JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ddf87fb1ba
nixpkgs/nixos/modules/security/acme.nix

465 lines
19 KiB
Nix
Raw Normal View History

simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
{ config, lib, pkgs, ... }:
with lib;
let
nixos/simp_le: Rename to security.acme
2015-12-11 16:42:17 +00:00
cfg = config.security.acme;
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
security.acme: default name value via module system (#34388)
2018-02-06 21:08:57 +00:00
certOpts = { name, ... }: {
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
options = {
webroot = mkOption {
nixos/acme: ignore tmpfiles rules for null webroots
2020-01-15 09:17:11 +00:00
type = types.nullOr types.str;
default = null;
security.acme: default name value via module system (#34388)
2018-02-06 21:08:57 +00:00
example = "/var/lib/acme/acme-challenges";
nixos/simp_le: improve configuration options
2015-12-08 18:09:19 +00:00
description = ''
Where the webroot of the HTTP vhost is located.
<filename>.well-known/acme-challenge/</filename> directory
nixos/acme: improve documentation * Use literalExample for better readability * Clarify a bit wrt. 'webroot' and 'allowKeysForGroup'
2017-06-08 07:46:40 +01:00
will be created below the webroot if it doesn't exist.
nixos/simp_le: improve configuration options
2015-12-08 18:09:19 +00:00
<literal>http://example.org/.well-known/acme-challenge/</literal> must also
be available (notice unencrypted HTTP).
'';
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
};
nixos/modules/security/acme.nix: add server option Add a new option permitting to point certbot to an ACME Directory Resource URI other than Let's Encrypt production/staging one. In the meantime, we are deprecating the now useless Let's Encrypt production flag.
2019-10-25 23:40:51 +01:00
server = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
ACME Directory Resource URI. Defaults to let's encrypt
production endpoint,
https://acme-v02.api.letsencrypt.org/directory, if unset.
'';
};
acme: Add "domain" option to separate domain from name Fixes #24731.
2017-04-11 17:28:05 +01:00
domain = mkOption {
security.acme: default name value via module system (#34388)
2018-02-06 21:08:57 +00:00
type = types.str;
default = name;
acme: Add "domain" option to separate domain from name Fixes #24731.
2017-04-11 17:28:05 +01:00
description = "Domain to fetch certificate for (defaults to the entry name)";
};
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
email = mkOption {
type = types.nullOr types.str;
nixos/acme: simplify email resolve logic
2020-02-03 21:37:22 +00:00
default = cfg.email;
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
description = "Contact email address for the CA to be able to reach you.";
};
nixos/simp_le: improve configuration options
2015-12-08 18:09:19 +00:00
user = mkOption {
type = types.str;
default = "root";
nixos/simp_le: Rename to security.acme
2015-12-11 16:42:17 +00:00
description = "User running the ACME client.";
nixos/simp_le: improve configuration options
2015-12-08 18:09:19 +00:00
};
group = mkOption {
type = types.str;
default = "root";
nixos/simp_le: Rename to security.acme
2015-12-11 16:42:17 +00:00
description = "Group running the ACME client.";
nixos/simp_le: improve configuration options
2015-12-08 18:09:19 +00:00
};
nixos/acme: add allowKeysForGroup
2016-01-06 01:59:14 +00:00
allowKeysForGroup = mkOption {
type = types.bool;
default = false;
nixos/acme: improve documentation * Use literalExample for better readability * Clarify a bit wrt. 'webroot' and 'allowKeysForGroup'
2017-06-08 07:46:40 +01:00
description = ''
Give read permissions to the specified group
nixos/acme: Fix xml (#34683)
2018-02-06 23:27:28 +00:00
(<option>security.acme.cert.&lt;name&gt;.group</option>) to read SSL private certificates.
