commit dc940ecdb313e47aa48788b7faf115dc7f5f3887 · pyrox.dev/nixpkgs

+10 -6

nixos/modules/security/acme.nix

···

       46
        
           serviceConfig = commonServiceConfig // {

     

       47
        
             StateDirectory = "acme/.minica";

     

       48
        
             BindPaths = "/var/lib/acme/.minica:/tmp/ca";

     

       0
        
       
     

       49
        
           };

     

       50
        
       

     

       51
        
           # Working directory will be /tmp

     
···

       54
        
               --ca-key ca/key.pem \

     

       55
        
               --ca-cert ca/cert.pem \

     

       56
        
               --domains selfsigned.local

     

       57
       -
       

     

       58
       -
             chmod 600 ca/*

     

       59
        
           '';

     

       60
        
         };

     

       61
        
       

     
···

       196
        
       

     

       197
        
             serviceConfig = commonServiceConfig // {

     

       198
        
               Group = data.group;

     

       0
        
       
     

       199
        
       

     

       200
        
               StateDirectory = "acme/${cert}";

     

       201
        
       

     
···

       220
        
               cat cert.pem chain.pem > fullchain.pem

     

       221
        
               cat key.pem fullchain.pem > full.pem

     

       222
        
       

     

       223
       -
               chmod 640 *

     

       224
       -
       

     

       225
        
               # Group might change between runs, re-apply it

     

       226
        
               chown 'acme:${data.group}' *

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       227
        
             '';

     

       228
        
           };

     

       229
        
       

     
···

       340
        
               fi

     

       341
        
       

     

       342
        
               mv domainhash.txt certificates/

     

       343
       -
               chmod 640 certificates/*

     

       344
       -
               chmod -R u=rwX,g=,o= accounts/*

     

       345
        
       

     

       346
        
               # Group might change between runs, re-apply it

     

       347
        
               chown 'acme:${data.group}' certificates/*

     
···

       357
        
                 ln -sf fullchain.pem out/cert.pem

     

       358
        
                 cat out/key.pem out/fullchain.pem > out/full.pem

     

       359
        
               fi

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       360
        
             '';

     

       361
        
           };

     

       362
        
         };

···

       46
        
           serviceConfig = commonServiceConfig // {

     

       47
        
             StateDirectory = "acme/.minica";

     

       48
        
             BindPaths = "/var/lib/acme/.minica:/tmp/ca";

     

       49
       +
             UMask = 0077;

     

       50
        
           };

     

       51
        
       

     

       52
        
           # Working directory will be /tmp

     
···

       55
        
               --ca-key ca/key.pem \

     

       56
        
               --ca-cert ca/cert.pem \

     

       57
        
               --domains selfsigned.local

     

       0
        
       
     

       0
        
       
     

       58
        
           '';

     

       59
        
         };

     

       60
        
       

     
···

       195
        
       

     

       196
        
             serviceConfig = commonServiceConfig // {

     

       197
        
               Group = data.group;

     

       198
       +
               UMask = 0027;

     

       199
        
       

     

       200
        
               StateDirectory = "acme/${cert}";

     

       201
        
       

     
···

       220
        
               cat cert.pem chain.pem > fullchain.pem

     

       221
        
               cat key.pem fullchain.pem > full.pem

     

       222
        
       

     

       0
        
       
     

       0
        
       
     

       223
        
               # Group might change between runs, re-apply it

     

       224
        
               chown 'acme:${data.group}' *

     

       225
       +
       

     

       226
       +
               # Default permissions make the files unreadable by group + anon

     

       227
       +
               # Need to be readable by group

     

       228
       +
               chmod 640 *

     

       229
        
             '';

     

       230
        
           };

     

       231
        
       

     
···

       342
        
               fi

     

       343
        
       

     

       344
        
               mv domainhash.txt certificates/

     

       0
        
       
     

       0
        
       
     

       345
        
       

     

       346
        
               # Group might change between runs, re-apply it

     

       347
        
               chown 'acme:${data.group}' certificates/*

     
···

       357
        
                 ln -sf fullchain.pem out/cert.pem

     

       358
        
                 cat out/key.pem out/fullchain.pem > out/full.pem

     

       359
        
               fi

     

       360
       +
       

     

       361
       +
               # By default group will have no access to the cert files.

     

       362
       +
               # This chmod will fix that.

