       
 
       
        wantedBy = [

     

       
136
       
-
       
          "acme-finished-${cfg.useACMEHost}.target"

     

       
137
       
 
       
          "multi-user.target"

     

       
138
       
 
       
        ];

     

       
139
       
-
       
        # Before the finished targets, after the renew services.

     

       
140
       
-
       
        before = [ "acme-finished-${cfg.useACMEHost}.target" ];

     

       
141
       
-
       
        after = [ "acme-${cfg.useACMEHost}.service" ];

     

       
142
       
 
       
        # Block reloading if not all certs exist yet.

     

       
143
       
 
       
        unitConfig.ConditionPathExists = [

     

       
144
       
 
       
          "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem"

     

···

       
72
       
 
       
        wants = [

     

       
73
       
 
       
          "network.target"

     

       
74
       
 
       
        ]

     

       
75
       
+
       
        ++ (optional (cfg.useACMEHost != null) "acme-${cfg.useACMEHost}.service");

     

       
76
       
 
       
        after = [

     

       
77
       
 
       
          "network.target"

     

       
78
       
 
       
        ]

     

       
79
       
+
       
        ++ (optional (cfg.useACMEHost != null) "acme-${cfg.useACMEHost}.service");

     

       
80
       
 
       
        wantedBy = [ "multi-user.target" ];

     

       
81
       
 
       
        environment = optionalAttrs (cfg.useACMEHost != null) {

     

       
82
       
 
       
          CERTIFICATE_FILE = "fullchain.pem";

     
···

       
127
       
 
       


     

       
128
       
 
       
      # postRun hooks on cert renew can't be used to restart Nginx since renewal

     

       
129
       
 
       
      # runs as the unprivileged acme user. sslTargets are added to wantedBy + before

     

       
130
       
+
       
      # which allows the acme-order-renew-$cert.target to signify the successful updating

     

       
131
       
 
       
      # of certs end-to-end.

     

       
132
       
 
       
      systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) {

     

       
133
       
 
       
        # TODO(lukegb): figure out how to make config reloading work with credentials.

     

       
134
       
 
       


     

       
135
       
 
       
        wantedBy = [

     

       
136
       
+
       
          "acme-order-renew-${cfg.useACMEHost}.service"

     

       
137
       
 
       
          "multi-user.target"

     

       
138
       
 
       
        ];

     

       
139
       
+
       
        after = [ "acme-order-renew-${cfg.useACMEHost}.service" ];

     

       
0
       
 
       

     

       
0
       
 
       

     

       
140
       
 
       
        # Block reloading if not all certs exist yet.

     

       
141
       
 
       
        unitConfig.ConditionPathExists = [

     

       
142
       
 
       
          "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem"

     

···

       
85
       
 
       
      ca_domain = "${nodes.acme.test-support.acme.caDomain}"

     

       
86
       
 
       
      fqdn = "${nodes.caddy.networking.fqdn}"

     

       
87
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
88
       
 
       
      acme.start()

     

       
89
       
 
       
      wait_for_running(acme)

     

       
90
       
 
       
      acme.wait_for_open_port(443)

     

       
91
       
 
       


     

       
92
       
-
       
      with subtest("Boot and acquire a new cert"):

     

       
93
       
-
       
          caddy.start()

     

       
94
       
-
       
          wait_for_running(caddy)

     

       
95
       
-
       


     

       
96
       
 
       
          check_issuer(caddy, fqdn, "pebble")

     

       
97
       
 
       
          check_domain(caddy, fqdn, fqdn)

     

       
98
       
-
       


     

       
99
       
 
       
          download_ca_certs(caddy, ca_domain)

     

       
100
       
-
       
          check_connection(caddy, fqdn)

     

       
101
       
-
       


     

       
102
       
-
       
      with subtest("Can run on selfsigned certificates"):

     

       
103
       
-
       
          # Switch to selfsigned first

     

       
104
       
-
       
          caddy.succeed(f"systemctl clean acme-{fqdn}.service --what=state")