nixos/acme: improve documentation * Use literalExample for better readability * Clarify a bit wrt. 'webroot' and 'allowKeysForGroup'
2017-06-08 07:46:40 +01:00
'';
nixos/acme: add allowKeysForGroup
2016-01-06 01:59:14 +00:00
};
nixos/simp_le: improve configuration options
2015-12-08 18:09:19 +00:00
postRun = mkOption {
type = types.lines;
default = "";
example = "systemctl reload nginx.service";
description = ''
nixos/acme: Allow for time window between cert issue and activation
2017-11-19 15:41:28 +00:00
Commands to run after new certificates go live. Typically
nixos/simp_le: improve configuration options
2015-12-08 18:09:19 +00:00
the web server and other servers using certificates need to
be reloaded.
nixos/acme: Allow for time window between cert issue and activation
2017-11-19 15:41:28 +00:00
Executed in the same directory with the new certificate.
nixos/simp_le: improve configuration options
2015-12-08 18:09:19 +00:00
'';
};
Fix letsencrypt (#60219) * nixos/acme: Fix ordering of cert requests When subsequent certificates would be added, they would not wake up nginx correctly due to target units only being triggered once. We now added more fine-grained systemd dependencies to make sure nginx always is aware of new certificates and doesn't restart too early resulting in a crash. Furthermore, the acme module has been refactored. Mostly to get rid of the deprecated PermissionStartOnly systemd options which were deprecated. Below is a summary of changes made. * Use SERVICE_RESULT to determine status This was added in systemd v232. we don't have to keep track of the EXITCODE ourselves anymore. * Add regression test for requesting mutliple domains * Deprecate 'directory' option We now use systemd's StateDirectory option to manage create and permissions of the acme state directory. * The webroot is created using a systemd.tmpfiles.rules rule instead of the preStart script. * Depend on certs directly By getting rid of the target units, we make sure ordering is correct in the case that you add new certs after already having deployed some. Reason it broke before: acme-certificates.target would be in active state, and if you then add a new cert, it would still be active and hence nginx would restart without even requesting a new cert. Not good! We make the dependencies more fine-grained now. this should fix that * Remove activationDelay option It complicated the code a lot, and is rather arbitrary. What if your activation script takes more than activationDelay seconds? Instead, one should use systemd dependencies to make sure some action happens before setting the certificate live. e.g. If you want to wait until your cert is published in DNS DANE / TLSA, you could create a unit that blocks until it appears in DNS: ``` RequiredBy=acme-${cert}.service After=acme-${cert}.service ExecStart=publish-wait-for-dns-script ```
2019-08-29 15:32:59 +01:00
directory = mkOption {
type = types.str;
readOnly = true;
default = "/var/lib/acme/${name}";
description = "Directory where certificate and other state is stored.";
nixos/acme: Allow for time window between cert issue and activation
2017-11-19 15:41:28 +00:00
};
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
extraDomains = mkOption {
nixos/simp_le: improve configuration options
2015-12-08 18:09:19 +00:00
type = types.attrsOf (types.nullOr types.str);
default = {};
nixos/acme: improve documentation * Use literalExample for better readability * Clarify a bit wrt. 'webroot' and 'allowKeysForGroup'
2017-06-08 07:46:40 +01:00
example = literalExample ''
{
"example.org" = "/srv/http/nginx";
"mydomain.org" = null;
}
'';
nixos/simp_le: improve configuration options
2015-12-08 18:09:19 +00:00
description = ''
security.acme: default name value via module system (#34388)
2018-02-06 21:08:57 +00:00
A list of extra domain names, which are included in the one certificate to be issued, with their
nixos/simp_le: improve configuration options
2015-12-08 18:09:19 +00:00
own server roots if needed.
'';
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
};
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
nixos/acme: fix some descriptions, default acceptTerms to false
2020-01-19 18:24:04 +00:00
keyType = mkOption {
type = types.str;
default = "ec384";
description = ''
Key type to use for private keys.
For an up to date list of supported values check the --key-type option
at https://go-acme.github.io/lego/usage/cli/#usage.
