diff options
Diffstat (limited to 'nixpkgs/nixos/modules/security/acme.nix')
-rw-r--r-- | nixpkgs/nixos/modules/security/acme.nix | 154 |
1 files changed, 36 insertions, 118 deletions
diff --git a/nixpkgs/nixos/modules/security/acme.nix b/nixpkgs/nixos/modules/security/acme.nix index 092704c6fc3f..feb54affbf83 100644 --- a/nixpkgs/nixos/modules/security/acme.nix +++ b/nixpkgs/nixos/modules/security/acme.nix @@ -80,25 +80,11 @@ let ''; }; - activationDelay = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Systemd time span expression to delay copying new certificates to main - state directory. See <citerefentry><refentrytitle>systemd.time</refentrytitle> - <manvolnum>7</manvolnum></citerefentry>. - ''; - }; - - preDelay = mkOption { - type = types.lines; - default = ""; - description = '' - Commands to run after certificates are re-issued but before they are - activated. Typically the new certificate is published to DNS. - - Executed in the same directory with the new certificate. - ''; + directory = mkOption { + type = types.str; + readOnly = true; + default = "/var/lib/acme/${name}"; + description = "Directory where certificate and other state is stored."; }; extraDomains = mkOption { @@ -126,13 +112,6 @@ in options = { security.acme = { - directory = mkOption { - default = "/var/lib/acme"; - type = types.str; - description = '' - Directory where certs and other state will be stored by default. - ''; - }; validMin = mkOption { type = types.int; @@ -181,7 +160,11 @@ in default = { }; type = with types; attrsOf (submodule certOpts); description = '' - Attribute set of certificates to get signed and renewed. + Attribute set of certificates to get signed and renewed. Creates + <literal>acme-''${cert}.{service,timer}</literal> systemd units for + each certificate defined here. Other services can add dependencies + to those units if they rely on the certificates being present, + or trigger restarts of the service if certificates get renewed. ''; example = literalExample '' { @@ -209,8 +192,7 @@ in servicesLists = mapAttrsToList certToServices cfg.certs; certToServices = cert: data: let - cpath = lpath + optionalString (data.activationDelay != null) ".staging"; - lpath = "${cfg.directory}/${cert}"; + lpath = "acme/${cert}"; rights = if data.allowKeysForGroup then "750" else "700"; cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin ] ++ optionals (data.email != null) [ "--email" data.email ] @@ -224,79 +206,27 @@ in serviceConfig = { Type = "oneshot"; SuccessExitStatus = [ "0" "1" ]; - PermissionsStartOnly = true; User = data.user; Group = data.group; PrivateTmp = true; + StateDirectory = lpath; + StateDirectoryMode = rights; + WorkingDirectory = "/var/lib/${lpath}"; + ExecStart = "${pkgs.simp_le}/bin/simp_le ${escapeShellArgs cmdline}"; + ExecStopPost = + let + script = pkgs.writeScript "acme-post-stop" '' + #!${pkgs.runtimeShell} -e + ${data.postRun} + ''; + in + "+${script}"; }; - path = with pkgs; [ simp_le systemd ]; - preStart = '' - mkdir -p '${cfg.directory}' - chown 'root:root' '${cfg.directory}' - chmod 755 '${cfg.directory}' - if [ ! -d '${cpath}' ]; then - mkdir '${cpath}' - fi - chmod ${rights} '${cpath}' - chown -R '${data.user}:${data.group}' '${cpath}' - mkdir -p '${data.webroot}/.well-known/acme-challenge' - chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' - ''; - script = '' - cd '${cpath}' - set +e - simp_le ${escapeShellArgs cmdline} - EXITCODE=$? - set -e - echo "$EXITCODE" > /tmp/lastExitCode - exit "$EXITCODE" - ''; - postStop = '' - cd '${cpath}' - - if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then - ${if data.activationDelay != null then '' - - ${data.preDelay} - - if [ -d '${lpath}' ]; then - systemd-run --no-block --on-active='${data.activationDelay}' --unit acme-setlive-${cert}.service - else - systemctl --wait start acme-setlive-${cert}.service - fi - '' else data.postRun} - - # noop ensuring that the "if" block is non-empty even if - # activationDelay == null and postRun == "" - true - fi - ''; - - before = [ "acme-certificates.target" ]; - wantedBy = [ "acme-certificates.target" ]; - }; - delayService = { - description = "Set certificate for ${cert} live"; - path = with pkgs; [ rsync ]; - serviceConfig = { - Type = "oneshot"; - }; - script = '' - rsync -a --delete-after '${cpath}/' '${lpath}' - ''; - postStop = data.postRun; + }; selfsignedService = { description = "Create preliminary self-signed certificate for ${cert}"; path = [ pkgs.openssl ]; - preStart = '' - if [ ! -d '${cpath}' ] - then - mkdir -p '${cpath}' - chmod ${rights} '${cpath}' - chown '${data.user}:${data.group}' '${cpath}' - fi - ''; script = '' workdir="$(mktemp -d)" @@ -318,50 +248,41 @@ in -out $workdir/server.crt # Copy key to destination - cp $workdir/server.key ${cpath}/key.pem + cp $workdir/server.key /var/lib/${lpath}/key.pem # Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates) - cat $workdir/{server.crt,ca.crt} > "${cpath}/fullchain.pem" + cat $workdir/{server.crt,ca.crt} > "/var/lib/${lpath}/fullchain.pem" # Create full.pem for e.g. lighttpd - cat $workdir/{server.key,server.crt,ca.crt} > "${cpath}/full.pem" + cat $workdir/{server.key,server.crt,ca.crt} > "/var/lib/${lpath}/full.pem" # Give key acme permissions - chown '${data.user}:${data.group}' "${cpath}/"{key,fullchain,full}.pem - chmod ${rights} "${cpath}/"{key,fullchain,full}.pem + chown '${data.user}:${data.group}' "/var/lib/${lpath}/"{key,fullchain,full}.pem + chmod ${rights} "/var/lib/${lpath}/"{key,fullchain,full}.pem ''; serviceConfig = { Type = "oneshot"; - PermissionsStartOnly = true; PrivateTmp = true; + StateDirectory = lpath; User = data.user; Group = data.group; }; unitConfig = { # Do not create self-signed key when key already exists - ConditionPathExists = "!${cpath}/key.pem"; + ConditionPathExists = "!/var/lib/${lpath}/key.pem"; }; - before = [ - "acme-selfsigned-certificates.target" - ]; - wantedBy = [ - "acme-selfsigned-certificates.target" - ]; }; in ( [ { name = "acme-${cert}"; value = acmeService; } ] ++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; } - ++ optional (data.activationDelay != null) { name = "acme-setlive-${cert}"; value = delayService; } ); servicesAttr = listToAttrs services; - injectServiceDep = { - after = [ "acme-selfsigned-certificates.target" ]; - wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ]; - }; in - servicesAttr // - (if config.services.nginx.enable then { nginx = injectServiceDep; } else {}) // - (if config.services.lighttpd.enable then { lighttpd = injectServiceDep; } else {}); + servicesAttr; + + systemd.tmpfiles.rules = + flip mapAttrsToList cfg.certs + (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}"); systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair ("acme-${cert}") @@ -377,9 +298,6 @@ in }; }) ); - - systemd.targets."acme-selfsigned-certificates" = mkIf cfg.preliminarySelfsigned {}; - systemd.targets."acme-certificates" = {}; }) ]; |