     

       
105
       
-
       
          caddy.succeed(f"systemctl start acme-selfsigned-{fqdn}.service")

     

       
106
       
-
       
          check_issuer(caddy, fqdn, "minica")

     

       
107
       
-
       
          caddy.succeed("systemctl restart caddy.service")

     

       
108
       
-
       
          # Check that the web server has picked up the selfsigned cert

     

       
109
       
-
       
          check_connection(caddy, fqdn, minica=True)

     

       
110
       
-
       
          caddy.succeed(f"systemctl start acme-{fqdn}.service")

     

       
111
       
-
       
          # This may fail a couple of times before caddy is restarted

     

       
112
       
-
       
          check_issuer(caddy, fqdn, "pebble")

     

       
113
       
 
       
          check_connection(caddy, fqdn)

     

       
114
       
 
       


     

       
115
       
 
       
      with subtest("security.acme changes reflect on caddy"):

     

···

       
85
       
 
       
      ca_domain = "${nodes.acme.test-support.acme.caDomain}"

     

       
86
       
 
       
      fqdn = "${nodes.caddy.networking.fqdn}"

     

       
87
       
 
       


     

       
88
       
+
       
      with subtest("Boot and start with selfsigned certificates"):

     

       
89
       
+
       
          caddy.start()

     

       
90
       
+
       
          caddy.wait_for_unit("caddy.service")

     

       
91
       
+
       
          check_issuer(caddy, fqdn, "minica")

     

       
92
       
+
       
          # Check that the web server has picked up the selfsigned cert

     

       
93
       
+
       
          check_connection(caddy, fqdn, minica=True)

     

       
94
       
+
       


     

       
95
       
 
       
      acme.start()

     

       
96
       
 
       
      wait_for_running(acme)

     

       
97
       
 
       
      acme.wait_for_open_port(443)

     

       
98
       
 
       


     

       
99
       
+
       
      with subtest("Acquire a new cert"):

     

       
100
       
+
       
          caddy.succeed(f"systemctl restart acme-{fqdn}.service")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
101
       
 
       
          check_issuer(caddy, fqdn, "pebble")

     

       
102
       
 
       
          check_domain(caddy, fqdn, fqdn)

     

       
0
       
 
       

     

       
103
       
 
       
          download_ca_certs(caddy, ca_domain)

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
104
       
 
       
          check_connection(caddy, fqdn)

     

       
105
       
 
       


     

       
106
       
 
       
      with subtest("security.acme changes reflect on caddy"):

     

···

       
1
       
 
       
{ runTest }:

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
2
       
 
       
{

     

       
3
       
 
       
  http01-builtin = runTest ./http01-builtin.nix;

     

       
4
       
 
       
  dns01 = runTest ./dns01.nix;

     

       
5
       
 
       
  caddy = runTest ./caddy.nix;

     

       
6
       
 
       
  nginx = runTest (

     

       
7
       
 
       
    import ./webserver.nix {

     

       
0
       
 
       

     

       
8
       
 
       
      serverName = "nginx";

     

       
9
       
 
       
      group = "nginx";

     

       
10
       
 
       
      baseModule = {

     
···

       
22
       
 
       
            addSSL = true;

     

       
23
       
 
       
            useACMEHost = "proxied.example.test";

     

       
24
       
 
       
            acmeFallbackHost = "localhost:8080";

     

       
25
       
-
       
            # lego will refuse the request if the host header is not correct

     

       
26
       
-
       
            extraConfig = ''

     

       
27
       
-
       
              proxy_set_header Host $host;

     

       
28
       
-
       
            '';

     

       
29
       
 
       
          };

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
30
       
 
       
        };

     

       
31
       
 
       
      };

     

       
32
       
 
       
    }

     

       
33
       
 
       
  );

     

       
34
       
 
       
  httpd = runTest (

     

       
35
       
 
       
    import ./webserver.nix {

     

       
0
       
 
       

     

       
36
       
 
       
      serverName = "httpd";

     

