commit 377c6bcefce8e8ccd471892a1b24621d5a909457 · pyrox.dev/nixpkgs

+123 -105

nixos/modules/security/acme.nix

···

       128
        
         };

     

       129
        
       

     

       130
        
         certToConfig = cert: data: let

     

       131
       -
           acmeServer = if data.server != null then data.server else cfg.server;

     

       132
        
           useDns = data.dnsProvider != null;

     

       133
        
           destPath = "/var/lib/acme/${cert}";

     

       134
        
           selfsignedDeps = optionals (cfg.preliminarySelfsigned) [ "acme-selfsigned-${cert}.service" ];

     
···

       211
        
             description = "Renew ACME Certificate for ${cert}";

     

       212
        
             wantedBy = [ "timers.target" ];

     

       213
        
             timerConfig = {

     

       214
       -
               OnCalendar = cfg.renewInterval;

     

       215
        
               Unit = "acme-${cert}.service";

     

       216
        
               Persistent = "yes";

     

       217
        
       

     
···

       356
        
                 expiration_s=$[expiration_date - now]

     

       357
        
                 expiration_days=$[expiration_s / (3600 * 24)]   # rounds down

     

       358
        
       

     

       359
       -
                 [[ $expiration_days -gt ${toString cfg.validMinDays} ]]

     

       360
        
               }

     

       361
        
       

     

       362
        
               ${optionalString (data.webroot != null) ''

     
···

       380
        
                 # Even if a cert is not expired, it may be revoked by the CA.

     

       381
        
                 # Try to renew, and silently fail if the cert is not expired.

     

       382
        
                 # Avoids #85794 and resolves #129838

     

       383
       -
                 if ! lego ${renewOpts} --days ${toString cfg.validMinDays}; then

     

       384
        
                   if is_expiration_skippable out/full.pem; then

     

       385
       -
                     echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming ${toString cfg.validMinDays} days"

     

       386
        
                   else

     

       387
       -
                     exit 3

     

       0
        
       
     

       388
        
                   fi

     

       389
        
                 fi

     

       390
        
       

     
···

       394
        
                 echo Failed to fetch certificates. \

     

       395
        
                   This may mean your DNS records are set up incorrectly. \

     

       396
        
                   ${optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."}

     

       397
       -
                 # Exit 2 so that users can potentially amend SuccessExitStatus to ignore this error.

     

       398
       -
                 exit 2

     

       0
        
       
     

       399
        
               fi

     

       400
        
       

     

       401
        
               mv domainhash.txt certificates/

     
···

       423
        
       

     

       424
        
         certConfigs = mapAttrs certToConfig cfg.certs;

     

       425
        
       

     

       426
       -
         certOpts = { name, ... }: {

     

       427
       -
           options = {

     

       428
       -
             # user option has been removed

     

       429
       -
             user = mkOption {

     

       430
       -
               visible = false;

     

       431
       -
               default = "_mkRemovedOptionModule";

     

       0
        
       
     

       0
        
       
     

       432
        
             };

     

       433
        
       

     

       434
       -
             # allowKeysForGroup option has been removed

     

       435
       -
             allowKeysForGroup = mkOption {

     

       436
       -
               visible = false;

     

       437
       -
               default = "_mkRemovedOptionModule";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       438
        
             };

     

       439
        
       

     

       440
       -
             # extraDomains was replaced with extraDomainNames

     

       441
       -
             extraDomains = mkOption {

     

       442
       -
               visible = false;

     

       443
       -
               default = "_mkMergedOptionModule";

     

       444
        
             };

     

       445
        
       

     

       446
       -
             enableDebugLogs = mkEnableOption "debug logging for this certificate" // { default = cfg.enableDebugLogs; };

     

       447
       -
       

     

       448
        
             webroot = mkOption {

     

       449
        
               type = types.nullOr types.str;

     

       450
       -
               default = null;

     

       451
        
               example = "/var/lib/acme/acme-challenge";

     

       452
        
               description = ''

     

       453
        
                 Where the webroot of the HTTP vhost is located.

     
···

       458
        
               '';

     

       459
        
             };

     

       460
        
       

     

       461
       -
             listenHTTP = mkOption {

     

       462
       -
               type = types.nullOr types.str;

     

       463
       -
               default = null;

     

       464
       -
               example = ":1360";

     

       465
       -
               description = ''

     

       466
       -
                 Interface and port to listen on to solve HTTP challenges

     

       467
       -
                 in the form [INTERFACE]:PORT.

     

       468
       -
                 If you use a port other than 80, you must proxy port 80 to this port.

     

       469
       -
               '';

     

       470
       -
             };

     

       471
       -
       

     

       472
        
             server = mkOption {

     

       473
        
               type = types.nullOr types.str;

     

       474
       -
               default = null;

     

       475
        
               description = ''

     

       476
        
                 ACME Directory Resource URI. Defaults to Let's Encrypt's

     

       477
        
                 production endpoint,

     
···

       479
        
               '';

     

       480
        
             };

     

       481
        
       

     

       482
       -
             domain = mkOption {

     

       483
        
               type = types.str;

     

       484
       -
               default = name;

     

       485
       -
               description = "Domain to fetch certificate for (defaults to the entry name).";

     

       486
       -
             };

     

       487
       -
       

     

       488
       -
             email = mkOption {

     

       489
       -
               type = types.nullOr types.str;

     

       490
       -
               default = cfg.email;

     

       491
       -
               defaultText = literalExpression "config.${opt.email}";

     

       492
       -
               description = "Contact email address for the CA to be able to reach you.";

     

       493
        
             };

     

       494
        
       

     

       495
        
             group = mkOption {

     

       496
        
               type = types.str;

     

       497
       -
               default = "acme";

     

       498
        
               description = "Group running the ACME client.";

     

       499
        
             };

     

       500
        
       

     

       501
        
             reloadServices = mkOption {

     

       502
        
               type = types.listOf types.str;

     

       503
       -
               default = [];

     

       504
        
               description = ''

     

       505
        
                 The list of systemd services to call <code>systemctl try-reload-or-restart</code>

     

       506
        
                 on.

     
···

       509
        
       

     

       510
        
             postRun = mkOption {

     

       511
        
               type = types.lines;

     

       512
       -
               default = "";

     

       513
        
               example = "cp full.pem backup.pem";

     

       514
        
               description = ''

     

       515
        
                 Commands to run after new certificates go live. Note that

     
···

       519
        
               '';

     

       520
        
             };

     

       521
        
       

     

       522
       -
             directory = mkOption {

     

       523
       -
               type = types.str;

     

       524
       -
               readOnly = true;

     

       525
       -
               default = "/var/lib/acme/${name}";

     

       526
       -
               description = "Directory where certificate and other state is stored.";

     

       527
       -
             };

     

       528
       -
       

     

       529
       -
             extraDomainNames = mkOption {

     

       530
       -
               type = types.listOf types.str;

     

       531
       -
               default = [];

     

       532
       -
               example = literalExpression ''

     

       533
       -
                 [

     

       534
       -
                   "example.org"

     

       535
       -
                   "mydomain.org"

     

       536
       -
                 ]

     

       537
       -
               '';

     

       538
       -
               description = ''

     

       539
       -
                 A list of extra domain names, which are included in the one certificate to be issued.

     

       540
       -
               '';

     

       541
       -
             };

     

       542
       -
       

     

       543
        
             keyType = mkOption {

     

       544
        
               type = types.str;

     

       545
       -
               default = "ec256";

     

       546
        
               description = ''

     

       547
        
                 Key type to use for private keys.

     

       548
        
                 For an up to date list of supported values check the --key-type option

     
···

       552
        
       

     

       553
        
             dnsProvider = mkOption {

     

       554
        
               type = types.nullOr types.str;

     

       555
       -
               default = null;

     

       556
        
               example = "route53";

     

       557
        
               description = ''

     

       558
        
                 DNS Challenge provider. For a list of supported providers, see the "code"

     
···

       562
        
       

     

       563
        
             dnsResolver = mkOption {

     

       564
        
               type = types.nullOr types.str;

     

       565
       -
               default = null;

     

       566
        
               example = "1.1.1.1:53";

     

       567
        
               description = ''

     

       568
        
                 Set the resolver to use for performing recursive DNS queries. Supported:

     
···

       573
        
       

     

       574
        
             credentialsFile = mkOption {

     

       575
        
               type = types.path;

     

       0
        
       
     

       576
        
               description = ''

     

       577
        
                 Path to an EnvironmentFile for the cert's service containing any required and

     

       578
        
                 optional environment variables for your selected dnsProvider.

     
···

       584
        
       

     

       585
        
             dnsPropagationCheck = mkOption {

     

       586
        
               type = types.bool;

     

       587
       -
               default = true;

     

       588
        
               description = ''

     

       589
        
                 Toggles lego DNS propagation check, which is used alongside DNS-01

     

       590
        
                 challenge to ensure the DNS entries required are available.

     
···

       593
        
       

     

       594
        
             ocspMustStaple = mkOption {

     

       595
        
               type = types.bool;

     

       596
       -
               default = false;

     

       597
        
               description = ''

     

       598
        
                 Turns on the OCSP Must-Staple TLS extension.

     

       599
        
                 Make sure you know what you're doing! See:

     
···

       606
        
       

     

       607
        
             extraLegoFlags = mkOption {

     

       608
        
               type = types.listOf types.str;

     

       609
       -
               default = [];

     

       610
        
               description = ''

     

       611
        
                 Additional global flags to pass to all lego commands.

     

       612
        
               '';

     
···

       614
        
       

     

       615
        
             extraLegoRenewFlags = mkOption {

     

       616
        
               type = types.listOf types.str;

     

       617
       -
               default = [];

     

       618
        
               description = ''

     

       619
        
                 Additional flags to pass to lego renew.

