diff options
author | Arian van Putten <aeroboy94@gmail.com> | 2019-08-29 16:32:59 +0200 |
---|---|---|
committer | Florian Klink <flokli@flokli.de> | 2019-08-29 16:32:59 +0200 |
commit | 604b7c139f4d44d9fb0e84d812efdfcf5dda3448 (patch) | |
tree | 4f0ec5e29e1d35bc654708788a833e56eef35840 /nixos/modules/security/acme.nix | |
parent | 097ae482d42815d6698b9799218a7ecc3e998c64 (diff) | |
download | nixlib-604b7c139f4d44d9fb0e84d812efdfcf5dda3448.tar nixlib-604b7c139f4d44d9fb0e84d812efdfcf5dda3448.tar.gz nixlib-604b7c139f4d44d9fb0e84d812efdfcf5dda3448.tar.bz2 nixlib-604b7c139f4d44d9fb0e84d812efdfcf5dda3448.tar.lz nixlib-604b7c139f4d44d9fb0e84d812efdfcf5dda3448.tar.xz nixlib-604b7c139f4d44d9fb0e84d812efdfcf5dda3448.tar.zst nixlib-604b7c139f4d44d9fb0e84d812efdfcf5dda3448.zip |
Fix letsencrypt (#60219)
* nixos/acme: Fix ordering of cert requests When subsequent certificates would be added, they would not wake up nginx correctly due to target units only being triggered once. We now added more fine-grained systemd dependencies to make sure nginx always is aware of new certificates and doesn't restart too early resulting in a crash. Furthermore, the acme module has been refactored. Mostly to get rid of the deprecated PermissionStartOnly systemd options which were deprecated. Below is a summary of changes made. * Use SERVICE_RESULT to determine status This was added in systemd v232. we don't have to keep track of the EXITCODE ourselves anymore. * Add regression test for requesting mutliple domains * Deprecate 'directory' option We now use systemd's StateDirectory option to manage create and permissions of the acme state directory. * The webroot is created using a systemd.tmpfiles.rules rule instead of the preStart script. * Depend on certs directly By getting rid of the target units, we make sure ordering is correct in the case that you add new certs after already having deployed some. Reason it broke before: acme-certificates.target would be in active state, and if you then add a new cert, it would still be active and hence nginx would restart without even requesting a new cert. Not good! We make the dependencies more fine-grained now. this should fix that * Remove activationDelay option It complicated the code a lot, and is rather arbitrary. What if your activation script takes more than activationDelay seconds? Instead, one should use systemd dependencies to make sure some action happens before setting the certificate live. e.g. If you want to wait until your cert is published in DNS DANE / TLSA, you could create a unit that blocks until it appears in DNS: ``` RequiredBy=acme-${cert}.service After=acme-${cert}.service ExecStart=publish-wait-for-dns-script ```
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r-- | nixos/modules/security/acme.nix | 154 |
1 files changed, 36 insertions, 118 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 092704c6fc3f..feb54affbf83 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -80,25 +80,11 @@ let ''; }; - activationDelay = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Systemd time span expression to delay copying new certificates to main - state directory. See <citerefentry><refentrytitle>systemd.time</refentrytitle> - <manvolnum>7</manvolnum></citerefentry>. - ''; - }; - - preDelay = mkOption { - type = types.lines; - default = ""; - description = '' - Commands to run after certificates are re-issued but before they are - activated. Typically the new certificate is published to DNS. - - Executed in the same directory with the new certificate. - ''; + directory = mkOption { + type = types.str; + readOnly = true; + default = "/var/lib/acme/${name}"; + description = "Directory where certificate and other state is stored."; }; extraDomains = mkOption { @@ -126,13 +112,6 @@ in options = { security.acme = { - directory = mkOption { - default = "/var/lib/acme"; - type = types.str; - description = '' - Directory where certs and other state will be stored by default. - ''; - }; validMin = mkOption { type = types.int; @@ -181,7 +160,11 @@ in default = { }; type = with types; attrsOf (submodule certOpts); description = '' - Attribute set of certificates to get signed and renewed. + Attribute set of certificates to get signed and renewed. Creates + <literal>acme-''${cert}.