dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

nixos/acme: ensure web servers using certs can access them

Browse Source
This commit is contained in:
Winter 2022-01-08 15:05:34 -05:00
parent 85a078a25d
commit b52607f43b
8 changed files with 36 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/modules/module-list.nix
View File

@ -226,7 +226,7 @@
./programs/zsh/zsh-autosuggestions.nix
./programs/zsh/zsh-syntax-highlighting.nix
./rename.nix
./security/acme.nix
./security/acme
./security/apparmor.nix
./security/audit.nix
./security/auditd.nix

2
nixos/modules/security/acme.nix → nixos/modules/security/acme/default.nix
View File

@ -916,6 +916,6 @@ in {
meta = {
maintainers = lib.teams.acme.members;
doc = ./acme.xml;
doc = ./doc.xml;
};
}

0
nixos/modules/security/acme.xml → nixos/modules/security/acme/doc.xml
View File

4
nixos/modules/security/acme/mk-cert-ownership-assertion.nix Normal file
View File

@ -0,0 +1,4 @@
{ cert, group, groups, user }: {
assertion = cert.group == group || builtins.any (u: u == user) groups.${cert.group}.members;
message = "Group for certificate ${cert.domain} must be ${group}, or user ${user} must be a member of group ${cert.group}";
}

8
nixos/modules/services/web-servers/apache-httpd/default.nix
View File

@ -370,6 +370,8 @@ let
cat ${php.phpIni} > $out
echo "$options" >> $out
'';
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
in
@ -657,7 +659,11 @@ in
`services.httpd.virtualHosts.<name>.useACMEHost` are mutually exclusive.
'';
}
];
] ++ map (name: mkCertOwnershipAssertion {
inherit (cfg) group user;
cert = config.security.acme.certs.${name};
groups = config.users.groups;
}) dependentCertNames;
warnings =
mapAttrsToList (name: hostOpts: ''

13
nixos/modules/services/web-servers/caddy/default.nix
View File

@ -38,6 +38,10 @@ let
'';
in
if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform then Caddyfile-formatted else Caddyfile;
acmeHosts = unique (catAttrs "useACMEHost" acmeVHosts);
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
in
{
imports = [
@ -266,7 +270,11 @@ in
{ assertion = cfg.adapter != "caddyfile" -> cfg.configFile != configFile;
message = "Any value other than 'caddyfile' is only valid when providing your own `services.caddy.configFile`";
}
];
] ++ map (name: mkCertOwnershipAssertion {
inherit (cfg) group user;
cert = config.security.acme.certs.${name};
groups = config.users.groups;
}) acmeHosts;
services.caddy.extraConfig = concatMapStringsSep "\n" mkVHostConf virtualHosts;
services.caddy.globalConfig = ''
@ -323,8 +331,7 @@ in
security.acme.certs =
let
eachACMEHost = unique (catAttrs "useACMEHost" acmeVHosts);
reloads = map (useACMEHost: nameValuePair useACMEHost { reloadServices = [ "caddy.service" ]; }) eachACMEHost;
reloads = map (useACMEHost: nameValuePair useACMEHost { reloadServices = [ "caddy.service" ]; }) acmeHosts;
in
listToAttrs reloads;

8
nixos/modules/services/web-servers/nginx/default.nix
View File

@ -374,6 +374,8 @@ let
${user}:{PLAIN}${password}
'') authDef)
);
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
in
{
@ -842,7 +844,11 @@ in
services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive.
'';
}
];
] ++ map (name: mkCertOwnershipAssertion {
inherit (cfg) group user;
cert = config.security.acme.certs.${name};
groups = config.users.groups;
}) dependentCertNames;
systemd.services.nginx = {
description = "Nginx Web Server";

12
nixos/tests/acme.nix
View File

@ -54,15 +54,15 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: let
baseConfig = { nodes, config, specialConfig ? {} }: lib.mkMerge [
{
security.acme = {
defaults = (dnsConfig nodes) // {
inherit group;
};
defaults = (dnsConfig nodes);
# One manual wildcard cert
certs."example.test" = {
domain = "*.example.test";
};
};
users.users."${config.services."${server}".user}".extraGroups = ["acme"];
services."${server}" = {
enable = true;
virtualHosts = {
@ -252,15 +252,15 @@ in {
} // (let
baseCaddyConfig = { nodes, config, ... }: {
security.acme = {
defaults = (dnsConfig nodes) // {
group = config.services.caddy.group;
};
defaults = (dnsConfig nodes);
# One manual wildcard cert
certs."example.test" = {
domain = "*.example.test";
};
};
users.users."${config.services.caddy.user}".extraGroups = ["acme"];
services.caddy = {
enable = true;
virtualHosts."a.exmaple.test" = {