     

       620
        
               '';

     
···

       622
        
       

     

       623
        
             extraLegoRunFlags = mkOption {

     

       624
        
               type = types.listOf types.str;

     

       625
       -
               default = [];

     

       626
        
               description = ''

     

       627
        
                 Additional flags to pass to lego run.

     

       628
        
               '';

     

       629
        
             };

     

       630
        
           };

     

       631
       -
         };

     

       632
        
       

     

       633
       -
       in {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       634
        
       

     

       635
       -
         options = {

     

       636
       -
           security.acme = {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       637
        
       

     

       638
       -
             enableDebugLogs = mkEnableOption "debug logging for all certificates by default" // { default = true; };

     

       639
       -
       

     

       640
       -
             validMinDays = mkOption {

     

       641
       -
               type = types.int;

     

       642
       -
               default = 30;

     

       643
       -
               description = "Minimum remaining validity before renewal in days.";

     

       644
        
             };

     

       645
        
       

     

       646
       -
             email = mkOption {

     

       647
       -
               type = types.nullOr types.str;

     

       648
       -
               default = null;

     

       649
       -
               description = "Contact email address for the CA to be able to reach you.";

     

       0
        
       
     

       650
        
             };

     

       651
        
       

     

       652
       -
             renewInterval = mkOption {

     

       653
        
               type = types.str;

     

       654
       -
               default = "daily";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       655
        
               description = ''

     

       656
       -
                 Systemd calendar expression when to check for renewal. See

     

       657
       -
                 <citerefentry><refentrytitle>systemd.time</refentrytitle>

     

       658
       -
                 <manvolnum>7</manvolnum></citerefentry>.

     

       659
        
               '';

     

       660
        
             };

     

       661
        
       

     

       662
       -
             server = mkOption {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       663
        
               type = types.nullOr types.str;

     

       664
        
               default = null;

     

       0
        
       
     

       665
        
               description = ''

     

       666
       -
                 ACME Directory Resource URI. Defaults to Let's Encrypt's

     

       667
       -
                 production endpoint,

     

       668
       -
                 <link xlink:href="https://acme-v02.api.letsencrypt.org/directory"/>, if unset.

     

       669
        
               '';

     

       670
        
             };

     

       671
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       672
        
             preliminarySelfsigned = mkOption {

     

       673
        
               type = types.bool;

     

       674
        
               default = true;

     
···

       691
        
               '';

     

       692
        
             };

     

       693
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       694
        
             certs = mkOption {

     

       695
        
               default = { };

     

       696
        
               type = with types; attrsOf (submodule certOpts);

     
···

       724
        
       

     

       725
        
             To use the let's encrypt staging server, use security.acme.server =

     

       726
        
             "https://acme-staging-v02.api.letsencrypt.org/directory".

     

       727
       -
           ''

     

       728
       -
           )

     

       729
        
           (mkRemovedOptionModule [ "security" "acme" "directory" ] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")

     

       730
        
           (mkRemovedOptionModule [ "security" "acme" "preDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")

     

       731
        
           (mkRemovedOptionModule [ "security" "acme" "activationDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")

     

       732
       -
           (mkChangedOptionModule [ "security" "acme" "validMin" ] [ "security" "acme" "validMinDays" ] (config: config.security.acme.validMin / (24 * 3600)))

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       733
        
         ];

     

       734
        
       

     

       735
        
         config = mkMerge [

···

       128
        
         };

     

       129
        
       

     

       130
        
         certToConfig = cert: data: let

     

       131
       +
           acmeServer = data.server;

     

       132
        
           useDns = data.dnsProvider != null;

     

       133
        
           destPath = "/var/lib/acme/${cert}";

     

       134
        
           selfsignedDeps = optionals (cfg.preliminarySelfsigned) [ "acme-selfsigned-${cert}.service" ];

     
···

       211
        
             description = "Renew ACME Certificate for ${cert}";

     

       212
        
             wantedBy = [ "timers.target" ];

     

       213
        
             timerConfig = {

     

       214
       +
               OnCalendar = data.renewInterval;

     

       215
        
               Unit = "acme-${cert}.service";

     

       216
        
               Persistent = "yes";

     

       217
        
       

     
···

       356
        
                 expiration_s=$[expiration_date - now]

     

       357
        
                 expiration_days=$[expiration_s / (3600 * 24)]   # rounds down

     

       358
        
       

     

       359
       +
                 [[ $expiration_days -gt ${toString data.validMinDays} ]]

     

       360
        
               }

     

       361
        
       

     

       362
        
               ${optionalString (data.webroot != null) ''

     
···

       380
        
                 # Even if a cert is not expired, it may be revoked by the CA.

     

       381
        
                 # Try to renew, and silently fail if the cert is not expired.

     

       382
        
                 # Avoids #85794 and resolves #129838

     

       383
       +
                 if ! lego ${renewOpts} --days ${toString data.validMinDays}; then

     

       384
        
                   if is_expiration_skippable out/full.pem; then

     

       385
       +
                     echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming ${toString data.validMinDays} days"

     

       386
        
                   else

     

       387
       +
                     # High number to avoid Systemd reserved codes.

     

       388
       +
                     exit 11

     

       389
        
                   fi

     

       390
        
                 fi

     

       391
        
       

     
···

       395
        
                 echo Failed to fetch certificates. \

     

       396
        
                   This may mean your DNS records are set up incorrectly. \

     

       397
        
                   ${optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."}

     

       398
       +
                 # Exit 10 so that users can potentially amend SuccessExitStatus to ignore this error.

     

       399
       +
                 # High number to avoid Systemd reserved codes.

     

       400
       +
                 exit 10

     

       401
        
               fi

     

       402
        
       

     

       403
        
               mv domainhash.txt certificates/

     
···

       425
        
       

     

       426
        
         certConfigs = mapAttrs certToConfig cfg.certs;

     

       427
        
       

     

       428
       +
         # These options can be specified within

     

       429
       +
         # security.acme or security.acme.certs.<name>

     

       430
       +
         inheritableOpts =

     

       431
       +
           { inheritDefaults ? false, defaults ? null }: {

     

       432
       +
             validMinDays = mkOption {

     

       433
       +
               type = types.int;

     

       434
       +
               default = if inheritDefaults then defaults.validMinDays else 30;

     

       435
       +
               description = "Minimum remaining validity before renewal in days.";

     

       436
        
             };

     

       437
        
       

     

       438
       +
             renewInterval = mkOption {

     

       439
       +
               type = types.str;

     

       440
       +
               default = if inheritDefaults then defaults.renewInterval else "daily";

     

       441
       +
               description = ''

     

       442
       +
                 Systemd calendar expression when to check for renewal. See

     

       443
       +
                 <citerefentry><refentrytitle>systemd.time</refentrytitle>

     

       444
       +
                 <manvolnum>7</manvolnum></citerefentry>.

     

       445
       +
               '';

     

       446
        
             };

     

       447
        
       

     

       448
       +
             enableDebugLogs = mkEnableOption "debug logging for this certificate" // {

     

       449
       +
               default = if inheritDefaults then defaults.enableDebugLogs else true;

     

       0
        
       
     

       0
        
       
     

       450
        
             };

     

       451
        
       

     

       0
        
       
     

       0
        
       
     

       452
        
             webroot = mkOption {

     

       453
        
               type = types.nullOr types.str;

     

       454
       +
               default = if inheritDefaults then defaults.webroot else null;

     

       455
        
               example = "/var/lib/acme/acme-challenge";

     

       456
        
               description = ''

     

       457
        
                 Where the webroot of the HTTP vhost is located.

     
···

       462
        
               '';

     

       463
        
             };

     

       464
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       465
        
             server = mkOption {

     

       466
        
               type = types.nullOr types.str;

     

       467
       +
               default = if inheritDefaults then defaults.server else null;

     

       468
        
               description = ''

     

       469
        
                 ACME Directory Resource URI. Defaults to Let's Encrypt's

     

       470
        
                 production endpoint,

     
···

       472
        
               '';

     

       473
        
             };

     

       474
        
       

     

       475
       +
             email = mkOption {

     

       476
        
               type = types.str;

     

       477
       +
               default = if inheritDefaults then defaults.email else null;

     

       478
       +
               description = ''

     

       479
       +
                 Email address for account creation and correspondence from the CA.

     

       480
       +
                 It is recommended to use the same email for all certs to avoid account

     

       481
       +
                 creation limits.

     

       482
       +
               '';

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       483
        
             };

     

       484
        
       

     

       485
        
             group = mkOption {

     

       486
        
               type = types.str;

     

       487
       +
               default = if inheritDefaults then defaults.group else "acme";

     

       488
        
               description = "Group running the ACME client.";

     

       489
        
             };

     

       490
        
       

     

       491
        
             reloadServices = mkOption {

     

       492
        
               type = types.listOf types.str;

     

       493
       +
               default = if inheritDefaults then defaults.reloadServices else [];

     

       494
        
               description = ''

     

       495
        
                 The list of systemd services to call <code>systemctl try-reload-or-restart</code>

     

       496
        
                 on.

     
···

       499
        
       

     

       500
        
             postRun = mkOption {

     

       501
        
               type = types.lines;

     

       502
       +
               default = if inheritDefaults then defaults.postRun else "";

     

       503
        
               example = "cp full.pem backup.pem";

     

       504
        
               description = ''

     

       505
        
                 Commands to run after new certificates go live. Note that

     
···

       509
        
               '';

     

       510
        
             };

     

       511
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       512
        
             keyType = mkOption {

     

       513
        
               type = types.str;

     

       514
       +
               default = if inheritDefaults then defaults.keyType else "ec256";

     

       515
        
               description = ''

     

       516
        
                 Key type to use for private keys.