'';
};
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
dnsProvider = mkOption {
type = types.nullOr types.str;
default = null;
nixos/acme: ignore tmpfiles rules for null webroots
2020-01-15 09:17:11 +00:00
example = "route53";
nixos/acme: fix some descriptions, default acceptTerms to false
2020-01-19 18:24:04 +00:00
description = ''
DNS Challenge provider. For a list of supported providers, see the "code"
field of the DNS providers listed at https://go-acme.github.io/lego/dns/.
'';
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
};
credentialsFile = mkOption {
nixos/acme: fix some descriptions, default acceptTerms to false
2020-01-19 18:24:04 +00:00
type = types.path;
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
description = ''
nixos/acme: fix some descriptions, default acceptTerms to false
2020-01-19 18:24:04 +00:00
Path to an EnvironmentFile for the cert's service containing any required and
optional environment variables for your selected dnsProvider.
To find out what values you need to set, consult the documentation at
https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider.
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
'';
example = "/var/src/secrets/example.org-route53-api-token";
};
dnsPropagationCheck = mkOption {
type = types.bool;
default = true;
description = ''
nixos/acme: fix some descriptions, default acceptTerms to false
2020-01-19 18:24:04 +00:00
Toggles lego DNS propagation check, which is used alongside DNS-01
challenge to ensure the DNS entries required are available.
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
'';
};
nixos/acme: add ocspMustStaple option
2020-02-23 01:51:19 +00:00
ocspMustStaple = mkOption {
type = types.bool;
default = false;
description = ''
Turns on the OCSP Must-Staple TLS extension.
Make sure you know what you're doing! See:
<itemizedlist>
<listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem>
<listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem>
</itemizedlist>
'';
};
nixos/acme: add extraLegoRenewFlags option
2020-02-23 02:02:44 +00:00
extraLegoRenewFlags = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Additional flags to pass to lego renew.
'';
};
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
};
};
in
{
###### interface
nixos/modules/security/acme.nix: add server option Add a new option permitting to point certbot to an ACME Directory Resource URI other than Let's Encrypt production/staging one. In the meantime, we are deprecating the now useless Let's Encrypt production flag.
2019-10-25 23:40:51 +01:00
imports = [
(mkRemovedOptionModule [ "security" "acme" "production" ] ''
Use security.acme.server to define your staging ACME server URL instead.
To use the let's encrypt staging server, use security.acme.server =
"https://acme-staging-v02.api.letsencrypt.org/directory".
''
)
nixos/treewide: Move rename.nix imports to their respective modules A centralized list for these renames is not good because: - It breaks disabledModules for modules that have a rename defined - Adding/removing renames for a module means having to find them in the central file - Merge conflicts due to multiple people editing the central file
2019-12-10 01:51:19 +00:00
(mkRemovedOptionModule [ "security" "acme" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")
(mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
(mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
(mkChangedOptionModule [ "security" "acme" "validMin"] [ "security" "acme" "validMinDays"] (config: config.security.acme.validMin / (24 * 3600)))
nixos/modules/security/acme.nix: add server option Add a new option permitting to point certbot to an ACME Directory Resource URI other than Let's Encrypt production/staging one. In the meantime, we are deprecating the now useless Let's Encrypt production flag.