       
37
       
 
       
      group = "wwwrun";

     

       
38
       
 
       
      baseModule = {

     
···

       
44
       
 
       
            useACMEHost = "proxied.example.test";

     

       
45
       
 
       
            locations."/.well-known/acme-challenge" = {

     

       
46
       
 
       
              proxyPass = "http://localhost:8080/.well-known/acme-challenge";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
47
       
 
       
              extraConfig = ''

     

       
48
       
 
       
                ProxyPreserveHost On

     

       
49
       
 
       
              '';

     

···

       
1
       
 
       
{ runTest }:

     

       
2
       
+
       
let

     

       
3
       
+
       
  domain = "example.test";

     

       
4
       
+
       
in

     

       
5
       
 
       
{

     

       
6
       
 
       
  http01-builtin = runTest ./http01-builtin.nix;

     

       
7
       
 
       
  dns01 = runTest ./dns01.nix;

     

       
8
       
 
       
  caddy = runTest ./caddy.nix;

     

       
9
       
 
       
  nginx = runTest (

     

       
10
       
 
       
    import ./webserver.nix {

     

       
11
       
+
       
      inherit domain;

     

       
12
       
 
       
      serverName = "nginx";

     

       
13
       
 
       
      group = "nginx";

     

       
14
       
 
       
      baseModule = {

     
···

       
26
       
 
       
            addSSL = true;

     

       
27
       
 
       
            useACMEHost = "proxied.example.test";

     

       
28
       
 
       
            acmeFallbackHost = "localhost:8080";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
29
       
 
       
          };

     

       
30
       
+
       
        };

     

       
31
       
+
       
        specialisation.nullroot.configuration = {

     

       
32
       
+
       
          services.nginx.virtualHosts."nullroot.${domain}".acmeFallbackHost = "localhost:8081";

     

       
33
       
 
       
        };

     

       
34
       
 
       
      };

     

       
35
       
 
       
    }

     

       
36
       
 
       
  );

     

       
37
       
 
       
  httpd = runTest (

     

       
38
       
 
       
    import ./webserver.nix {

     

       
39
       
+
       
      inherit domain;

     

       
40
       
 
       
      serverName = "httpd";

     

       
41
       
 
       
      group = "wwwrun";

     

       
42
       
 
       
      baseModule = {

     
···

       
48
       
 
       
            useACMEHost = "proxied.example.test";

     

       
49
       
 
       
            locations."/.well-known/acme-challenge" = {

     

       
50
       
 
       
              proxyPass = "http://localhost:8080/.well-known/acme-challenge";

     

       
51
       
+
       
              extraConfig = ''

     

       
52
       
+
       
                ProxyPreserveHost On

     

       
53
       
+
       
              '';

     

       
54
       
+
       
            };

     

       
55
       
+
       
          };

     

       
56
       
+
       
        };

     

       
57
       
+
       
        specialisation.nullroot.configuration = {

     

       
58
       
+
       
          services.httpd.virtualHosts."nullroot.${domain}" = {

     

       
59
       
+
       
            locations."/.well-known/acme-challenge" = {

     

       
60
       
+
       
              proxyPass = "http://localhost:8081/.well-known/acme-challenge";

     

       
61
       
 
       
              extraConfig = ''

     

       
62
       
 
       
                ProxyPreserveHost On

     

       
63
       
 
       
              '';

     

···

       
37
       
 
       
          listenHTTP = ":80";

     

       
38
       
 
       
        };

     

       
39
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
40
       
 
       
        specialisation = {

     

       
41
       
 
       
          renew.configuration = {

     

       
42
       
 
       
            # Pebble provides 5 year long certs,

     
···

       
177
       
 
       
          # old_hash will be used in the preservation tests later

     

       
178
       
 
       
          old_hash = hash

     

       
179
       
 
       
          builtin.succeed(f"systemctl start acme-{cert}.service")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
180
       
 
       
          hash_after = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem")

     

       
181
       
 
       
          assert hash == hash_after, "Certificate was unexpectedly changed"