     

       517
        
                 For an up to date list of supported values check the --key-type option

     
···

       521
        
       

     

       522
        
             dnsProvider = mkOption {

     

       523
        
               type = types.nullOr types.str;

     

       524
       +
               default = if inheritDefaults then defaults.dnsProvider else null;

     

       525
        
               example = "route53";

     

       526
        
               description = ''

     

       527
        
                 DNS Challenge provider. For a list of supported providers, see the "code"

     
···

       531
        
       

     

       532
        
             dnsResolver = mkOption {

     

       533
        
               type = types.nullOr types.str;

     

       534
       +
               default = if inheritDefaults then defaults.dnsResolver else null;

     

       535
        
               example = "1.1.1.1:53";

     

       536
        
               description = ''

     

       537
        
                 Set the resolver to use for performing recursive DNS queries. Supported:

     
···

       542
        
       

     

       543
        
             credentialsFile = mkOption {

     

       544
        
               type = types.path;

     

       545
       +
               default = if inheritDefaults then defaults.credentialsFile else null;

     

       546
        
               description = ''

     

       547
        
                 Path to an EnvironmentFile for the cert's service containing any required and

     

       548
        
                 optional environment variables for your selected dnsProvider.

     
···

       554
        
       

     

       555
        
             dnsPropagationCheck = mkOption {

     

       556
        
               type = types.bool;

     

       557
       +
               default = if inheritDefaults then defaults.dnsPropagationCheck else true;

     

       558
        
               description = ''

     

       559
        
                 Toggles lego DNS propagation check, which is used alongside DNS-01

     

       560
        
                 challenge to ensure the DNS entries required are available.

     
···

       563
        
       

     

       564
        
             ocspMustStaple = mkOption {

     

       565
        
               type = types.bool;

     

       566
       +
               default = if inheritDefaults then defaults.ocspMustStaple else false;

     

       567
        
               description = ''

     

       568
        
                 Turns on the OCSP Must-Staple TLS extension.

     

       569
        
                 Make sure you know what you're doing! See:

     
···

       576
        
       

     

       577
        
             extraLegoFlags = mkOption {

     

       578
        
               type = types.listOf types.str;

     

       579
       +
               default = if inheritDefaults then defaults.extraLegoFlags else [];

     

       580
        
               description = ''

     

       581
        
                 Additional global flags to pass to all lego commands.

     

       582
        
               '';

     
···

       584
        
       

     

       585
        
             extraLegoRenewFlags = mkOption {

     

       586
        
               type = types.listOf types.str;

     

       587
       +
               default = if inheritDefaults then defaults.extraLegoRenewFlags else [];

     

       588
        
               description = ''

     

       589
        
                 Additional flags to pass to lego renew.

     

       590
        
               '';

     
···

       592
        
       

     

       593
        
             extraLegoRunFlags = mkOption {

     

       594
        
               type = types.listOf types.str;

     

       595
       +
               default = if inheritDefaults then defaults.extraLegoRunFlags else [];

     

       596
        
               description = ''

     

       597
        
                 Additional flags to pass to lego run.

     

       598
        
               '';

     

       599
        
             };

     

       600
        
           };

     

       0
        
       
     

       601
        
       

     

       602
       +
         certOpts = { name, ... }: {

     

       603
       +
           options = (inheritableOpts { inherit (cfg) defaults; inheritDefaults = cfg.certs."${name}".inheritDefaults; }) // {

     

       604
       +
             # user option has been removed

     

       605
       +
             user = mkOption {

     

       606
       +
               visible = false;

     

       607
       +
               default = "_mkRemovedOptionModule";

     

       608
       +
             };

     

       609
        
       

     

       610
       +
             # allowKeysForGroup option has been removed

     

       611
       +
             allowKeysForGroup = mkOption {

     

       612
       +
               visible = false;

     

       613
       +
               default = "_mkRemovedOptionModule";

     

       614
       +
             };

     

       615
        
       

     

       616
       +
             # extraDomains was replaced with extraDomainNames

     

       617
       +
             extraDomains = mkOption {

     

       618
       +
               visible = false;

     

       619
       +
               default = "_mkMergedOptionModule";

     

       0
        
       
     

       0
        
       
     

       620
        
             };

     

       621
        
       

     

       622
       +
             directory = mkOption {

     

       623
       +
               type = types.str;

     

       624
       +
               readOnly = true;

     

       625
       +
               default = "/var/lib/acme/${name}";

     

       626
       +
               description = "Directory where certificate and other state is stored.";

     

       627
        
             };

     

       628
        
       

     

       629
       +
             domain = mkOption {

     

       630
        
               type = types.str;

     

       631
       +
               default = name;

     

       632
       +
               description = "Domain to fetch certificate for (defaults to the entry name).";

     

       633
       +
             };

     

       634
       +
       

     

       635
       +
             extraDomainNames = mkOption {

     

       636
       +
               type = types.listOf types.str;

     

       637
       +
               default = [];

     

       638
       +
               example = literalExpression ''

     

       639
       +
                 [

     

       640
       +
                   "example.org"

     

       641
       +
                   "mydomain.org"

     

       642
       +
                 ]

     

       643
       +
               '';

     

       644
        
               description = ''

     

       645
       +
                 A list of extra domain names, which are included in the one certificate to be issued.

     

       0
        
       
     

       0
        
       
     

       646
        
               '';

     

       647
        
             };

     

       648
        
       

     

       649
       +
             # This setting must be different for each configured certificate, otherwise

     

       650
       +
             # two or more renewals may fail to bind to the address. Hence, it is not in

     

       651
       +
             # the inheritableOpts.

     

       652
       +
             listenHTTP = mkOption {

     

       653
        
               type = types.nullOr types.str;

     

       654
        
               default = null;

     

       655
       +
               example = ":1360";

     

       656
        
               description = ''

     

       657
       +
                 Interface and port to listen on to solve HTTP challenges

     

       658
       +
                 in the form [INTERFACE]:PORT.

     

       659
       +
                 If you use a port other than 80, you must proxy port 80 to this port.

     

       660
        
               '';

     

       661
        
             };

     

       662
        
       

     

       663
       +
             inheritDefaults = mkOption {

     

       664
       +
               default = true;

     

       665
       +
               example = true;

     

       666
       +
               description = "Whether to inherit values set in `security.acme.defaults` or not.";

     

       667
       +
               type = lib.types.bool;

     

       668
       +
             };

     

       669
       +
           };

     

       670
       +
         };

     

       671
       +
       

     

       672
       +
       in {

     

       673
       +
       

     

       674
       +
         options = {

     

       675
       +
           security.acme = {

     

       676
        
             preliminarySelfsigned = mkOption {

     

       677
        
               type = types.bool;

     

       678
        
               default = true;

     
···

       695
        
               '';

     

       696
        
             };

     

       697
        
       

     

       698
       +
             defaults = mkOption {

     

       699
       +
               type = types.submodule ({ ... }: { options = inheritableOpts {}; });

     

       700
       +
               description = ''

     

       701
       +
                 Default values inheritable by all configured certs. You can

     

       702
       +
                 use this to define options shared by all your certs. These defaults

     

       703
       +
                 can also be ignored on a per-cert basis using the

     

       704
       +
                 `security.acme.certs.''${cert}.inheritDefaults' option.

     

       705
       +
               '';

     

       706
       +
             };

     

       707
       +
       

     

       708
        
             certs = mkOption {

     

       709
        
               default = { };

     

       710
        
               type = with types; attrsOf (submodule certOpts);

     
···

       738
        
       

     

       739
        
             To use the let's encrypt staging server, use security.acme.server =

     

       740
        
             "https://acme-staging-v02.api.letsencrypt.org/directory".

     

       741
       +
           '')

     

       0
        
       
     

       742
        
           (mkRemovedOptionModule [ "security" "acme" "directory" ] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")

     

       743
        
           (mkRemovedOptionModule [ "security" "acme" "preDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")

     

       744
        
           (mkRemovedOptionModule [ "security" "acme" "activationDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")

     

       745
       +
           (mkChangedOptionModule [ "security" "acme" "validMin" ] [ "security" "acme" "defaults" "validMinDays" ] (config: config.security.acme.validMin / (24 * 3600)))

     

       746
       +
           (mkChangedOptionModule [ "security" "acme" "validMinDays" ] [ "security" "acme" "defaults" "validMinDays" ] (config: config.security.acme.validMinDays))

     

       747
       +
           (mkChangedOptionModule [ "security" "acme" "renewInterval" ] [ "security" "acme" "defaults" "renewInterval" ] (config: config.security.acme.renewInterval))

     

       748
       +
           (mkChangedOptionModule [ "security" "acme" "email" ] [ "security" "acme" "defaults" "email" ] (config: config.security.acme.email))

     

       749
       +
           (mkChangedOptionModule [ "security" "acme" "server" ] [ "security" "acme" "defaults" "server" ] (config: config.security.acme.server))

     

       750
       +
           (mkChangedOptionModule [ "security" "acme" "enableDebugLogs" ] [ "security" "acme" "defaults" "enableDebugLogs" ] (config: config.security.acme.enableDebugLogs))

     

       751
        
         ];

     

       752
        
       

     

       753
        
         config = mkMerge [

+10 -3

nixos/modules/services/web-servers/apache-httpd/default.nix

···

       154
        
             sslServerKey = if useACME then "${sslCertDir}/key.pem" else hostOpts.sslServerKey;

     

       155
        
             sslServerChain = if useACME then "${sslCertDir}/chain.pem" else hostOpts.sslServerChain;

     

       156
        
       

     

       157
       -
             acmeChallenge = optionalString useACME ''

     

       158
        
               Alias /.well-known/acme-challenge/ "${hostOpts.acmeRoot}/.well-known/acme-challenge/"

     

       159
        
               <Directory "${hostOpts.acmeRoot}">

     

       160
        
                   AllowOverride None

     
···

       677
        
           };

     

       678
        
       

     

       679
        
           security.acme.certs = let

     

       680
       -
             acmePairs = map (hostOpts: nameValuePair hostOpts.hostName {

     

       0
        
       
     

       0
        
       
     

       681
        
               group = mkDefault cfg.group;

     

       682
       -
               webroot = hostOpts.acmeRoot;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       683
        
               extraDomainNames = hostOpts.serverAliases;