{service,timer}</literal> systemd units for + each certificate defined here. Other services can add dependencies + to those units if they rely on the certificates being present, + or trigger restarts of the service if certificates get renewed. ''; example = literalExample '' { @@ -209,8 +192,7 @@ in servicesLists = mapAttrsToList certToServices cfg.certs; certToServices = cert: data: let - cpath = lpath + optionalString (data.activationDelay != null) ".staging"; - lpath = "${cfg.directory}/${cert}"; + lpath = "acme/${cert}"; rights = if data.allowKeysForGroup then "750" else "700"; cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin ] ++ optionals (data.email != null) [ "--email" data.email ] @@ -224,79 +206,27 @@ in serviceConfig = { Type = "oneshot"; SuccessExitStatus = [ "0" "1" ]; - PermissionsStartOnly = true; User = data.user; Group = data.group; PrivateTmp = true; + StateDirectory = lpath; + StateDirectoryMode = rights; + WorkingDirectory = "/var/lib/${lpath}"; + ExecStart = "${pkgs.simp_le}/bin/simp_le ${escapeShellArgs cmdline}"; + ExecStopPost = + let + script = pkgs.writeScript "acme-post-stop" '' + #!${pkgs.runtimeShell} -e + ${data.postRun} + ''; + in + "+${script}"; }; - path = with pkgs; [ simp_le systemd ]; - preStart = '' - mkdir -p '${cfg.directory}' - chown 'root:root' '${cfg.directory}' - chmod 755 '${cfg.directory}' - if [ ! -d '${cpath}' ]; then - mkdir '${cpath}' - fi - chmod ${rights} '${cpath}' - chown -R '${data.user}:${data.group}' '${cpath}' - mkdir -p '${data.webroot}/.well-known/acme-challenge' - chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' - ''; - script = '' - cd '${cpath}' - set +e - simp_le ${escapeShellArgs cmdline} - EXITCODE=$? - set -e - echo "$EXITCODE" > /tmp/lastExitCode - exit "$EXITCODE" - ''; - postStop = '' - cd '${cpath}' - - if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then - ${if data.activationDelay != null then '' - - ${data.preDelay} - - if [ -d '${lpath}' ]; then - systemd-run --no-block --on-active='${data.activationDelay}' --unit acme-setlive-${cert}.service - else - systemctl --wait start acme-setlive-${cert}.service - fi - '' else data.postRun} - - # noop ensuring that the "if" block is non-empty even if - # activationDelay == null and postRun == "" - true - fi - ''; - - before = [ "acme-certificates.target" ]; - wantedBy = [ "acme-certificates.target" ]; - }; - delayService = { - description = "Set certificate for ${cert} live"; - path = with pkgs; [ rsync ]; - serviceConfig = { - Type = "oneshot"; - }; - script = '' - rsync -a --delete-after '${cpath}/' '${lpath}' - ''; - postStop = data.postRun; + }; selfsignedService = { description = "Create preliminary self-signed certificate for ${cert}"; path = [ pkgs.openssl ]; - preStart = '' - if [ ! -d '${cpath}' ] - then - mkdir -p '${cpath}' - chmod ${rights} '${cpath}' - chown '${data.user}:${data.group}' '${cpath}' - fi - ''; script = '' workdir="$(mktemp -d)" @@ -318,50 +248,41 @@ in -out $workdir/server.crt # Copy key to destination - cp $workdir/server.key ${cpath}/key.pem + cp $workdir/server.key /var/lib/${lpath}/key.pem # Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates) - cat $workdir/{server.crt,ca.crt} > "${cpath}/fullchain.pem" + cat $workdir/{server.crt,ca.crt} > "/var/lib/${lpath}/fullchain.pem" # Create full.pem for e.g. lighttpd - cat $workdir/{server.key,server.crt,ca.crt} > "${cpath}/full.pem" + cat $workdir/{server.key,server.crt,ca.crt} > "/var/lib/${lpath}/full.pem" # Give key acme permissions - chown '${data.user}:${data.group}' "${cpath}/"{key,fullchain,full}.pem - chmod ${rights} "${cpath}/"{key,fullchain,full}.pem + chown '${data.user}:${data.group}' "/var/lib/${lpath}/"{key,fullchain,full}.pem + chmod ${rights} "/var/lib/${lpath}/"{key,fullchain,full}.pem ''; serviceConfig = { Type = "oneshot"; - PermissionsStartOnly = true; PrivateTmp = true; + StateDirectory = lpath; User = data.user; Group = data.group; }; unitConfig = { # Do not create self-signed key when key already exists - ConditionPathExists = "!${cpath}/key.pem"; + ConditionPathExists = "!/var/lib/${lpath}/key.pem"; }; - before = [ - "acme-selfsigned-certificates.target" - ]; - wantedBy = [ - "acme-selfsigned-certificates.target" - ]; }; in ( [ { name = "acme-${cert}"; value = acmeService; } ] ++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; } - ++ optional (data.activationDelay != null) { name = "acme-setlive-${cert}"; value = delayService; } ); servicesAttr = listToAttrs services; - injectServiceDep = { - after = [ "acme-selfsigned-certificates.target" ]; - wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ]; - }; in - servicesAttr // - (if config.services.nginx.enable then { nginx = injectServiceDep; } else {}) // - (if config.services.lighttpd.enable then { lighttpd = injectServiceDep; } else {}); + servicesAttr; + + systemd.tmpfiles.rules = + flip mapAttrsToList cfg.certs + (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}"); systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair ("acme-${cert}") @@ -377,9 +298,6 @@ in }; }) ); - - systemd.targets."acme-selfsigned-certificates" = mkIf cfg.preliminarySelfsigned {}; - systemd.targets."acme-certificates" = {}; }) ]; |