commit 4e6697dcb6baba9a96de5d60451bcd025833a1e8 · pyrox.dev/nixpkgs

+134 -46

nixos/modules/security/acme.nix

···

       114
       114
        
               '';

     

       115
       115
        
             };

     

       116
       116
        
       

     

       117
       117
       +
             preliminarySelfsigned = mkOption {

     

       118
       118
       +
               type = types.bool;

     

       119
       119
       +
               default = true;

     

       120
       120
       +
               description = ''

     

       121
       121
       +
                 Whether a preliminary self-signed certificate should be generated before

     

       122
       122
       +
                 doing ACME requests. This can be useful when certificates are required in

     

       123
       123
       +
                 a webserver, but ACME needs the webserver to make its requests.

     

       124
       124
       +
       

     

       125
       125
       +
                 With preliminary self-signed certificate the webserver can be started and

     

       126
       126
       +
                 can later reload the correct ACME certificates.

     

       127
       127
       +
               '';

     

       128
       128
       +
             };

     

       129
       129
       +
       

     

       117
       130
        
             certs = mkOption {

     

       118
       131
        
               default = { };

     

       119
       132
        
               type = types.loaOf types.optionSet;

     
···

       140
       153
        
         config = mkMerge [

     

       141
       154
        
           (mkIf (cfg.certs != { }) {

     

       142
       155
        
       

     

       143
       143
       -
             systemd.services = flip mapAttrs' cfg.certs (cert: data:

     

       144
       144
       -
               let

     

       145
       145
       -
                 cpath = "${cfg.directory}/${cert}";

     

       146
       146
       -
                 rights = if data.allowKeysForGroup then "750" else "700";

     

       147
       147
       -
                 cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]

     

       148
       148
       -
                           ++ optionals (data.email != null) [ "--email" data.email ]

     

       149
       149
       -
                           ++ concatMap (p: [ "-f" p ]) data.plugins

     

       150
       150
       -
                           ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);

     

       156
       156
       +
             systemd.services = let

     

       157
       157
       +
                 services = concatLists servicesLists;

     

       158
       158
       +
                 servicesLists = mapAttrsToList certToServices cfg.certs;

     

       159
       159
       +
                 certToServices = cert: data:

     

       160
       160
       +
                     let

     

       161
       161
       +
                       cpath = "${cfg.directory}/${cert}";

     

       162
       162
       +
                       rights = if data.allowKeysForGroup then "750" else "700";

     

       163
       163
       +
                       cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]

     

       164
       164
       +
                                 ++ optionals (data.email != null) [ "--email" data.email ]

     

       165
       165
       +
                                 ++ concatMap (p: [ "-f" p ]) data.plugins

     

       166
       166
       +
                                 ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);

     

       167
       167
       +
                       acmeService = {

     

       168
       168
       +
                         description = "Renew ACME Certificate for ${cert}";

     

       169
       169
       +
                         after = [ "network.target" ];

     

       170
       170
       +
                         serviceConfig = {

     

       171
       171
       +
                           Type = "oneshot";

     

       172
       172
       +
                           SuccessExitStatus = [ "0" "1" ];

     

       173
       173
       +
                           PermissionsStartOnly = true;

     

       174
       174
       +
                           User = data.user;

     

       175
       175
       +
                           Group = data.group;

     

       176
       176
       +
                           PrivateTmp = true;

     

       177
       177
       +
                         };

     

       178
       178
       +
                         path = [ pkgs.simp_le ];

     

       179
       179
       +
                         preStart = ''

     

       180
       180
       +
                           mkdir -p '${cfg.directory}'

     

       181
       181
       +
                           if [ ! -d '${cpath}' ]; then

     

       182
       182
       +
                             mkdir '${cpath}'

     

       183
       183
       +
                           fi

     

       184
       184
       +
                           chmod ${rights} '${cpath}'

     

       185
       185
       +
                           chown -R '${data.user}:${data.group}' '${cpath}'

     

       186
       186
       +
                         '';

     

       187
       187
       +
                         script = ''

     

       188
       188
       +
                           cd '${cpath}'

     

       189
       189
       +
                           set +e

     

       190
       190
       +
                           simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}

     

       191
       191
       +
                           EXITCODE=$?

     

       192
       192
       +
                           set -e

     

       193
       193
       +
                           echo "$EXITCODE" > /tmp/lastExitCode

     

       194
       194
       +
                           exit "$EXITCODE"

     

       195
       195
       +
                         '';

     

       196
       196
       +
                         postStop = ''

     

       197
       197
       +
                           if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then

     

       198
       198
       +
                             echo "Executing postRun hook..."