     

       684
        
               # Use the vhost-specific email address if provided, otherwise let

     

       685
        
               # security.acme.email or security.acme.certs.<cert>.email be used.

···

       154
        
             sslServerKey = if useACME then "${sslCertDir}/key.pem" else hostOpts.sslServerKey;

     

       155
        
             sslServerChain = if useACME then "${sslCertDir}/chain.pem" else hostOpts.sslServerChain;

     

       156
        
       

     

       157
       +
             acmeChallenge = optionalString (useACME && hostOpts.acmeRoot != null) ''

     

       158
        
               Alias /.well-known/acme-challenge/ "${hostOpts.acmeRoot}/.well-known/acme-challenge/"

     

       159
        
               <Directory "${hostOpts.acmeRoot}">

     

       160
        
                   AllowOverride None

     
···

       677
        
           };

     

       678
        
       

     

       679
        
           security.acme.certs = let

     

       680
       +
             acmePairs = map (hostOpts: let

     

       681
       +
               hasRoot = hostOpts.acmeRoot != null;

     

       682
       +
             in nameValuePair hostOpts.hostName {

     

       683
        
               group = mkDefault cfg.group;

     

       684
       +
               # if acmeRoot is null inherit config.security.acme

     

       685
       +
               # Since config.security.acme.certs.<cert>.webroot's own default value

     

       686
       +
               # should take precedence set priority higher than mkOptionDefault

     

       687
       +
               webroot = mkOverride (if hasRoot then 1000 else 2000) hostOpts.acmeRoot;

     

       688
       +
               # Also nudge dnsProvider to null in case it is inherited

     

       689
       +
               dnsProvider = mkOverride (if hasRoot then 1000 else 2000) null;

     

       690
        
               extraDomainNames = hostOpts.serverAliases;

     

       691
        
               # Use the vhost-specific email address if provided, otherwise let

     

       692
        
               # security.acme.email or security.acme.certs.<cert>.email be used.

+5 -2

nixos/modules/services/web-servers/apache-httpd/vhost-options.nix

···

       128
        
           };

     

       129
        
       

     

       130
        
           acmeRoot = mkOption {

     

       131
       -
             type = types.str;

     

       132
        
             default = "/var/lib/acme/acme-challenge";

     

       133
       -
             description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       134
        
           };

     

       135
        
       

     

       136
        
           sslServerCert = mkOption {

···

       128
        
           };

     

       129
        
       

     

       130
        
           acmeRoot = mkOption {

     

       131
       +
             type = types.nullOr types.str;

     

       132
        
             default = "/var/lib/acme/acme-challenge";

     

       133
       +
             description = ''

     

       134
       +
               Directory for the acme challenge which is PUBLIC, don't put certs or keys in here.

     

       135
       +
               Set to null to inherit from config.security.acme.

     

       136
       +
             '';

     

       137
        
           };

     

       138
        
       

     

       139
        
           sslServerCert = mkOption {

+10 -3

nixos/modules/services/web-servers/nginx/default.nix

···

       278
        
               acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) ''

     

       279
        
                 location /.well-known/acme-challenge {

     

       280
        
                   ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}

     

       281
       -
                   root ${vhost.acmeRoot};

     

       282
        
                   auth_basic off;

     

       283
        
                 }

     

       284
        
                 ${optionalString (vhost.acmeFallbackHost != null) ''

     
···

       948
        
           };

     

       949
        
       

     

       950
        
           security.acme.certs = let

     

       951
       -
             acmePairs = map (vhostConfig: nameValuePair vhostConfig.serverName {

     

       0
        
       
     

       0
        
       
     

       952
        
               group = mkDefault cfg.group;

     

       953
       -
               webroot = vhostConfig.acmeRoot;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       954
        
               extraDomainNames = vhostConfig.serverAliases;

     

       955
        
             # Filter for enableACME-only vhosts. Don't want to create dud certs

     

       956
        
             }) (filter (vhostConfig: vhostConfig.useACMEHost == null) acmeEnabledVhosts);

···

       278
        
               acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) ''

     

       279
        
                 location /.well-known/acme-challenge {

     

       280
        
                   ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}

     

       281
       +
                   ${optionalString (vhost.acmeRoot != null) "root ${vhost.acmeRoot};"}

     

       282
        
                   auth_basic off;

     

       283
        
                 }

     

       284
        
                 ${optionalString (vhost.acmeFallbackHost != null) ''

     
···

       948
        
           };

     

       949
        
       

     

       950
        
           security.acme.certs = let

     

       951
       +
             acmePairs = map (vhostConfig: let

     

       952
       +
               hasRoot = vhostConfig.acmeRoot != null;

     

       953
       +
             in nameValuePair vhostConfig.serverName {

     

       954
        
               group = mkDefault cfg.group;

     

       955
       +
               # if acmeRoot is null inherit config.security.acme

     

       956
       +
               # Since config.security.acme.certs.<cert>.webroot's own default value

     

       957
       +
               # should take precedence set priority higher than mkOptionDefault

     

       958
       +
               webroot = mkOverride (if hasRoot then 1000 else 2000) vhostConfig.acmeRoot;

     

       959
       +
               # Also nudge dnsProvider to null in case it is inherited

     

       960
       +
               dnsProvider = mkOverride (if hasRoot then 1000 else 2000) null;

     

       961
        
               extraDomainNames = vhostConfig.serverAliases;

     

       962
        
             # Filter for enableACME-only vhosts. Don't want to create dud certs

     

       963
        
             }) (filter (vhostConfig: vhostConfig.useACMEHost == null) acmeEnabledVhosts);

+6 -3

nixos/modules/services/web-servers/nginx/vhost-options.nix

···

       3
        
       # has additional options that affect the web server as a whole, like

     

       4
        
       # the user/group to run under.)

     

       5
        
       

     

       6
       -
       { lib, ... }:

     

       7
        
       

     

       8
        
       with lib;

     

       9
        
       {

     
···

       85
        
           };

     

       86
        
       

     

       87
        
           acmeRoot = mkOption {

     

       88
       -
             type = types.str;

     

       89
        
             default = "/var/lib/acme/acme-challenge";

     

       90
       -
             description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       91
        
           };

     

       92
        
       

     

       93
        
           acmeFallbackHost = mkOption {

···

       3
        
       # has additional options that affect the web server as a whole, like

     

       4
        
       # the user/group to run under.)

     

       5
        
       

     

       6
       +
       { config, lib, ... }:

     

       7
        
       

     

       8
        
       with lib;

     

       9
        
       {

     
···

       85
        
           };

     

       86
        
       

     

       87
        
           acmeRoot = mkOption {

     

       88
       +
             type = types.nullOr types.str;

     

       89
        
             default = "/var/lib/acme/acme-challenge";

     

       90
       +
             description = ''

     

       91
       +
               Directory for the acme challenge which is PUBLIC, don't put certs or keys in here.

     

       92
       +
               Set to null to inherit from config.security.acme.

     

       93
       +
             '';

     

       94
        
           };

     

       95
        
       

     

       96
        
           acmeFallbackHost = mkOption {

+276 -221

nixos/tests/acme.nix

···

       1
       -
       let

     

       2
        
         commonConfig = ./common/acme/client;

     

       3
        
       

     

       4
        
         dnsServerIP = nodes: nodes.dnsserver.config.networking.primaryIPAddress;

     

       5
        
       

     

       6
       -
         dnsScript = {pkgs, nodes}: let

     

       7
        
           dnsAddress = dnsServerIP nodes;

     

       8
        
         in pkgs.writeShellScript "dns-hook.sh" ''

     

       9
        
           set -euo pipefail

     
···

       15
        
           fi

     

       16
        
         '';

     

       17
        
       

     

       18
       -
         documentRoot = pkgs: pkgs.runCommand "docroot" {} ''

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       19
        
           mkdir -p "$out"

     

       20
        
           echo hello world > "$out/index.html"

     

       21
        
         '';

     

       22
        
       

     

       23
       -
         vhostBase = pkgs: {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       24
        
           forceSSL = true;

     

       25
       -
           locations."/".root = documentRoot pkgs;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       26
        
         };

     

       27
        
       

     

       28
       -
       in import ./make-test-python.nix ({ lib, ... }: {

     

       29
        
         name = "acme";

     

       30
        
         meta.maintainers = lib.teams.acme.members;

     

       31
        
       

     

       32
        
         nodes = {

     

       33
        
           # The fake ACME server which will respond to client requests

     

       34
       -
           acme = { nodes, lib, ... }: {

     

       35
        
             imports = [ ./common/acme/server ];

     

       36
        
             networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];

     

       37
        
           };

     

       38
        
       

     

       39
        
           # A fake DNS server which can be configured with records as desired

     

       40
        
           # Used to test DNS-01 challenge

     

       41
       -
           dnsserver = { nodes, pkgs, ... }: {

     

       42
        
             networking.firewall.allowedTCPPorts = [ 8055 53 ];

     

       43
        
             networking.firewall.allowedUDPPorts = [ 53 ];

     

       44
        
             systemd.services.pebble-challtestsrv = {

     
···

       54
        
           };

     

       55
        
       

     

       56
        
           # A web server which will be the node requesting certs

     

       57
       -
           webserver = { pkgs, nodes, lib, config, ... }: {

     

       58
        
             imports = [ commonConfig ];

     

       59
        
             networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];

     

       60
        
             networking.firewall.allowedTCPPorts = [ 80 443 ];

     
···

       63
        
             environment.systemPackages = [ pkgs.openssl ];

     

       64
        
       

     

       65
        
             # Set log level to info so that we can see when the service is reloaded

     

       66
       -
             services.nginx.enable = true;

     

       67
        
             services.nginx.logError = "stderr info";

     

       68
        
       

     

       69
       -
             # First tests configure a basic cert and run a bunch of openssl checks

     

       70
       -
             services.nginx.virtualHosts."a.example.test" = (vhostBase pkgs) // {

     