     

       
182
       
 
       


     

       
0
       
 
       

     

       
183
       
 
       
          switch_to(builtin, "renew")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
184
       
 
       
          check_issuer(builtin, cert, "pebble")

     

       
185
       
 
       
          hash_after = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem | tee /dev/stderr")

     

       
186
       
 
       
          assert hash != hash_after, "Certificate was not renewed"

     

       
187
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
188
       
 
       
      with subtest("Handles email change correctly"):

     

       
189
       
 
       
          hash = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
190
       
 
       
          switch_to(builtin, "accountchange")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
191
       
 
       
          check_issuer(builtin, cert, "pebble")

     

       
192
       
 
       
          # Check that there are now 2 account directories

     

       
193
       
 
       
          builtin.succeed("test $(ls -1 /var/lib/acme/.lego/accounts | tee /dev/stderr | wc -l) -eq 2")

     
···

       
202
       
 
       
          # old_hash will be used in the preservation tests later

     

       
203
       
 
       
          old_hash = hash_after

     

       
204
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
205
       
 
       
      with subtest("Correctly implements OCSP stapling"):

     

       
206
       
 
       
          check_stapling(builtin, cert, "${caDomain}", fail=True)

     

       
0
       
 
       

     

       
0
       
 
       

     

       
207
       
 
       
          switch_to(builtin, "ocsp_stapling")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
208
       
 
       
          check_stapling(builtin, cert, "${caDomain}")

     

       
0
       
 
       

     

       
209
       
 
       


     

       
210
       
 
       
      with subtest("Handles keyType change correctly"):

     

       
211
       
 
       
          check_key_bits(builtin, cert, 256)

     

       
0
       
 
       

     

       
0
       
 
       

     

       
212
       
 
       
          switch_to(builtin, "keytype")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
213
       
 
       
          check_key_bits(builtin, cert, 384)

     

       
214
       
 
       
          # keyType is part of the accountHash, thus a new account will be created

     

       
215
       
 
       
          builtin.succeed("test $(ls -1 /var/lib/acme/.lego/accounts | tee /dev/stderr | wc -l) -eq 2")

     

       
0
       
 
       

     

       
216
       
 
       


     

       
217
       
 
       
      with subtest("Reuses generated, valid certs from previous configurations"):

     

       
218
       
 
       
          # Right now, the hash should not match due to the previous test

     

       
219
       
 
       
          hash = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem | tee /dev/stderr")

     

       
220
       
 
       
          assert hash != old_hash, "Expected certificate to differ"

     

       
0
       
 
       

     

       
0
       
 
       

     

       
221
       
 
       
          switch_to(builtin, "preservation")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
222
       
 
       
          hash = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem | tee /dev/stderr")

     

       
223
       
 
       
          assert hash == old_hash, "Expected certificate to match from older configuration"

     

       
0
       
 
       

     

       
224
       
 
       


     

       
225
       
 
       
      with subtest("Add a new cert, extend existing cert domains"):

     

       
226
       
 
       
          check_domain(builtin, cert, f"builtin-alt.{domain}", fail=True)

     

       
0
       
 
       

     

       
0
       
 
       

     

       
227
       
 
       
          switch_to(builtin, "add_cert_and_domain")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
228
       
 
       
          check_issuer(builtin, cert, "pebble")

     

       
229
       
 
       
          check_domain(builtin, cert, f"builtin-alt.{domain}")

     

       
230
       
 
       
          check_issuer(builtin, cert2, "pebble")

     

       
231
       
 
       
          check_domain(builtin, cert2, cert2)

     

       
232
       
 
       
          # There should not be a new account folder created

     

       
233
       
 
       
          builtin.succeed("test $(ls -1 /var/lib/acme/.lego/accounts | tee /dev/stderr | wc -l) -eq 2")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
234
       
 
       


     

       
235
       
 
       
      with subtest("Check account hashing compatibility with pre-24.05 settings"):

     

       
236
       
-
       
          switch_to(builtin, "legacy_account_hash", fail=True)