     

       199
       199
       +
                             ${data.postRun}

     

       200
       200
       +
                           fi

     

       201
       201
       +
                         '';

     

       151
       202
        
       

     

       152
       152
       -
               in nameValuePair

     

       153
       153
       -
               ("acme-${cert}")

     

       154
       154
       -
               ({

     

       155
       155
       -
                 description = "Renew ACME Certificate for ${cert}";

     

       156
       156
       -
                 after = [ "network.target" ];

     

       157
       157
       -
                 serviceConfig = {

     

       158
       158
       -
                   Type = "oneshot";

     

       159
       159
       -
                   SuccessExitStatus = [ "0" "1" ];

     

       160
       160
       -
                   PermissionsStartOnly = true;

     

       161
       161
       -
                   User = data.user;

     

       162
       162
       -
                   Group = data.group;

     

       163
       163
       -
                   PrivateTmp = true;

     

       203
       203
       +
                         before = [ "acme-certificates.target" ];

     

       204
       204
       +
                         wantedBy = [ "acme-certificates.target" ];

     

       205
       205
       +
                       };

     

       206
       206
       +
                       selfsignedService = {

     

       207
       207
       +
                         description = "Create preliminary self-signed certificate for ${cert}";

     

       208
       208
       +
                         preStart = ''

     

       209
       209
       +
                             if [ ! -d '${cpath}' ]

     

       210
       210
       +
                             then

     

       211
       211
       +
                               mkdir -p '${cpath}'

     

       212
       212
       +
                               chmod ${rights} '${cpath}'

     

       213
       213
       +
                               chown '${data.user}:${data.group}' '${cpath}'

     

       214
       214
       +
                             fi

     

       215
       215
       +
                         '';

     

       216
       216
       +
                         script = 

     

       217
       217
       +
                           ''

     

       218
       218
       +
                             # Create self-signed key

     

       219
       219
       +
                             workdir="/run/acme-selfsigned-${cert}"

     

       220
       220
       +
                             ${pkgs.openssl.bin}/bin/openssl genrsa -des3 -passout pass:x -out $workdir/server.pass.key 2048

     

       221
       221
       +
                             ${pkgs.openssl.bin}/bin/openssl rsa -passin pass:x -in $workdir/server.pass.key -out $workdir/server.key

     

       222
       222
       +
                             ${pkgs.openssl.bin}/bin/openssl req -new -key $workdir/server.key -out $workdir/server.csr \

     

       223
       223
       +
                               -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"

     

       224
       224
       +
                             ${pkgs.openssl.bin}/bin/openssl x509 -req -days 1 -in $workdir/server.csr -signkey $workdir/server.key -out $workdir/server.crt

     

       225
       225
       +
       

     

       226
       226
       +
                             # Move key to destination

     

       227
       227
       +
                             mv $workdir/server.key ${cpath}/key.pem

     

       228
       228
       +
                             mv $workdir/server.crt ${cpath}/fullchain.pem

     

       229
       229
       +
       

     

       230
       230
       +
                             # Clean up working directory

     

       231
       231
       +
                             rm $workdir/server.csr

     

       232
       232
       +
                             rm $workdir/server.pass.key

     

       233
       233
       +
       

     

       234
       234
       +
                             # Give key acme permissions

     

       235
       235
       +
                             chmod ${rights} '${cpath}/key.pem'

     

       236
       236
       +
                             chown '${data.user}:${data.group}' '${cpath}/key.pem'

     

       237
       237
       +
                             chmod ${rights} '${cpath}/fullchain.pem'

     

       238
       238
       +
                             chown '${data.user}:${data.group}' '${cpath}/fullchain.pem'

     

       239
       239
       +
                           '';

     

       240
       240
       +
                         serviceConfig = {

     

       241
       241
       +
                           Type = "oneshot";

     

       242
       242
       +
                           RuntimeDirectory = "acme-selfsigned-${cert}";

     

       243
       243
       +
                           PermissionsStartOnly = true;

     

       244
       244
       +
                           User = data.user;

     

       245
       245
       +
                           Group = data.group;

     

       246
       246
       +
                         };

     

       247
       247
       +
                         unitConfig = {

     

       248
       248
       +
                           # Do not create self-signed key when key already exists

     

       249
       249
       +
                           ConditionPathExists = "!${cpath}/key.pem";

     

       250
       250
       +
                         };

     

       251
       251
       +
                         before = [

     

       252
       252
       +
                           "acme-selfsigned-certificates.target"

     

       253
       253
       +
                         ];

     

       254
       254
       +
                         wantedBy = [

     

       255
       255
       +
                           "acme-selfsigned-certificates.target"

     

       256
       256
       +
                         ];

     

       257
       257
       +
                       };

     

       258
       258
       +
                     in (

     

       259
       259
       +
                       [ { name = "acme-${cert}"; value = acmeService; } ]

     

       260
       260
       +
                       ++

     

       261
       261
       +
                       (if cfg.preliminarySelfsigned

     

       262
       262
       +
                         then [ { name = "acme-selfsigned-${cert}"; value = selfsignedService; } ]

     

       263
       263
       +
                         else []

