public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/simp_le: improve configuration options

Browse Source
This commit is contained in:
Nikolay Amiantov 2015-12-08 21:09:19 +03:00 committed by Franz Pletz
parent adc693f982
commit 6906baae5c
1 changed files with 77 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
nixos/modules/services/security/simp_le.nix
View File

@ -9,9 +9,14 @@ let
certOpts = { ... }: { certOpts = { ... }: {
options = { options = {
webroot = mkOption { webroot = mkOption {
type = types.nullOr types.str; type = types.str;
default = null; description = ''
description = "Where the webroot of the HTTP vhost is located."; Where the webroot of the HTTP vhost is located.
<filename>.well-known/acme-challenge/</filename> directory
will be created automatically if it doesn't exist.
<literal>http://example.org/.well-known/acme-challenge/</literal> must also
be available (notice unencrypted HTTP).
'';
}; };
validMin = mkOption { validMin = mkOption {
@ -32,20 +37,53 @@ let
description = "Contact email address for the CA to be able to reach you."; description = "Contact email address for the CA to be able to reach you.";
}; };
user = mkOption {
type = types.str;
default = "root";
description = "User under which simp_le would run.";
};
group = mkOption {
type = types.str;
default = "root";
description = "Group under which simp_le would run.";
};
postRun = mkOption {
type = types.lines;
default = "";
example = "systemctl reload nginx.service";
description = ''
Commands to run after certificates are re-issued. Typically
the web server and other servers using certificates need to
be reloaded.
'';
};
plugins = mkOption { plugins = mkOption {
type = types.listOf (types.enum [ type = types.listOf (types.enum [
"cert.der" "cert.pem" "chain.der" "chain.pem" "external_pem.sh" "cert.der" "cert.pem" "chain.der" "chain.pem" "external_pem.sh"
"fullchain.der" "fullchain.pem" "key.der" "key.pem" "fullchain.der" "fullchain.pem" "key.der" "key.pem" "account_key.json"
]); ]);
default = [ "fullchain.pem" "key.pem" ]; default = [ "fullchain.pem" "key.pem" "account_key.json" ];
description = "Plugins to enable."; description = ''
Plugins to enable. With default settings simp_le will
store public certificate bundle in <filename>fullchain.pem</filename>
and private key in <filename>key.pem</filename> in its state directory.
'';
}; };
extraDomains = mkOption { extraDomains = mkOption {
default = [ ]; type = types.attrsOf (types.nullOr types.str);
type = types.listOf types.str; default = {};
description = "More domains to include in the certificate."; example = {
example = [ "example.com" "foo.example.com:/var/www/foo" ]; "example.org" = "/srv/http/nginx";
"mydomain.org" = null;
};
description = ''
Extra domain names for which certificates are to be issued, with their
own server roots if needed.
'';
}; };
}; };
}; };
@ -62,7 +100,7 @@ in
default = "/etc/ssl"; default = "/etc/ssl";
type = types.str; type = types.str;
description = '' description = ''
Directory where certs will be stored by default. Directory where certs and other state will be stored by default.
''; '';
}; };
@ -74,10 +112,10 @@ in
''; '';
options = [ certOpts ]; options = [ certOpts ];
example = { example = {
"foo.example.com" = { "example.com" = {
webroot = "/var/www/challenges/"; webroot = "/var/www/challenges/";
email = "foo@example.com"; email = "foo@example.com";
extraDomains = [ "www.example.com" "example.com" ]; extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; };
}; };
"bar.example.com" = { "bar.example.com" = {
webroot = "/var/www/challenges/"; webroot = "/var/www/challenges/";
@ -91,27 +129,42 @@ in
###### implementation ###### implementation
config = mkIf (cfg.certs != { }) { config = mkIf (cfg.certs != { }) {
systemd.services = flip mapAttrs' cfg.certs (cert: data: nameValuePair systemd.services = flip mapAttrs' cfg.certs (cert: data:
let
cpath = "${cfg.directory}/${cert}";
cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" data.validMin ]
++ optionals (data.email != null) [ "--email" data.email ]
++ concatMap (p: [ "-f" p ]) data.plugins
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
in nameValuePair
("simp_le-${cert}") ("simp_le-${cert}")
({ ({
description = "simp_le cert renewal for ${cert}"; description = "simp_le cert renewal for ${cert}";
after = [ "network.target" ]; after = [ "network.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
SuccessExitStatus = "0 1"; SuccessExitStatus = [ "0" "1" ];
}; };
path = [ pkgs.simp_le pkgs.sudo ];
preStart = '' preStart = ''
mkdir -p "${cfg.directory}/${cert}" mkdir -p '${cfg.directory}'
if [ ! -d '${cpath}' ]; then
mkdir -m 700 '${cpath}'
chown '${data.user}:${data.group}' '${cpath}'
fi
''; '';
script = '' script = ''
WEBROOT="${optionalString (data.webroot == null) data.webroot}" cd '${cpath}'
cd "${cfg.directory}/${cert}" set +e
${pkgs.simp_le}/bin/simp_le -v \ sudo -u '${data.user}' -- simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}
${concatMapStringsSep " " (p: "-f ${p}") data.plugins} \ EXITCODE=$?
-d ${cert} --default_root "$WEBROOT" \ set -e
${concatMapStringsSep " " (p: "-d ${p}") data.extraDomains} \ if [ "$EXITCODE" = "0" ]; then
${optionalString (data.email != null) "--email ${data.email}"} \ ${data.postRun}
--valid_min ${toString data.validMin} else
exit "$EXITCODE"
fi
''; '';
}) })
); );