2019-10-25 23:40:51 +01:00
];
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
options = {
nixos/simp_le: Rename to security.acme
2015-12-11 16:42:17 +00:00
security.acme = {
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
validMinDays = mkOption {
nixos/acme: validMin & renewInterval aren't cert-specific
2015-12-12 13:21:44 +00:00
type = types.int;
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
default = 30;
description = "Minimum remaining validity before renewal in days.";
};
email = mkOption {
type = types.nullOr types.str;
default = null;
description = "Contact email address for the CA to be able to reach you.";
nixos/acme: validMin & renewInterval aren't cert-specific
2015-12-12 13:21:44 +00:00
};
renewInterval = mkOption {
type = types.str;
nixos/acme: adjust renewal timer options The current weekly setting causes every NixOS server to try to renew its certificate at midnight on the dot on Monday. This contributes to the general problem of periodic load spikes for Let's Encrypt; NixOS is probably not a major contributor to that problem, but we can lead by example by picking good defaults here. The values here were chosen after consulting with @yuriks, an SRE at Let's Encrypt: * Randomize the time certificates are renewed within a 24 hour period. * Check for renewal every 24 hours, to ensure the certificate is always renewed before an expiry notice is sent out. * Increase the AccuracySec (thus lowering the accuracy(!)), so that systemd can coalesce the renewal with other timers being run. (You might be worried that this would defeat the purpose of the time skewing, but systemd is documented as avoiding this by picking a random time.)
2020-02-23 01:46:46 +00:00
default = "daily";
nixos/acme: validMin & renewInterval aren't cert-specific
2015-12-12 13:21:44 +00:00
description = ''
Systemd calendar expression when to check for renewal. See
<citerefentry><refentrytitle>systemd.time</refentrytitle>
nixos/treewide: systemd.time is in manvolume 7 cc #23396
2017-03-21 07:27:56 +00:00
<manvolnum>7</manvolnum></citerefentry>.
nixos/acme: validMin & renewInterval aren't cert-specific
2015-12-12 13:21:44 +00:00
'';
};
nixos/modules/security/acme.nix: add server option Add a new option permitting to point certbot to an ACME Directory Resource URI other than Let's Encrypt production/staging one. In the meantime, we are deprecating the now useless Let's Encrypt production flag.
2019-10-25 23:40:51 +01:00
server = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
ACME Directory Resource URI. Defaults to let's encrypt
production endpoint,
<literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset.
'';
};
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
preliminarySelfsigned = mkOption {
type = types.bool;
default = true;
description = ''
Whether a preliminary self-signed certificate should be generated before
doing ACME requests. This can be useful when certificates are required in
a webserver, but ACME needs the webserver to make its requests.
With preliminary self-signed certificate the webserver can be started and
can later reload the correct ACME certificates.
'';
};
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
acceptTerms = mkOption {
type = types.bool;
nixos/acme: fix some descriptions, default acceptTerms to false
2020-01-19 18:24:04 +00:00
default = false;
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
description = ''
nixos/acme: fix some descriptions, default acceptTerms to false
2020-01-19 18:24:04 +00:00
Accept the CA's terms of service. The default provier is Let's Encrypt,
you can find their ToS at https://letsencrypt.org/repository/
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
'';
};
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
certs = mkOption {
default = { };
acme module: certs option loaOf -> attrsOf
2016-11-16 07:28:27 +00:00
type = with types; attrsOf (submodule certOpts);
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
description = ''
Fix letsencrypt (#60219) * nixos/acme: Fix ordering of cert requests When subsequent certificates would be added, they would not wake up nginx correctly due to target units only being triggered once. We now added more fine-grained systemd dependencies to make sure nginx always is aware of new certificates and doesn't restart too early resulting in a crash. Furthermore, the acme module has been refactored. Mostly to get rid of the deprecated PermissionStartOnly systemd options which were deprecated. Below is a summary of changes made. * Use SERVICE_RESULT to determine status This was added in systemd v232. we don't have to keep track of the EXITCODE ourselves anymore. * Add regression test for requesting mutliple domains * Deprecate 'directory' option We now use systemd's StateDirectory option to manage create and permissions of the acme state directory. * The webroot is created using a systemd.tmpfiles.rules rule instead of the preStart script. * Depend on certs directly By getting rid of the target units, we make sure ordering is correct in the case that you add new certs after already having deployed some. Reason it broke before: acme-certificates.target would be in active state, and if you then add a new cert, it would still be active and hence nginx would restart without even requesting a new cert. Not good! We make the dependencies more fine-grained now. this should fix that * Remove activationDelay option It complicated the code a lot, and is rather arbitrary. What if your activation script takes more than activationDelay seconds? Instead, one should use systemd dependencies to make sure some action happens before setting the certificate live. e.g. If you want to wait until your cert is published in DNS DANE / TLSA, you could create a unit that blocks until it appears in DNS: ``` RequiredBy=acme-${cert}.service After=acme-${cert}.service ExecStart=publish-wait-for-dns-script ```
2019-08-29 15:32:59 +01:00
Attribute set of certificates to get signed and renewed. Creates
<literal>acme-''${cert}.{service,timer}</literal> systemd units for
each certificate defined here. Other services can add dependencies
to those units if they rely on the certificates being present,
or trigger restarts of the service if certificates get renewed.