     

       264
       264
       +
                       )

     

       265
       265
       +
                     );

     

       266
       266
       +
                 servicesAttr = listToAttrs services;

     

       267
       267
       +
                 nginxAttr = {

     

       268
       268
       +
                   nginx = {

     

       269
       269
       +
                     after = [ "acme-selfsigned-certificates.target" ];

     

       270
       270
       +
                     wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];

     

       271
       271
       +
                   };

     

       164
       272
        
                 };

     

       165
       165
       -
                 path = [ pkgs.simp_le ];

     

       166
       166
       -
                 preStart = ''

     

       167
       167
       -
                   mkdir -p '${cfg.directory}'

     

       168
       168
       -
                   if [ ! -d '${cpath}' ]; then

     

       169
       169
       -
                     mkdir '${cpath}'

     

       170
       170
       -
                   fi

     

       171
       171
       -
                   chmod ${rights} '${cpath}'

     

       172
       172
       -
                   chown -R '${data.user}:${data.group}' '${cpath}'

     

       173
       173
       -
                 '';

     

       174
       174
       -
                 script = ''

     

       175
       175
       -
                   cd '${cpath}'

     

       176
       176
       -
                   set +e

     

       177
       177
       -
                   simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}

     

       178
       178
       -
                   EXITCODE=$?

     

       179
       179
       -
                   set -e

     

       180
       180
       -
                   echo "$EXITCODE" > /tmp/lastExitCode

     

       181
       181
       -
                   exit "$EXITCODE"

     

       182
       182
       -
                 '';

     

       183
       183
       -
                 postStop = ''

     

       184
       184
       -
                   if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then

     

       185
       185
       -
                     echo "Executing postRun hook..."

     

       186
       186
       -
                     ${data.postRun}

     

       187
       187
       -
                   fi

     

       188
       188
       -
                 '';

     

       189
       189
       -
               })

     

       190
       190
       -
             );

     

       273
       273
       +
               in

     

       274
       274
       +
                 servicesAttr //

     

       275
       275
       +
                 (if config.services.nginx.enable then nginxAttr else {});

     

       191
       276
        
       

     

       192
       277
        
             systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair

     

       193
       278
        
               ("acme-${cert}")

     
···

       200
       285
        
                 };

     

       201
       286
        
               })

     

       202
       287
        
             );

     

       288
       288
       +
       

     

       289
       289
       +
             systemd.targets."acme-selfsigned-certificates" = mkIf cfg.preliminarySelfsigned {};

     

       290
       290
       +
             systemd.targets."acme-certificates" = {};

     

       203
       291
        
           })

     

       204
       292
        
       

     

       205
       293
        
           { meta.maintainers = with lib.maintainers; [ abbradar fpletz globin ];

+28

nixos/modules/security/acme.xml

···

       66
       66
        
       

     

       67
       67
        
       </section>

     

       68
       68
        
       

     

       69
       69
       +
       <section><title>Using ACME certificates in Nginx</title>

     

       70
       70
       +
       <para>In practice ACME is mostly used for retrieval and renewal of

     

       71
       71
       +
         certificates that will be used in a webserver like Nginx. A configuration for

     

       72
       72
       +
         Nginx that uses the certificates from ACME for

     

       73
       73
       +
         <literal>foo.example.com</literal> will look similar to:

     

       74
       74
       +
       </para>

     

       75
       75
       +
       

     

       76
       76
       +
       <programlisting>

     

       77
       77
       +
       services.nginx.httpConfig = ''

     

       78
       78
       +
         server {

     

       79
       79
       +
           server_name foo.example.com;

     

       80
       80
       +
           listen 443 ssl;

     

       81
       81
       +
           ssl_certificate     ${config.security.acme.directory}/foo.example.com/fullchain.pem;

     

       82
       82
       +
           ssl_certificate_key ${config.security.acme.directory}/foo.example.com/key.pem;

     

       83
       83
       +
           root /var/www/foo.example.com/;

     

       84
       84
       +
         }

     

       85
       85
       +
       '';

     

       86
       86
       +
       </programlisting>

     

       87
       87
       +
       

     

       88
       88
       +
       <para>Now Nginx will try to use the certificates that will be retrieved by ACME.

     

       89
       89
       +
         ACME needs Nginx (or any other webserver) to function and Nginx needs

     

       90
       90
       +
         the certificates to actually start. For this reason the ACME module

     

       91
       91
       +
         automatically generates self-signed certificates that will be used by Nginx to

     

       92
       92
       +
         start. After that Nginx is used by ACME to retrieve the actual ACME

     

       93
       93
       +
         certificates. <literal>security.acme.preliminarySelfsigned</literal> can be

     

       94
       94
       +
         used to control whether to generate the self-signed certificates.

     

       95
       95
       +
       </para>

     

       96
       96
       +
       </section>

     

       69
       97
        
       </chapter>