       71
       -
               enableACME = true;

     

       72
       -
             };

     

       73
       -
       

     

       74
       -
             # Used to determine if service reload was triggered

     

       75
       -
             systemd.targets.test-renew-nginx = {

     

       76
       -
               wants = [ "acme-a.example.test.service" ];

     

       77
       -
               after = [ "acme-a.example.test.service" "nginx-config-reload.service" ];

     

       78
       -
             };

     

       79
       -
       

     

       80
       -
             # Test that account creation is collated into one service

     

       81
       -
             specialisation.account-creation.configuration = { nodes, pkgs, lib, ... }: let

     

       82
       -
               email = "newhostmaster@example.test";

     

       83
       -
               caDomain = nodes.acme.config.test-support.acme.caDomain;

     

       84
       -
               # Exit 99 to make it easier to track if this is the reason a renew failed

     

       85
       -
               testScript = ''

     

       86
       -
                 test -e accounts/${caDomain}/${email}/account.json || exit 99

     

       87
       -
               '';

     

       88
       -
             in {

     

       89
       -
               security.acme.email = lib.mkForce email;

     

       90
       -
               systemd.services."b.example.test".preStart = testScript;

     

       91
       -
               systemd.services."c.example.test".preStart = testScript;

     

       92
       -
       

     

       93
       -
               services.nginx.virtualHosts."b.example.test" = (vhostBase pkgs) // {

     

       94
       -
                 enableACME = true;

     

       95
       -
               };

     

       96
       -
               services.nginx.virtualHosts."c.example.test" = (vhostBase pkgs) // {

     

       97
       -
                 enableACME = true;

     

       98
       -
               };

     

       99
       -
             };

     

       100
       -
       

     

       101
       -
             # Cert config changes will not cause the nginx configuration to change.

     

       102
       -
             # This tests that the reload service is correctly triggered.

     

       103
       -
             # It also tests that postRun is exec'd as root

     

       104
       -
             specialisation.cert-change.configuration = { pkgs, ... }: {

     

       105
       -
               security.acme.certs."a.example.test".keyType = "ec384";

     

       106
       -
               security.acme.certs."a.example.test".postRun = ''

     

       107
       -
                 set -euo pipefail

     

       108
       -
                 touch /home/test

     

       109
       -
                 chown root:root /home/test

     

       110
       -
                 echo testing > /home/test

     

       111
       -
               '';

     

       112
       -
             };

     

       113
       -
       

     

       114
       -
             # Now adding an alias to ensure that the certs are updated

     

       115
       -
             specialisation.nginx-aliases.configuration = { pkgs, ... }: {

     

       116
       -
               services.nginx.virtualHosts."a.example.test" = (vhostBase pkgs) // {

     

       117
       -
                 serverAliases = [ "b.example.test" ];

     

       118
       -
               };

     

       119
       -
             };

     

       120
       -
       

     

       121
       -
             # Must be run after nginx-aliases

     

       122
       -
             specialisation.remove-extra-domain.configuration = { pkgs, ... } : {

     

       123
       -
               # This also validates that useACMEHost doesn't unexpectedly add the domain.

     

       124
       -
               services.nginx.virtualHosts."b.example.test" = (vhostBase pkgs) // {

     

       125
       -
                 useACMEHost = "a.example.test";

     

       126
       -
               };

     

       127
       -
             };

     

       128
       -
       

     

       129
       -
             # Test OCSP Stapling

     

       130
       -
             specialisation.ocsp-stapling.configuration = { pkgs, ... }: {

     

       131
       -
               security.acme.certs."a.example.test" = {

     

       132
       -
                 ocspMustStaple = true;

     

       133
       -
               };

     

       134
       -
               services.nginx.virtualHosts."a.example.com" = {

     

       135
       -
                 extraConfig = ''

     

       136
       -
                   ssl_stapling on;

     

       137
       -
                   ssl_stapling_verify on;

     

       138
        
                 '';

     

       139
       -
               };

     

       140
       -
             };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       141
        
       

     

       142
       -
             # Test using Apache HTTPD

     

       143
       -
             specialisation.httpd-aliases.configuration = { pkgs, config, lib, ... }: {

     

       144
       -
               services.nginx.enable = lib.mkForce false;

     

       145
       -
               services.httpd.enable = true;

     

       146
       -
               services.httpd.adminAddr = config.security.acme.email;

     

       147
       -
               services.httpd.virtualHosts."c.example.test" = {

     

       148
       -
                 serverAliases = [ "d.example.test" ];

     

       149
       -
                 forceSSL = true;

     

       150
       -
                 enableACME = true;

     

       151
       -
                 documentRoot = documentRoot pkgs;

     

       152
       -
               };

     

       153
        
       

     

       154
       -
               # Used to determine if service reload was triggered

     

       155
       -
               systemd.targets.test-renew-httpd = {

     

       156
       -
                 wants = [ "acme-c.example.test.service" ];

     

       157
       -
                 after = [ "acme-c.example.test.service" "httpd-config-reload.service" ];

     

       158
       -
               };

     

       159
       -
             };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       160
        
       

     

       161
       -
             # Validation via DNS-01 challenge

     

       162
       -
             specialisation.dns-01.configuration = { pkgs, config, nodes, ... }: {

     

       163
       -
               security.acme.certs."example.test" = {

     

       164
       -
                 domain = "*.example.test";

     

       165
       -
                 group = config.services.nginx.group;

     

       166
       -
                 dnsProvider = "exec";

     

       167
       -
                 dnsPropagationCheck = false;

     

       168
       -
                 credentialsFile = pkgs.writeText "wildcard.env" ''

     

       169
       -
                   EXEC_PATH=${dnsScript { inherit pkgs nodes; }}

     

       170
       -
                 '';

     

       171
       -
               };

     

       172
        
       

     

       173
       -
               services.nginx.virtualHosts."dns.example.test" = (vhostBase pkgs) // {

     

       174
       -
                 useACMEHost = "example.test";

     

       175
       -
               };

     

       176
       -
             };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       177
        
       

     

       178
       -
             # Validate service relationships by adding a slow start service to nginx' wants.

     

       179
       -
             # Reproducer for https://github.com/NixOS/nixpkgs/issues/81842

     

       180
       -
             specialisation.slow-startup.configuration = { pkgs, config, nodes, lib, ... }: {

     

       181
       -
               systemd.services.my-slow-service = {

     

       182
       -
                 wantedBy = [ "multi-user.target" "nginx.service" ];

     

       183
       -
                 before = [ "nginx.service" ];

     

       184
       -
                 preStart = "sleep 5";

     

       185
       -
                 script = "${pkgs.python3}/bin/python -m http.server";

     

       186
       -
               };

     

       187
        
       

     

       188
       -
               services.nginx.virtualHosts."slow.example.com" = {

     

       189
       -
                 forceSSL = true;

     

       190
       -
                 enableACME = true;

     

       191
       -
                 locations."/".proxyPass = "http://localhost:8000";

     

       192
       -
               };

     

       193
       -
             };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       194
        
           };

     

       195
        
       

     

       196
        
           # The client will be used to curl the webserver to validate configuration

     

       197
       -
           client = {nodes, lib, pkgs, ...}: {

     

       198
        
             imports = [ commonConfig ];

     

       199
        
             networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];

     

       200
        
       

     
···

       203
        
           };

     

       204
        
         };

     

       205
        
       

     

       206
       -
         testScript = {nodes, ...}:

     

       207
        
           let

     

       208
        
             caDomain = nodes.acme.config.test-support.acme.caDomain;

     

       209
        
             newServerSystem = nodes.webserver.config.system.build.toplevel;

     
···

       212
        
           # Note, wait_for_unit does not work for oneshot services that do not have RemainAfterExit=true,

     

       213
        
           # this is because a oneshot goes from inactive => activating => inactive, and never

     

       214
        
           # reaches the active state. Targets do not have this issue.

     

       215
       -
       

     

       216
        
           ''

     

       217
        
             import time

     

       218
        
       

     

       219
        
       

     

       220
       -
             has_switched = False

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       221
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       222
        
       

     

       223
       -
             def switch_to(node, name):

     

       224
       -
                 global has_switched

     

       225
       -
                 if has_switched:

     

       226
       -
                     node.succeed(

     

       227
       -
                         "${switchToNewServer}"

     

       228
       -
                     )

     

       229
       -
                 has_switched = True

     

       230
        
                 node.succeed(

     

       231
       -
                     f"/run/current-system/specialisation/{name}/bin/switch-to-configuration test"

     

       232
        
                 )

     

       233
        
       

     

       234
        
       

     
···

       318
        
                     return download_ca_certs(node, retries - 1)

     

       319
        
       

     

       320
        
       

     

       321
       -
             client.start()

     

       322
       -
             dnsserver.start()

     

       323
        
       

     

       324
        
             dnsserver.wait_for_unit("pebble-challtestsrv.service")

     

       325
        
             client.wait_for_unit("default.target")

     
···

       327
        
             client.succeed(

     

       328
        
                 'curl --data \'{"host": "${caDomain}", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${dnsServerIP nodes}:8055/add-a'

     

       329
        
             )

     

       330
       -
       

     

       331
       -
             acme.start()

     

       332
       -
             webserver.start()

     

       333
        
       

     

       334
        
             acme.wait_for_unit("network-online.target")

     

       335
        
             acme.wait_for_unit("pebble.service")

     

       336
        
       

     

       337
        
             download_ca_certs(client)

     

       338
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       339
        
             with subtest("Can request certificate with HTTPS-01 challenge"):

     

       340
        
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       341
        
       

     

       342
        
             with subtest("Certificates and accounts have safe + valid permissions"):

     

       343
       -
                 group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}"

     

       0
        
       
     

       344
        
                 webserver.succeed(

     

       345
        
                     f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"

     

       346
        
                 )

     
···

       354
        
                     f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c '%a %U %G' {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"

     

       355
        
                 )

     

       356
        
       

     