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
237
       
 
       
          builtin.succeed(f"stat {legacy_account_dir} > /dev/stderr && rm -rf {legacy_account_dir}")

     

       
0
       
 
       

     

       
238
       
 
       


     

       
239
       
-
       
      with subtest("Ensure Concurrency limits work"):

     

       
0
       
 
       

     

       
240
       
 
       
          switch_to(builtin, "concurrency")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
241
       
 
       
          check_issuer(builtin, cert3, "pebble")

     

       
242
       
 
       
          check_domain(builtin, cert3, cert3)

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
243
       
 
       


     

       
244
       
 
       
      with subtest("Generate self-signed certs"):

     

       
0
       
 
       

     

       
0
       
 
       

     

       
245
       
 
       
          check_issuer(builtin, cert, "pebble")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
246
       
 
       
          builtin.succeed(f"systemctl clean acme-{cert}.service --what=state")

     

       
247
       
-
       
          builtin.succeed(f"systemctl start acme-selfsigned-{cert}.service")

     

       
0
       
 
       

     

       
248
       
 
       
          check_issuer(builtin, cert, "minica")

     

       
249
       
 
       
          check_domain(builtin, cert, cert)

     

       
250
       
 
       


     

       
251
       
 
       
      with subtest("Validate permissions (self-signed)"):

     

       
252
       
 
       
          check_permissions(builtin, cert, "acme")

     

       
253
       
 
       


     

       
254
       
-
       
      with subtest("Can renew using a CSR"):

     

       
255
       
-
       
          builtin.succeed(f"systemctl clean acme-{cert}.service --what=state")

     

       
256
       
-
       
          switch_to(builtin, "csr")

     

       
257
       
-
       
          check_issuer(builtin, cert, "pebble")

     

       
258
       
 
       
    '';

     

       
259
       
 
       
}

     

···

       
37
       
 
       
          listenHTTP = ":80";

     

       
38
       
 
       
        };

     

       
39
       
 
       


     

       
40
       
+
       
        systemd.targets."renew-triggered" = {

     

       
41
       
+
       
          wantedBy = [ "acme-order-renew-${config.networking.fqdn}.service" ];

     

       
42
       
+
       
          after = [ "acme-order-renew-${config.networking.fqdn}.service" ];

     

       
43
       
+
       
          unitConfig.RefuseManualStart = true;

     

       
44
       
+
       
        };

     

       
45
       
+
       


     

       
46
       
 
       
        specialisation = {

     

       
47
       
 
       
          renew.configuration = {

     

       
48
       
 
       
            # Pebble provides 5 year long certs,

     
···

       
183
       
 
       
          # old_hash will be used in the preservation tests later

     

       
184
       
 
       
          old_hash = hash

     

       
185
       
 
       
          builtin.succeed(f"systemctl start acme-{cert}.service")

     

       
186
       
+
       
          builtin.succeed(f"systemctl start acme-order-renew-{cert}.service")

     

       
187
       
+
       
          builtin.wait_for_unit("renew-triggered.target")

     

       
188
       
+
       


     

       
189
       
 
       
          hash_after = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem")

     

       
190
       
 
       
          assert hash == hash_after, "Certificate was unexpectedly changed"

     

       
191
       
 
       


     

       
192
       
+
       
          builtin.succeed("systemctl stop renew-triggered.target")

     

       
193
       
 
       
          switch_to(builtin, "renew")

     

       
194
       
+
       
          builtin.wait_for_unit("renew-triggered.target")

     

       
195
       
+
       


     

       
196
       
 
       
          check_issuer(builtin, cert, "pebble")

     

       
197
       
 
       
          hash_after = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem | tee /dev/stderr")

     

       
198
       
 
       
          assert hash != hash_after, "Certificate was not renewed"

     

       
199
       
 
       


     

       
200
       
+
       
          check_permissions(builtin, cert, "acme")

     

       
201
       
+
       


     

       
202
       
 
       
      with subtest("Handles email change correctly"):

