nixos/acme: ensure web servers using certs can access them

This commit is contained in:
Winter
2022-01-08 15:05:34 -05:00
parent 85a078a25d
commit b52607f43b
8 changed files with 36 additions and 13 deletions


@@ -226,7 +226,7 @@
./programs/zsh/zsh-autosuggestions.nix ./programs/zsh/zsh-autosuggestions.nix
./programs/zsh/zsh-syntax-highlighting.nix ./programs/zsh/zsh-syntax-highlighting.nix
./rename.nix ./rename.nix
./security/acme.nix ./security/acme
./security/apparmor.nix ./security/apparmor.nix
./security/audit.nix ./security/audit.nix
./security/auditd.nix ./security/auditd.nix


@@ -916,6 +916,6 @@ in {
meta = { meta = {
maintainers = lib.teams.acme.members; maintainers = lib.teams.acme.members;
doc = ./acme.xml; doc = ./doc.xml;
}; };
} }


@@ -0,0 +1,4 @@
{ cert, group, groups, user }: {
assertion = cert.group == group || builtins.any (u: u == user) groups.${cert.group}.members;
message = "Group for certificate ${cert.domain} must be ${group}, or user ${user} must be a member of group ${cert.group}";
}
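Review bot: `groups.${cert.group}.members` on the assertion line aborts evaluation with an attribute-missing error whenever `cert.group` names a group that is not declared under `users.groups` (a group created outside the module system, or a typo), so the message built on the next line is never shown; `assertion = cert.group == group || builtins.any (u: u == user) (groups.${cert.group}.members or []);` turns that case into the intended assertion failure. The check reads only `members`, so a server user placed in the cert group via `users.users.<name>.extraGroups` is only accepted if the users-groups module folds extraGroups into `members` at evaluation time — the test change in this commit appears to rely on that, and it deserves a one-line comment here so the dependency is explicit. A header comment stating the contract would also help readers of the three call sites, e.g. `# Returns an assertion that the web server (user/group) can read the certificate: either the cert is owned by the server's group, or the server user is a member of the cert's group.` The rendered page has dropped the indentation of the two attribute lines; presumably they are indented in the file.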


@@ -370,6 +370,8 @@ let
cat ${php.phpIni} > $out cat ${php.phpIni} > $out
echo "$options" >> $out echo "$options" >> $out
''; '';
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
in in
@@ -657,7 +659,11 @@ in
`services.httpd.virtualHosts.<name>.useACMEHost` are mutually exclusive. `services.httpd.virtualHosts.<name>.useACMEHost` are mutually exclusive.
''; '';
} }
]; ] ++ map (name: mkCertOwnershipAssertion {
inherit (cfg) group user;
cert = config.security.acme.certs.${name};
groups = config.users.groups;
}) dependentCertNames;
warnings = warnings =
mapAttrsToList (name: hostOpts: '' mapAttrsToList (name: hostOpts: ''
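Review bot: In the appended `map`, `cert = config.security.acme.certs.${name}` throws an attribute-missing evaluation error as soon as the assertion forces `cert.group` for a vhost whose `useACMEHost` names a certificate that is not declared in `security.acme.certs`, and that error aborts the whole assertion scan instead of producing a readable message (unless an assertion earlier in this list, outside the hunk, already rejects undeclared names — none is visible here). A one-line guard keeps the failure understandable: `cert = config.security.acme.certs.${name} or (throw "services.httpd: useACMEHost '${name}' does not name a certificate declared in security.acme.certs");`. The same five-line block appears verbatim in the caddy and nginx hunks of this commit, with the same issue; having the helper take the name list and `config` itself (one call per module) would keep the three call sites from drifting apart. `dependentCertNames` and the surrounding attribute set are defined outside this hunk.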


@@ -38,6 +38,10 @@ let
''; '';
in in
if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform then Caddyfile-formatted else Caddyfile; if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform then Caddyfile-formatted else Caddyfile;
acmeHosts = unique (catAttrs "useACMEHost" acmeVHosts);
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
in in
{ {
imports = [ imports = [
@@ -266,7 +270,11 @@ in
{ assertion = cfg.adapter != "caddyfile" -> cfg.configFile != configFile; { assertion = cfg.adapter != "caddyfile" -> cfg.configFile != configFile;
message = "Any value other than 'caddyfile' is only valid when providing your own `services.caddy.configFile`"; message = "Any value other than 'caddyfile' is only valid when providing your own `services.caddy.configFile`";
} }
]; ] ++ map (name: mkCertOwnershipAssertion {
inherit (cfg) group user;
cert = config.security.acme.certs.${name};
groups = config.users.groups;
}) acmeHosts;
services.caddy.extraConfig = concatMapStringsSep "\n" mkVHostConf virtualHosts; services.caddy.extraConfig = concatMapStringsSep "\n" mkVHostConf virtualHosts;
services.caddy.globalConfig = '' services.caddy.globalConfig = ''
@@ -323,8 +331,7 @@ in
security.acme.certs = security.acme.certs =
let let
eachACMEHost = unique (catAttrs "useACMEHost" acmeVHosts); reloads = map (useACMEHost: nameValuePair useACMEHost { reloadServices = [ "caddy.service" ]; }) acmeHosts;
reloads = map (useACMEHost: nameValuePair useACMEHost { reloadServices = [ "caddy.service" ]; }) eachACMEHost;
in in
listToAttrs reloads; listToAttrs reloads;


@@ -374,6 +374,8 @@ let
${user}:{PLAIN}${password} ${user}:{PLAIN}${password}
'') authDef) '') authDef)
); );
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
in in
{ {
@@ -842,7 +844,11 @@ in
services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive. services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive.
''; '';
} }
]; ] ++ map (name: mkCertOwnershipAssertion {
inherit (cfg) group user;
cert = config.security.acme.certs.${name};
groups = config.users.groups;
}) dependentCertNames;
systemd.services.nginx = { systemd.services.nginx = {
description = "Nginx Web Server"; description = "Nginx Web Server";


@@ -54,15 +54,15 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: let
baseConfig = { nodes, config, specialConfig ? {} }: lib.mkMerge [ baseConfig = { nodes, config, specialConfig ? {} }: lib.mkMerge [
{ {
security.acme = { security.acme = {
defaults = (dnsConfig nodes) // { defaults = (dnsConfig nodes);
inherit group;
};
# One manual wildcard cert # One manual wildcard cert
certs."example.test" = { certs."example.test" = {
domain = "*.example.test"; domain = "*.example.test";
}; };
}; };
users.users."${config.services."${server}".user}".extraGroups = ["acme"];
services."${server}" = { services."${server}" = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
@@ -252,15 +252,15 @@ in {
} // (let } // (let
baseCaddyConfig = { nodes, config, ... }: { baseCaddyConfig = { nodes, config, ... }: {
security.acme = { security.acme = {
defaults = (dnsConfig nodes) // { defaults = (dnsConfig nodes);
group = config.services.caddy.group;
};
# One manual wildcard cert # One manual wildcard cert
certs."example.test" = { certs."example.test" = {
domain = "*.example.test"; domain = "*.example.test";
}; };
}; };
users.users."${config.services.caddy.user}".extraGroups = ["acme"];
services.caddy = { services.caddy = {
enable = true; enable = true;
virtualHosts."a.exmaple.test" = { virtualHosts."a.exmaple.test" = {
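Review bot: Both hunks move the test from the cert-group branch of the new assertion (the removed `inherit group;` and `group = config.services.caddy.group;` defaults) to the group-membership branch via `extraGroups = ["acme"]`, so as far as these hunks show the `cert.group == group` path of mk-cert-ownership-assertion.nix is no longer exercised by the test; keeping one server type on each branch would cover both without adding a node. The membership branch passes only if `extraGroups` is reflected in `config.users.groups.acme.members` at evaluation time, which is worth stating next to each new line, e.g. `# Server user joins the acme group: exercises the membership branch of the cert ownership assertion`. `baseConfig` and `baseCaddyConfig` both continue past the end of their hunks.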