       357
       -
             with subtest("Certs are accepted by web server"):

     

       358
       -
                 webserver.succeed("systemctl start nginx.service")

     

       359
       -
                 check_fullchain(webserver, "a.example.test")

     

       360
       -
                 check_issuer(webserver, "a.example.test", "pebble")

     

       361
       -
                 check_connection(client, "a.example.test")

     

       362
       -
       

     

       363
        
             # Selfsigned certs tests happen late so we aren't fighting the system init triggering cert renewal

     

       364
        
             with subtest("Can generate valid selfsigned certs"):

     

       365
        
                 webserver.succeed("systemctl clean acme-a.example.test.service --what=state")

     
···

       373
        
                 # Will succeed if nginx can load the certs

     

       374
        
                 webserver.succeed("systemctl start nginx-config-reload.service")

     

       375
        
       

     

       376
       -
             with subtest("Can reload nginx when timer triggers renewal"):

     

       377
       -
                 webserver.succeed("systemctl start test-renew-nginx.target")

     

       378
       -
                 check_issuer(webserver, "a.example.test", "pebble")

     

       379
       -
                 check_connection(client, "a.example.test")

     

       380
       -
       

     

       381
       -
             with subtest("Runs 1 cert for account creation before others"):

     

       382
       -
                 switch_to(webserver, "account-creation")

     

       383
       -
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       384
       -
                 check_connection(client, "a.example.test")

     

       385
       -
                 webserver.wait_for_unit("acme-finished-b.example.test.target")

     

       386
       -
                 webserver.wait_for_unit("acme-finished-c.example.test.target")

     

       387
       -
                 check_connection(client, "b.example.test")

     

       388
       -
                 check_connection(client, "c.example.test")

     

       389
       -
       

     

       390
       -
             with subtest("Can reload web server when cert configuration changes"):

     

       391
       -
                 switch_to(webserver, "cert-change")

     

       392
       -
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       393
       -
                 check_connection_key_bits(client, "a.example.test", "384")

     

       394
       -
                 webserver.succeed("grep testing /home/test")

     

       395
       -
                 # Clean to remove the testing file (and anything else messy we did)

     

       396
       -
                 webserver.succeed("systemctl clean acme-a.example.test.service --what=state")

     

       397
       -
       

     

       398
        
             with subtest("Correctly implements OCSP stapling"):

     

       399
        
                 switch_to(webserver, "ocsp-stapling")

     

       400
        
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       401
        
                 check_stapling(client, "a.example.test")

     

       402
        
       

     

       403
        
             with subtest("Can request certificate with HTTPS-01 when nginx startup is delayed"):

     

       0
        
       
     

       404
        
                 switch_to(webserver, "slow-startup")

     

       405
        
                 webserver.wait_for_unit("acme-finished-slow.example.com.target")

     

       406
        
                 check_issuer(webserver, "slow.example.com", "pebble")

     

       0
        
       
     

       407
        
                 check_connection(client, "slow.example.com")

     

       408
        
       

     

       409
       -
             with subtest("Can request certificate for vhost + aliases (nginx)"):

     

       410
       -
                 # Check the key hash before and after adding an alias. It should not change.

     

       411
       -
                 # The previous test reverts the ed384 change

     

       412
       -
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       413
       -
                 switch_to(webserver, "nginx-aliases")

     

       414
       -
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       415
       -
                 check_issuer(webserver, "a.example.test", "pebble")

     

       416
       -
                 check_connection(client, "a.example.test")

     

       417
       -
                 check_connection(client, "b.example.test")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       418
        
       

     

       419
       -
             with subtest("Can remove extra domains from a cert"):

     

       420
       -
                 switch_to(webserver, "remove-extra-domain")

     

       421
       -
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       422
       -
                 webserver.wait_for_unit("nginx.service")

     

       423
       -
                 check_connection(client, "a.example.test")

     

       424
       -
                 rc, _ = client.execute(

     

       425
       -
                     "openssl s_client -CAfile /tmp/ca.crt -connect b.example.test:443"

     

       426
       -
                     " </dev/null 2>/dev/null | openssl x509 -noout -text"

     

       427
       -
                     " | grep DNS: | grep b.example.test"

     

       428
       -
                 )

     

       429
       -
                 assert rc > 0, "Removed extraDomainName was not removed from the cert"

     

       430
        
       

     

       431
       -
             with subtest("Can request certificates for vhost + aliases (apache-httpd)"):

     

       432
       -
                 try:

     

       433
       -
                     switch_to(webserver, "httpd-aliases")

     

       434
       -
                     webserver.wait_for_unit("acme-finished-c.example.test.target")

     

       435
       -
                 except Exception as err:

     

       436
       -
                     _, output = webserver.execute(

     

       437
       -
                         "cat /var/log/httpd/*.log && ls -al /var/lib/acme/acme-challenge"

     

       438
       -
                     )

     

       439
       -
                     print(output)

     

       440
       -
                     raise err

     

       441
       -
                 check_issuer(webserver, "c.example.test", "pebble")

     

       442
       -
                 check_connection(client, "c.example.test")

     

       443
       -
                 check_connection(client, "d.example.test")

     

       444
        
       

     

       445
       -
             with subtest("Can reload httpd when timer triggers renewal"):

     

       446
       -
                 # Switch to selfsigned first

     

       447
       -
                 webserver.succeed("systemctl clean acme-c.example.test.service --what=state")

     

       448
       -
                 webserver.succeed("systemctl start acme-selfsigned-c.example.test.service")

     

       449
       -
                 check_issuer(webserver, "c.example.test", "minica")

     

       450
       -
                 webserver.succeed("systemctl start httpd-config-reload.service")

     

       451
       -
                 webserver.succeed("systemctl start test-renew-httpd.target")

     

       452
       -
                 check_issuer(webserver, "c.example.test", "pebble")

     

       453
       -
                 check_connection(client, "c.example.test")

     

       454
        
       

     

       455
       -
             with subtest("Can request wildcard certificates using DNS-01 challenge"):

     

       456
       -
                 switch_to(webserver, "dns-01")

     

       457
       -
                 webserver.wait_for_unit("acme-finished-example.test.target")

     

       458
       -
                 check_issuer(webserver, "example.test", "pebble")

     

       459
       -
                 check_connection(client, "dns.example.test")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       460
        
           '';

     

       461
        
       })

···

       1
       +
       import ./make-test-python.nix ({ pkgs, lib, ... }: let

     

       2
        
         commonConfig = ./common/acme/client;

     

       3
        
       

     

       4
        
         dnsServerIP = nodes: nodes.dnsserver.config.networking.primaryIPAddress;

     

       5
        
       

     

       6
       +
         dnsScript = nodes: let

     

       7
        
           dnsAddress = dnsServerIP nodes;

     

       8
        
         in pkgs.writeShellScript "dns-hook.sh" ''

     

       9
        
           set -euo pipefail

     
···

       15
        
           fi

     

       16
        
         '';

     

       17
        
       

     

       18
       +
         dnsConfig = nodes: {

     

       19
       +
           dnsProvider = "exec";

     

       20
       +
           dnsPropagationCheck = false;

     

       21
       +
           credentialsFile = pkgs.writeText "wildcard.env" ''

     

       22
       +
             EXEC_PATH=${dnsScript nodes}

     

       23
       +
             EXEC_POLLING_INTERVAL=1

     

       24
       +
             EXEC_PROPAGATION_TIMEOUT=1

     

       25
       +
             EXEC_SEQUENCE_INTERVAL=1

     

       26
       +
           '';

     

       27
       +
         };

     

       28
       +
       

     

       29
       +
         documentRoot = pkgs.runCommand "docroot" {} ''

     

       30
        
           mkdir -p "$out"

     

       31
        
           echo hello world > "$out/index.html"

     

       32
        
         '';

     

       33
        
       

     

       34
       +
         vhostBase = {

     

       35
       +
           forceSSL = true;

     

       36
       +
           locations."/".root = documentRoot;

     

       37
       +
         };

     

       38
       +
       

     

       39
       +
         vhostBaseHttpd = {

     

       40
        
           forceSSL = true;

     

       41
       +
           inherit documentRoot;

     

       42
       +
         };

     

       43
       +
       

     

       44
       +
         # Base specialisation config for testing general ACME features

     

       45
       +
         webserverBasicConfig = {

     

       46
       +
           services.nginx.enable = true;

     

       47
       +
           services.nginx.virtualHosts."a.example.test" = vhostBase // {

     

       48
       +
             enableACME = true;

     

       49
       +
           };

     

       50
       +
         };

     

       51
       +
       

     

       52
       +
         # Generate specialisations for testing a web server

     

       53
       +
         mkServerConfigs = { server, group, vhostBaseData, extraConfig ? {} }: let

     

       54
       +
           baseConfig = { nodes, config, specialConfig ? {} }: lib.mkMerge [

     

       55
       +
             {

     

       56
       +
               security.acme = {

     

       57
       +
                 defaults = (dnsConfig nodes) // {

     

       58
       +
                   inherit group;

     

       59
       +
                 };

     

       60
       +
                 # One manual wildcard cert

     

       61
       +
                 certs."example.test" = {

     

       62
       +
                   domain = "*.example.test";

     

       63
       +
                 };

     

       64
       +
               };

     

       65
       +
       

     

       66
       +
               services."${server}" = {

     

       67
       +
                 enable = true;

     

       68
       +
                 virtualHosts = {

     

       69
       +
                   # Run-of-the-mill vhost using HTTP-01 validation

     

       70
       +
                   "${server}-http.example.test" = vhostBaseData // {

     

       71
       +
                     serverAliases = [ "${server}-http-alias.example.test" ];

     

       72
       +
                     enableACME = true;

     

       73
       +
                   };

     

       74
       +
       

     

       75
       +
                   # Another which inherits the DNS-01 config

     

       76
       +
                   "${server}-dns.example.test" = vhostBaseData // {

     

       77
       +
                     serverAliases = [ "${server}-dns-alias.example.test" ];

     

       78
       +
                     enableACME = true;

     

       79
       +
                     # Set acmeRoot to null instead of using the default of "/var/lib/acme/acme-challenge"

     

       80
       +
                     # webroot + dnsProvider are mutually exclusive.