     

       
203
       
 
       
          hash = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem")

     

       
204
       
+
       


     

       
205
       
+
       
          builtin.succeed("systemctl stop renew-triggered.target")

     

       
206
       
 
       
          switch_to(builtin, "accountchange")

     

       
207
       
+
       
          builtin.wait_for_unit("renew-triggered.target")

     

       
208
       
+
       


     

       
209
       
 
       
          check_issuer(builtin, cert, "pebble")

     

       
210
       
 
       
          # Check that there are now 2 account directories

     

       
211
       
 
       
          builtin.succeed("test $(ls -1 /var/lib/acme/.lego/accounts | tee /dev/stderr | wc -l) -eq 2")

     
···

       
220
       
 
       
          # old_hash will be used in the preservation tests later

     

       
221
       
 
       
          old_hash = hash_after

     

       
222
       
 
       


     

       
223
       
+
       
          check_permissions(builtin, cert, "acme")

     

       
224
       
+
       


     

       
225
       
 
       
      with subtest("Correctly implements OCSP stapling"):

     

       
226
       
 
       
          check_stapling(builtin, cert, "${caDomain}", fail=True)

     

       
227
       
+
       


     

       
228
       
+
       
          builtin.succeed("systemctl stop renew-triggered.target")

     

       
229
       
 
       
          switch_to(builtin, "ocsp_stapling")

     

       
230
       
+
       
          builtin.wait_for_unit("renew-triggered.target")

     

       
231
       
+
       


     

       
232
       
 
       
          check_stapling(builtin, cert, "${caDomain}")

     

       
233
       
+
       
          check_permissions(builtin, cert, "acme")

     

       
234
       
 
       


     

       
235
       
 
       
      with subtest("Handles keyType change correctly"):

     

       
236
       
 
       
          check_key_bits(builtin, cert, 256)

     

       
237
       
+
       


     

       
238
       
+
       
          builtin.succeed("systemctl stop renew-triggered.target")

     

       
239
       
 
       
          switch_to(builtin, "keytype")

     

       
240
       
+
       
          builtin.wait_for_unit("renew-triggered.target")

     

       
241
       
+
       


     

       
242
       
 
       
          check_key_bits(builtin, cert, 384)

     

       
243
       
 
       
          # keyType is part of the accountHash, thus a new account will be created

     

       
244
       
 
       
          builtin.succeed("test $(ls -1 /var/lib/acme/.lego/accounts | tee /dev/stderr | wc -l) -eq 2")

     

       
245
       
+
       
          check_permissions(builtin, cert, "acme")

     

       
246
       
 
       


     

       
247
       
 
       
      with subtest("Reuses generated, valid certs from previous configurations"):

     

       
248
       
 
       
          # Right now, the hash should not match due to the previous test

     

       
249
       
 
       
          hash = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem | tee /dev/stderr")

     

       
250
       
 
       
          assert hash != old_hash, "Expected certificate to differ"

     

       
251
       
+
       


     

       
252
       
+
       
          builtin.succeed("systemctl stop renew-triggered.target")

     

       
253
       
 
       
          switch_to(builtin, "preservation")

     

       
254
       
+
       
          builtin.wait_for_unit("renew-triggered.target")

     

       
255
       
+
       


     

       
256
       
 
       
          hash = builtin.succeed(f"sha256sum /var/lib/acme/{cert}/cert.pem | tee /dev/stderr")

     

       
257
       
 
       
          assert hash == old_hash, "Expected certificate to match from older configuration"

     

       
258
       
+
       
          check_permissions(builtin, cert, "acme")

     

       
259
       
 
       


     

       
260
       
 
       
      with subtest("Add a new cert, extend existing cert domains"):

     

       
261
       
 
       
          check_domain(builtin, cert, f"builtin-alt.{domain}", fail=True)

     

       
262
       
+
       


     

       
263
       
+
       
          builtin.succeed("systemctl stop renew-triggered.target")

     

       
264
       
 
       
          switch_to(builtin, "add_cert_and_domain")