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
'';
nixos/acme: improve documentation * Use literalExample for better readability * Clarify a bit wrt. 'webroot' and 'allowKeysForGroup'
2017-06-08 07:46:40 +01:00
example = literalExample ''
{
"example.com" = {
webroot = "/var/www/challenges/";
email = "foo@example.com";
extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; };
};
"bar.example.com" = {
webroot = "/var/www/challenges/";
email = "bar@example.com";
};
}
'';
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
};
};
};
###### implementation
nixos/acme: Add module documentation
2015-12-12 15:06:24 +00:00
config = mkMerge [
(mkIf (cfg.certs != { }) {
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
assertions = let
certs = (mapAttrsToList (k: v: v) cfg.certs);
in [
{
assertion = all (certOpts: certOpts.dnsProvider == null || certOpts.webroot == null) certs;
message = ''
Options `security.acme.certs.<name>.dnsProvider` and
`security.acme.certs.<name>.webroot` are mutually exclusive.
'';
}
{
assertion = cfg.email != null || all (certOpts: certOpts.email != null) certs;
message = ''
You must define `security.acme.certs.<name>.email` or
`security.acme.email` to register with the CA.
'';
}
nixos/acme: fix some descriptions, default acceptTerms to false
2020-01-19 18:24:04 +00:00
{
assertion = cfg.acceptTerms;
message = ''
You must accept the CA's terms of service before using
the ACME module by setting `security.acme.acceptTerms`
to `true`. For Let's Encrypt's ToS see https://letsencrypt.org/repository/
'';
}
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
];
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
systemd.services = let
services = concatLists servicesLists;
servicesLists = mapAttrsToList certToServices cfg.certs;
certToServices = cert: data:
let
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
# StateDirectory must be relative, and will be created under /var/lib by systemd
Fix letsencrypt (#60219) * nixos/acme: Fix ordering of cert requests When subsequent certificates would be added, they would not wake up nginx correctly due to target units only being triggered once. We now added more fine-grained systemd dependencies to make sure nginx always is aware of new certificates and doesn't restart too early resulting in a crash. Furthermore, the acme module has been refactored. Mostly to get rid of the deprecated PermissionStartOnly systemd options which were deprecated. Below is a summary of changes made. * Use SERVICE_RESULT to determine status This was added in systemd v232. we don't have to keep track of the EXITCODE ourselves anymore. * Add regression test for requesting mutliple domains * Deprecate 'directory' option We now use systemd's StateDirectory option to manage create and permissions of the acme state directory. * The webroot is created using a systemd.tmpfiles.rules rule instead of the preStart script. * Depend on certs directly By getting rid of the target units, we make sure ordering is correct in the case that you add new certs after already having deployed some. Reason it broke before: acme-certificates.target would be in active state, and if you then add a new cert, it would still be active and hence nginx would restart without even requesting a new cert. Not good! We make the dependencies more fine-grained now. this should fix that * Remove activationDelay option It complicated the code a lot, and is rather arbitrary. What if your activation script takes more than activationDelay seconds? Instead, one should use systemd dependencies to make sure some action happens before setting the certificate live. e.g. If you want to wait until your cert is published in DNS DANE / TLSA, you could create a unit that blocks until it appears in DNS: ``` RequiredBy=acme-${cert}.service After=acme-${cert}.service ExecStart=publish-wait-for-dns-script ```
2019-08-29 15:32:59 +01:00
lpath = "acme/${cert}";
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
apath = "/var/lib/${lpath}";
spath = "/var/lib/acme/.lego";