     

       81
       +
                     acmeRoot = null;

     

       82
       +
                   };

     

       83
       +
       

     

       84
       +
                   # One using the wildcard certificate

     

       85
       +
                   "${server}-wildcard.example.test" = vhostBaseData // {

     

       86
       +
                     serverAliases = [ "${server}-wildcard-alias.example.test" ];

     

       87
       +
                     useACMEHost = "example.test";

     

       88
       +
                   };

     

       89
       +
                 };

     

       90
       +
               };

     

       91
       +
       

     

       92
       +
               # Used to determine if service reload was triggered

     

       93
       +
               systemd.targets."test-renew-${server}" = {

     

       94
       +
                 wants = [ "acme-${server}-http.example.test.service" ];

     

       95
       +
                 after = [ "acme-${server}-http.example.test.service" "${server}-config-reload.service" ];

     

       96
       +
               };

     

       97
       +
             }

     

       98
       +
             specialConfig

     

       99
       +
             extraConfig

     

       100
       +
           ];

     

       101
       +
         in {

     

       102
       +
           "${server}".configuration = { nodes, config, ... }: baseConfig {

     

       103
       +
             inherit nodes config;

     

       104
       +
           };

     

       105
       +
       

     

       106
       +
           # Test that server reloads when an alias is removed (and subsequently test removal works in acme)

     

       107
       +
           "${server}-remove-alias".configuration = { nodes, config, ... }: baseConfig {

     

       108
       +
             inherit nodes config;

     

       109
       +
             specialConfig = {

     

       110
       +
               # Remove an alias, but create a standalone vhost in its place for testing.

     

       111
       +
               # This configuration results in certificate errors as useACMEHost does not imply

     

       112
       +
               # append extraDomains, and thus we can validate the SAN is removed.

     

       113
       +
               services."${server}" = {

     

       114
       +
                 virtualHosts."${server}-http.example.test".serverAliases = lib.mkForce [];

     

       115
       +
                 virtualHosts."${server}-http-alias.example.test" = vhostBaseData // {

     

       116
       +
                   useACMEHost = "${server}-http.example.test";

     

       117
       +
                 };

     

       118
       +
               };

     

       119
       +
             };

     

       120
       +
           };

     

       121
       +
       

     

       122
       +
           # Test that the server reloads when only the acme configuration is changed.

     

       123
       +
           "${server}-change-acme-conf".configuration = { nodes, config, ... }: baseConfig {

     

       124
       +
             inherit nodes config;

     

       125
       +
             specialConfig = {

     

       126
       +
               security.acme.certs."${server}-http.example.test" = {

     

       127
       +
                 keyType = "ec384";

     

       128
       +
                 # Also test that postRun is exec'd as root

     

       129
       +
                 postRun = "id | grep root";

     

       130
       +
               };

     

       131
       +
             };

     

       132
       +
           };

     

       133
        
         };

     

       134
        
       

     

       135
       +
       in {

     

       136
        
         name = "acme";

     

       137
        
         meta.maintainers = lib.teams.acme.members;

     

       138
        
       

     

       139
        
         nodes = {

     

       140
        
           # The fake ACME server which will respond to client requests

     

       141
       +
           acme = { nodes, ... }: {

     

       142
        
             imports = [ ./common/acme/server ];

     

       143
        
             networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];

     

       144
        
           };

     

       145
        
       

     

       146
        
           # A fake DNS server which can be configured with records as desired

     

       147
        
           # Used to test DNS-01 challenge

     

       148
       +
           dnsserver = { nodes, ... }: {

     

       149
        
             networking.firewall.allowedTCPPorts = [ 8055 53 ];

     

       150
        
             networking.firewall.allowedUDPPorts = [ 53 ];

     

       151
        
             systemd.services.pebble-challtestsrv = {

     
···

       161
        
           };

     

       162
        
       

     

       163
        
           # A web server which will be the node requesting certs

     

       164
       +
           webserver = { nodes, config, ... }: {

     

       165
        
             imports = [ commonConfig ];

     

       166
        
             networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];

     

       167
        
             networking.firewall.allowedTCPPorts = [ 80 443 ];

     
···

       170
        
             environment.systemPackages = [ pkgs.openssl ];

     

       171
        
       

     

       172
        
             # Set log level to info so that we can see when the service is reloaded

     

       0
        
       
     

       173
        
             services.nginx.logError = "stderr info";

     

       174
        
       

     

       175
       +
             specialisation = {

     

       176
       +
               # First derivation used to test general ACME features

     

       177
       +
               general.configuration = { ... }: let

     

       178
       +
                 caDomain = nodes.acme.config.test-support.acme.caDomain;

     

       179
       +
                 email = config.security.acme.defaults.email;

     

       180
       +
                 # Exit 99 to make it easier to track if this is the reason a renew failed

     

       181
       +
                 accountCreateTester = ''

     

       182
       +
                   test -e accounts/${caDomain}/${email}/account.json || exit 99

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       183
        
                 '';

     

       184
       +
               in lib.mkMerge [

     

       185
       +
                 webserverBasicConfig

     

       186
       +
                 {

     

       187
       +
                   # Used to test that account creation is collated into one service.

     

       188
       +
                   # These should not run until after acme-finished-a.example.test.target

     

       189
       +
                   systemd.services."b.example.test".preStart = accountCreateTester;

     

       190
       +
                   systemd.services."c.example.test".preStart = accountCreateTester;

     

       191
        
       

     

       192
       +
                   services.nginx.virtualHosts."b.example.test" = vhostBase // {

     

       193
       +
                     enableACME = true;

     

       194
       +
                   };

     

       195
       +
                   services.nginx.virtualHosts."c.example.test" = vhostBase // {

     

       196
       +
                     enableACME = true;

     

       197
       +
                   };

     

       198
       +
                 }

     

       199
       +
               ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       200
        
       

     

       201
       +
               # Test OCSP Stapling

     

       202
       +
               ocsp-stapling.configuration = { ... }: lib.mkMerge [

     

       203
       +
                 webserverBasicConfig

     

       204
       +
                 {

     

       205
       +
                   security.acme.certs."a.example.test".ocspMustStaple = true;

     

       206
       +
                   services.nginx.virtualHosts."a.example.com" = {

     

       207
       +
                     extraConfig = ''

     

       208
       +
                       ssl_stapling on;

     

       209
       +
                       ssl_stapling_verify on;

     

       210
       +
                     '';

     

       211
       +
                   };

     

       212
       +
                 }

     

       213
       +
               ];

     

       214
        
       

     

       215
       +
               # Validate service relationships by adding a slow start service to nginx' wants.

     

       216
       +
               # Reproducer for https://github.com/NixOS/nixpkgs/issues/81842

     

       217
       +
               slow-startup.configuration = { ... }: lib.mkMerge [

     

       218
       +
                 webserverBasicConfig

     

       219
       +
                 {

     

       220
       +
                   systemd.services.my-slow-service = {

     

       221
       +
                     wantedBy = [ "multi-user.target" "nginx.service" ];

     

       222
       +
                     before = [ "nginx.service" ];

     

       223
       +
                     preStart = "sleep 5";

     

       224
       +
                     script = "${pkgs.python3}/bin/python -m http.server";

     

       225
       +
                   };

     

       226
        
       

     

       227
       +
                   services.nginx.virtualHosts."slow.example.com" = {

     

       228
       +
                     forceSSL = true;

     

       229
       +
                     enableACME = true;

     

       230
       +
                     locations."/".proxyPass = "http://localhost:8000";

     

       231
       +
                   };

     

       232
       +
                 }

     

       233
       +
               ];

     

       234
        
       

     

       235
       +
             # Test compatibility with Nginx

     

       236
       +
             } // (mkServerConfigs {

     

       237
       +
                 server = "nginx";

     

       238
       +
                 group = "nginx";

     

       239
       +
                 vhostBaseData = vhostBase;

     

       240
       +
               })

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       241
        
       

     

       242
       +
             # Test compatibility with Apache HTTPD

     

       243
       +
               // (mkServerConfigs {

     

       244
       +
                 server = "httpd";

     

       245
       +
                 group = "wwwrun";

     

       246
       +
                 vhostBaseData = vhostBaseHttpd;

     

       247
       +
                 extraConfig = {

     

       248
       +
                   services.httpd.adminAddr = config.security.acme.defaults.email;

     

       249
       +
                 };

     

       250
       +
               });

     

       251
        
           };

     

       252
        
       

     

       253
        
           # The client will be used to curl the webserver to validate configuration

     

       254
       +
           client = { nodes, ... }: {

     

       255
        
             imports = [ commonConfig ];

     

       256
        
             networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];

     

       257
        
       

     
···

       260
        
           };

     

       261
        
         };

     

       262
        
       

     

       263
       +
         testScript = { nodes, ... }:

     

       264
        
           let

     

       265
        
             caDomain = nodes.acme.config.test-support.acme.caDomain;

     

       266
        
             newServerSystem = nodes.webserver.config.system.build.toplevel;

     
···

       269
        
           # Note, wait_for_unit does not work for oneshot services that do not have RemainAfterExit=true,

     

       270
        
           # this is because a oneshot goes from inactive => activating => inactive, and never

     

       271
        
           # reaches the active state. Targets do not have this issue.

     

       0
        
       
     

       272
        
           ''

     

       273
        
             import time

     

       274
        
       

     

       275
        
       

     

       276
       +
             def switch_to(node, name):

     

       277
       +
                 # On first switch, this will create a symlink to the current system so that we can

     

       278
       +
                 # quickly switch between derivations

     

       279
       +
                 root_specs = "/tmp/specialisation"

     

       280
       +
                 node.execute(

     