     

       
265
       
+
       
          builtin.wait_for_unit("renew-triggered.target")

     

       
266
       
+
       


     

       
267
       
 
       
          check_issuer(builtin, cert, "pebble")

     

       
268
       
 
       
          check_domain(builtin, cert, f"builtin-alt.{domain}")

     

       
269
       
 
       
          check_issuer(builtin, cert2, "pebble")

     

       
270
       
 
       
          check_domain(builtin, cert2, cert2)

     

       
271
       
 
       
          # There should not be a new account folder created

     

       
272
       
 
       
          builtin.succeed("test $(ls -1 /var/lib/acme/.lego/accounts | tee /dev/stderr | wc -l) -eq 2")

     

       
273
       
+
       
          check_permissions(builtin, cert, "acme")

     

       
274
       
+
       
          check_permissions(builtin, cert2, "acme")

     

       
275
       
 
       


     

       
276
       
 
       
      with subtest("Check account hashing compatibility with pre-24.05 settings"):

     

       
277
       
+
       
          builtin.succeed("systemctl stop renew-triggered.target")

     

       
278
       
+
       
          switch_to(builtin, "legacy_account_hash"

     

       
279
       
+
       
          )

     

       
280
       
+
       
          builtin.wait_for_unit("renew-triggered.target")

     

       
281
       
+
       


     

       
282
       
 
       
          builtin.succeed(f"stat {legacy_account_dir} > /dev/stderr && rm -rf {legacy_account_dir}")

     

       
283
       
+
       
          check_permissions(builtin, cert, "acme")

     

       
284
       
 
       


     

       
285
       
+
       
      with subtest("Ensure concurrency limits work"):

     

       
286
       
+
       
          builtin.succeed("systemctl stop renew-triggered.target")

     

       
287
       
 
       
          switch_to(builtin, "concurrency")

     

       
288
       
+
       
          builtin.wait_for_unit("renew-triggered.target")

     

       
289
       
+
       


     

       
290
       
 
       
          check_issuer(builtin, cert3, "pebble")

     

       
291
       
 
       
          check_domain(builtin, cert3, cert3)

     

       
292
       
+
       
          check_permissions(builtin, cert, "acme")

     

       
293
       
+
       


     

       
294
       
+
       
      with subtest("Can renew using a CSR"):

     

       
295
       
+
       
          builtin.succeed(f"systemctl stop acme-{cert}.service")

     

       
296
       
+
       
          builtin.succeed(f"systemctl clean acme-{cert}.service --what=state")

     

       
297
       
+
       


     

       
298
       
+
       
          builtin.succeed("systemctl stop renew-triggered.target")

     

       
299
       
+
       
          switch_to(builtin, "csr")

     

       
300
       
+
       
          builtin.wait_for_unit("renew-triggered.target")

     

       
301
       
+
       


     

       
302
       
+
       
          check_issuer(builtin, cert, "pebble")

     

       
303
       
 
       


     

       
304
       
 
       
      with subtest("Generate self-signed certs"):

     

       
305
       
+
       
          acme.shutdown()

     

       
306
       
+
       


     

       
307
       
 
       
          check_issuer(builtin, cert, "pebble")

     

       
308
       
+
       


     

       
309
       
+
       
          builtin.succeed(f"systemctl stop acme-{cert}.service")

     

       
310
       
 
       
          builtin.succeed(f"systemctl clean acme-{cert}.service --what=state")

     

       
311
       
+
       
          builtin.succeed(f"systemctl start acme-{cert}.service")

     

       
312
       
+
       


     

       
313
       
 
       
          check_issuer(builtin, cert, "minica")

     

       
314
       
 
       
          check_domain(builtin, cert, cert)

     

       
315
       
 
       


     

       
316
       
 
       
      with subtest("Validate permissions (self-signed)"):

     

       
317
       
 
       
          check_permissions(builtin, cert, "acme")

     

       
318
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
319
       
 
       
    '';

     

       
320
       
 
       
}