nixos/acme: apply chmod and ownership unconditionally Also separate directory and file permissions so the certificate files don't end up with the executable bit. Fixes #81335
2020-02-29 13:17:25 +00:00
fileMode = if data.allowKeysForGroup then "640" else "600";
nixos/acme: simplify email resolve logic
2020-02-03 21:37:22 +00:00
globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
nixos/acme: ignore tmpfiles rules for null webroots
2020-01-15 09:17:11 +00:00
++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" data.webroot ])
nixos/modules/security/acme.nix: add server option Add a new option permitting to point certbot to an ACME Directory Resource URI other than Let's Encrypt production/staging one. In the meantime, we are deprecating the now useless Let's Encrypt production flag.
2019-10-25 23:40:51 +01:00
++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
nixos/acme: add ocspMustStaple option
2020-02-23 01:51:19 +00:00
certOpts = optionals data.ocspMustStaple [ "--must-staple" ];
runOpts = escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts);
renewOpts = escapeShellArgs (globalOpts ++
[ "renew" "--days" (toString cfg.validMinDays) ] ++
nixos/acme: add extraLegoRenewFlags option
2020-02-23 02:02:44 +00:00
certOpts ++ data.extraLegoRenewFlags);
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
acmeService = {
description = "Renew ACME Certificate for ${cert}";
security.acme: the client really needs networking Actually this can be improved since the client only needs network connectivity if it needs to renew the certificate.
2016-09-06 16:39:46 +01:00
after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ];
nixos/acme: renew after rebuild and on boot Fixes #81069
2020-02-29 13:39:55 +00:00
wantedBy = [ "multi-user.target" ];
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
serviceConfig = {
Type = "oneshot";
nixos/acme: Fix allowKeysForGroup not applying immediately Previously setting `allowKeysForGroup = true; group = "foo"` would not apply the group permission change of the certificates until the service gets restarted. This commit fixes this by making systemd restart the service every time it changes. Note that applying this commit to a system with an already running acme systemd service doesn't fix this immediately and you still need to wait for the next refresh (or call `systemctl restart acme-<domain>`). Once everybody's service has restarted once this should be a problem of the past.
2019-10-26 23:36:21 +01:00
# With RemainAfterExit the service is considered active even
# after the main process having exited, which means when it
# gets changed, the activation phase restarts it, meaning
# the permissions of the StateDirectory get adjusted
# according to the specified group
RemainAfterExit = true;
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
User = data.user;
Group = data.group;
PrivateTmp = true;
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
StateDirectory = "acme/.lego ${lpath}";
nixos/acme: apply chmod and ownership unconditionally Also separate directory and file permissions so the certificate files don't end up with the executable bit. Fixes #81335
2020-02-29 13:17:25 +00:00
StateDirectoryMode = if data.allowKeysForGroup then "750" else "700";
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
WorkingDirectory = spath;
# Only try loading the credentialsFile if the dns challenge is enabled
EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null;
ExecStart = pkgs.writeScript "acme-start" ''
#!${pkgs.runtimeShell} -e
${pkgs.lego}/bin/lego ${renewOpts} || ${pkgs.lego}/bin/lego ${runOpts}
'';
nixos/acme: implement postRun using ExecStartPost In 5532065d0690645f0a813fed6e68163b0f4774d4, acme was changed to be RemainAfterExit=true, but `postRun` commands are implemented as `ExecStopPost`. Systemd now considers the service to be still running after simp_le is finished, so won't run these commands (e.g. to reload certificates in a webserver). Change `postRun` to use `ExecStartPost` to ensure the commands are run in a timely manner.