     

       363
       +
               chmod 640 out/*

     

       364
        
             '';

     

       365
        
           };

     

       366
        
         };

+17 -7

nixos/tests/acme.nix

···

       330
        
       

     

       331
        
             with subtest("Can request certificate with HTTPS-01 challenge"):

     

       332
        
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       333
       -
                 check_fullchain(webserver, "a.example.test")

     

       334
       -
                 check_issuer(webserver, "a.example.test", "pebble")

     

       335
       -
                 check_connection(client, "a.example.test")

     

       336
        
       

     

       337
        
             with subtest("Certificates and accounts have safe + valid permissions"):

     

       338
        
                 group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}"

     

       339
        
                 webserver.succeed(

     

       340
       -
                     f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"

     

       341
        
                 )

     

       342
        
                 webserver.succeed(

     

       343
       -
                     f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/.lego/a.example.test/**/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"

     

       344
        
                 )

     

       345
        
                 webserver.succeed(

     

       346
       -
                     f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1"

     

       347
        
                 )

     

       348
        
                 webserver.succeed(

     

       349
       -
                     f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c \"%a %U %G\" {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"

     

       350
        
                 )

     

       351
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       352
        
             with subtest("Can generate valid selfsigned certs"):

     

       353
        
                 webserver.succeed("systemctl clean acme-a.example.test.service --what=state")

     

       354
        
                 webserver.succeed("systemctl start acme-selfsigned-a.example.test.service")

     

       355
        
                 check_fullchain(webserver, "a.example.test")

     

       356
        
                 check_issuer(webserver, "a.example.test", "minica")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       357
        
                 # Will succeed if nginx can load the certs

     

       358
        
                 webserver.succeed("systemctl start nginx-config-reload.service")

     

       359
        
       

     
···

       376
        
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       377
        
                 check_connection_key_bits(client, "a.example.test", "384")

     

       378
        
                 webserver.succeed("grep testing /var/lib/acme/a.example.test/test")

     

       0
        
       
     

       0
        
       
     

       379
        
       

     

       380
        
             with subtest("Correctly implements OCSP stapling"):

     

       381
        
                 switch_to(webserver, "ocsp-stapling")

···

       330
        
       

     

       331
        
             with subtest("Can request certificate with HTTPS-01 challenge"):

     

       332
        
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       333
        
       

     

       334
        
             with subtest("Certificates and accounts have safe + valid permissions"):

     

       335
        
                 group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}"

     

       336
        
                 webserver.succeed(

     

       337
       +
                     f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"

     

       338
        
                 )

     

       339
        
                 webserver.succeed(

     

       340
       +
                     f"test $(stat -L -c '%a %U %G' /var/lib/acme/.lego/a.example.test/**/a.example.test* | tee /dev/stderr | grep '600 acme {group}' | wc -l) -eq 4"

     

       341
        
                 )

     

       342
        
                 webserver.succeed(

     

       343
       +
                     f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1"

     

       344
        
                 )

     

       345
        
                 webserver.succeed(

     

       346
       +
                     f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c '%a %U %G' {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"

     

       347
        
                 )

     

       348
        
       

     

       349
       +
             with subtest("Certs are accepted by web server"):

     

       350
       +
                 webserver.succeed("systemctl start nginx.service")

     

       351
       +
                 check_fullchain(webserver, "a.example.test")

     

       352
       +
                 check_issuer(webserver, "a.example.test", "pebble")

     

       353
       +
                 check_connection(client, "a.example.test")

     

       354
       +
       

     

       355
       +
             # Selfsigned certs tests happen late so we aren't fighting the system init triggering cert renewal

     

       356
        
             with subtest("Can generate valid selfsigned certs"):

     

       357
        
                 webserver.succeed("systemctl clean acme-a.example.test.service --what=state")

     

       358
        
                 webserver.succeed("systemctl start acme-selfsigned-a.example.test.service")

     

       359
        
                 check_fullchain(webserver, "a.example.test")

     

       360
        
                 check_issuer(webserver, "a.example.test", "minica")

     

       361
       +
                 # Check selfsigned permissions

     

       362
       +
                 webserver.succeed(

     

       363
       +
                     f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"

     

       364
       +
                 )

     

       365
        
                 # Will succeed if nginx can load the certs

     

       366
        
                 webserver.succeed("systemctl start nginx-config-reload.service")

     

       367
        
       

     
···

       384
        
                 webserver.wait_for_unit("acme-finished-a.example.test.target")

     

       385
        
                 check_connection_key_bits(client, "a.example.test", "384")

     

       386
        
                 webserver.succeed("grep testing /var/lib/acme/a.example.test/test")

     

       387
       +
                 # Clean to remove the testing file (and anything else messy we did)

     

       388
       +
                 webserver.succeed("systemctl clean acme-a.example.test.service --what=state")

     

       389
        
       

     

       390
        
             with subtest("Correctly implements OCSP stapling"):

     

       391
        
                 switch_to(webserver, "ocsp-stapling")