       281
       +
                   f"test -e {root_specs}"

     

       282
       +
                   f" || ln -s $(readlink /run/current-system)/specialisation {root_specs}"

     

       283
       +
                 )

     

       284
        
       

     

       285
       +
                 switcher_path = f"/run/current-system/specialisation/{name}/bin/switch-to-configuration"

     

       286
       +
                 rc, _ = node.execute(f"test -e '{switcher_path}'")

     

       287
       +
                 if rc > 0:

     

       288
       +
                     switcher_path = f"/tmp/specialisation/{name}/bin/switch-to-configuration"

     

       289
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       290
        
                 node.succeed(

     

       291
       +
                     f"{switcher_path} test"

     

       292
        
                 )

     

       293
        
       

     

       294
        
       

     
···

       378
        
                     return download_ca_certs(node, retries - 1)

     

       379
        
       

     

       380
        
       

     

       381
       +
             start_all()

     

       0
        
       
     

       382
        
       

     

       383
        
             dnsserver.wait_for_unit("pebble-challtestsrv.service")

     

       384
        
             client.wait_for_unit("default.target")

     
···

       386
        
             client.succeed(

     

       387
        
                 'curl --data \'{"host": "${caDomain}", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${dnsServerIP nodes}:8055/add-a'

     

       388
        
             )

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       389
        
       

     

       390
        
             acme.wait_for_unit("network-online.target")

     

       391
        
             acme.wait_for_unit("pebble.service")

     

       392
        
       

     

       393
        
             download_ca_certs(client)

     

       394
        
       

     

       395
       +
             # Perform general tests first

     

       396
       +
             switch_to(webserver, "general")

     

       397
       +
       

     

       398
        
             with subtest("Can request certificate with HTTPS-01 challenge"):

     

       399
        
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       400
       +
                 check_fullchain(webserver, "a.example.test")

     

       401
       +
                 check_issuer(webserver, "a.example.test", "pebble")

     

       402
       +
                 webserver.wait_for_unit("nginx.service")

     

       403
       +
                 check_connection(client, "a.example.test")

     

       404
       +
       

     

       405
       +
             with subtest("Runs 1 cert for account creation before others"):

     

       406
       +
                 webserver.wait_for_unit("acme-finished-b.example.test.target")

     

       407
       +
                 webserver.wait_for_unit("acme-finished-c.example.test.target")

     

       408
       +
                 check_connection(client, "b.example.test")

     

       409
       +
                 check_connection(client, "c.example.test")

     

       410
        
       

     

       411
        
             with subtest("Certificates and accounts have safe + valid permissions"):

     

       412
       +
                 # Nginx will set the group appropriately when enableACME is used

     

       413
       +
                 group = "nginx"

     

       414
        
                 webserver.succeed(

     

       415
        
                     f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"

     

       416
        
                 )

     
···

       424
        
                     f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c '%a %U %G' {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"

     

       425
        
                 )

     

       426
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       427
        
             # Selfsigned certs tests happen late so we aren't fighting the system init triggering cert renewal

     

       428
        
             with subtest("Can generate valid selfsigned certs"):

     

       429
        
                 webserver.succeed("systemctl clean acme-a.example.test.service --what=state")

     
···

       437
        
                 # Will succeed if nginx can load the certs

     

       438
        
                 webserver.succeed("systemctl start nginx-config-reload.service")

     

       439
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       440
        
             with subtest("Correctly implements OCSP stapling"):

     

       441
        
                 switch_to(webserver, "ocsp-stapling")

     

       442
        
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       443
        
                 check_stapling(client, "a.example.test")

     

       444
        
       

     

       445
        
             with subtest("Can request certificate with HTTPS-01 when nginx startup is delayed"):

     

       446
       +
                 webserver.execute("systemctl stop nginx")

     

       447
        
                 switch_to(webserver, "slow-startup")

     

       448
        
                 webserver.wait_for_unit("acme-finished-slow.example.com.target")

     

       449
        
                 check_issuer(webserver, "slow.example.com", "pebble")

     

       450
       +
                 webserver.wait_for_unit("nginx.service")

     

       451
        
                 check_connection(client, "slow.example.com")

     

       452
        
       

     

       453
       +
             domains = ["http", "dns", "wildcard"]

     

       454
       +
             for server, logsrc in [

     

       455
       +
                 ("nginx", "journalctl -n 30 -u nginx.service"),

     

       456
       +
                 ("httpd", "tail -n 30 /var/log/httpd/*.log"),

     

       457
       +
             ]:

     

       458
       +
                 wait_for_server = lambda: webserver.wait_for_unit(f"{server}.service")

     

       459
       +
                 with subtest(f"Works with {server}"):

     

       460
       +
                     try:

     

       461
       +
                         switch_to(webserver, server)

     

       462
       +
                         # Skip wildcard domain for this check ([:-1])

     

       463
       +
                         for domain in domains[:-1]:

     

       464
       +
                             webserver.wait_for_unit(

     

       465
       +
                                 f"acme-finished-{server}-{domain}.example.test.target"

     

       466
       +
                             )

     

       467
       +
                     except Exception as err:

     

       468
       +
                         _, output = webserver.execute(

     

       469
       +
                             f"{logsrc} && ls -al /var/lib/acme/acme-challenge"

     

       470
       +
                         )

     

       471
       +
                         print(output)

     

       472
       +
                         raise err

     

       473
        
       

     

       474
       +
                     wait_for_server()

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       475
        
       

     

       476
       +
                     for domain in domains[:-1]:

     

       477
       +
                         check_issuer(webserver, f"{server}-{domain}.example.test", "pebble")

     

       478
       +
                     for domain in domains:

     

       479
       +
                         check_connection(client, f"{server}-{domain}.example.test")

     

       480
       +
                         check_connection(client, f"{server}-{domain}-alias.example.test")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       481
        
       

     

       482
       +
                 test_domain = f"{server}-{domains[0]}.example.test"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       483
        
       

     

       484
       +
                 with subtest(f"Can reload {server} when timer triggers renewal"):

     

       485
       +
                     # Switch to selfsigned first

     

       486
       +
                     webserver.succeed(f"systemctl clean acme-{test_domain}.service --what=state")

     

       487
       +
                     webserver.succeed(f"systemctl start acme-selfsigned-{test_domain}.service")

     

       488
       +
                     check_issuer(webserver, test_domain, "minica")

     

       489
       +
                     webserver.succeed(f"systemctl start {server}-config-reload.service")

     

       490
       +
                     webserver.succeed(f"systemctl start test-renew-{server}.target")

     

       491
       +
                     check_issuer(webserver, test_domain, "pebble")

     

       492
       +
                     check_connection(client, test_domain)

     

       493
       +
       

     

       494
       +
                 with subtest("Can remove an alias from a domain + cert is updated"):

     

       495
       +
                     test_alias = f"{server}-{domains[0]}-alias.example.test"

     

       496
       +
                     switch_to(webserver, f"{server}-remove-alias")

     

       497
       +
                     webserver.wait_for_unit(f"acme-finished-{test_domain}.target")

     

       498
       +
                     wait_for_server()

     

       499
       +
                     check_connection(client, test_domain)

     

       500
       +
                     rc, _ = client.execute(

     

       501
       +
                         f"openssl s_client -CAfile /tmp/ca.crt -connect {test_alias}:443"

     

       502
       +
                         " </dev/null 2>/dev/null | openssl x509 -noout -text"

     

       503
       +
                         f" | grep DNS: | grep {test_alias}"

     

       504
       +
                     )

     

       505
       +
                     assert rc > 0, "Removed extraDomainName was not removed from the cert"

     

       506
       +
       

     

       507
       +
                 with subtest("security.acme changes reflect on web server"):

     

       508
       +
                     # Switch back to normal server config first, reset everything.

     

       509
       +
                     switch_to(webserver, server)

     

       510
       +
                     wait_for_server()

     

       511
       +
                     switch_to(webserver, f"{server}-change-acme-conf")

     

       512
       +
                     webserver.wait_for_unit(f"acme-finished-{test_domain}.target")

     

       513
       +
                     wait_for_server()

     

       514
       +
                     check_connection_key_bits(client, test_domain, "384")

     

       515
        
           '';

     

       516
        
       })

+4 -2

nixos/tests/common/acme/client/default.nix

···

       5
        
       

     

       6
        
       in {

     

       7
        
         security.acme = {

     

       8
       -
           server = "https://${caDomain}/dir";

     

       9
       -
           email = "hostmaster@example.test";

     

       10
        
           acceptTerms = true;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       11
        
         };

     

       12
        
       

     

       13
        
         security.pki.certificateFiles = [ caCert ];

···

       5
        
       

     

       6
        
       in {

     

       7
        
         security.acme = {

     

       0
        
       
     

       0
        
       
     

       8
        
           acceptTerms = true;

     

       9
       +
           defaults = {

     

       10
       +
             server = "https://${caDomain}/dir";

     

       11
       +
             email = "hostmaster@example.test";

     

       12
       +
           };

     

       13
        
         };

     

       14
        
       

     

       15
        
         security.pki.certificateFiles = [ caCert ];

nixos/tests/common/acme/server/default.nix

···

       120
        
               enable = true;

     

       121
        
               description = "Pebble ACME server";

     

       122
        
               wantedBy = [ "network.target" ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       123
        
       

     

       124
        
               serviceConfig = {

     

       125
        
                 RuntimeDirectory = "pebble";

···

       120
        
               enable = true;

     

       121
        
               description = "Pebble ACME server";

     

       122
        
               wantedBy = [ "network.target" ];

     

       123
       +
               environment = {

     

       124
       +
                 # We're not testing lego, we're just testing our configuration.

     

       125
       +
                 # No need to sleep.

     

       126
       +
                 PEBBLE_VA_NOSLEEP = "1";

     

       127
       +
               };

     

       128
        
       

     

       129
        
               serviceConfig = {

     

       130
        
                 RuntimeDirectory = "pebble";