2019-12-19 17:34:22 +00:00
ExecStartPost =
Fix letsencrypt (#60219) * nixos/acme: Fix ordering of cert requests When subsequent certificates would be added, they would not wake up nginx correctly due to target units only being triggered once. We now added more fine-grained systemd dependencies to make sure nginx always is aware of new certificates and doesn't restart too early resulting in a crash. Furthermore, the acme module has been refactored. Mostly to get rid of the deprecated PermissionStartOnly systemd options which were deprecated. Below is a summary of changes made. * Use SERVICE_RESULT to determine status This was added in systemd v232. we don't have to keep track of the EXITCODE ourselves anymore. * Add regression test for requesting mutliple domains * Deprecate 'directory' option We now use systemd's StateDirectory option to manage create and permissions of the acme state directory. * The webroot is created using a systemd.tmpfiles.rules rule instead of the preStart script. * Depend on certs directly By getting rid of the target units, we make sure ordering is correct in the case that you add new certs after already having deployed some. Reason it broke before: acme-certificates.target would be in active state, and if you then add a new cert, it would still be active and hence nginx would restart without even requesting a new cert. Not good! We make the dependencies more fine-grained now. this should fix that * Remove activationDelay option It complicated the code a lot, and is rather arbitrary. What if your activation script takes more than activationDelay seconds? Instead, one should use systemd dependencies to make sure some action happens before setting the certificate live. e.g. If you want to wait until your cert is published in DNS DANE / TLSA, you could create a unit that blocks until it appears in DNS: ``` RequiredBy=acme-${cert}.service After=acme-${cert}.service ExecStart=publish-wait-for-dns-script ```
2019-08-29 15:32:59 +01:00
let
nixos/acme: add dns-01 test, fix cert locating bug
2020-02-09 02:09:34 +00:00
keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
nixos/acme: implement postRun using ExecStartPost In 5532065d0690645f0a813fed6e68163b0f4774d4, acme was changed to be RemainAfterExit=true, but `postRun` commands are implemented as `ExecStopPost`. Systemd now considers the service to be still running after simp_le is finished, so won't run these commands (e.g. to reload certificates in a webserver). Change `postRun` to use `ExecStartPost` to ensure the commands are run in a timely manner.
2019-12-19 17:34:22 +00:00
script = pkgs.writeScript "acme-post-start" ''
Fix letsencrypt (#60219) * nixos/acme: Fix ordering of cert requests When subsequent certificates would be added, they would not wake up nginx correctly due to target units only being triggered once. We now added more fine-grained systemd dependencies to make sure nginx always is aware of new certificates and doesn't restart too early resulting in a crash. Furthermore, the acme module has been refactored. Mostly to get rid of the deprecated PermissionStartOnly systemd options which were deprecated. Below is a summary of changes made. * Use SERVICE_RESULT to determine status This was added in systemd v232. we don't have to keep track of the EXITCODE ourselves anymore. * Add regression test for requesting mutliple domains * Deprecate 'directory' option We now use systemd's StateDirectory option to manage create and permissions of the acme state directory. * The webroot is created using a systemd.tmpfiles.rules rule instead of the preStart script. * Depend on certs directly By getting rid of the target units, we make sure ordering is correct in the case that you add new certs after already having deployed some. Reason it broke before: acme-certificates.target would be in active state, and if you then add a new cert, it would still be active and hence nginx would restart without even requesting a new cert. Not good! We make the dependencies more fine-grained now. this should fix that * Remove activationDelay option It complicated the code a lot, and is rather arbitrary. What if your activation script takes more than activationDelay seconds? Instead, one should use systemd dependencies to make sure some action happens before setting the certificate live. e.g. If you want to wait until your cert is published in DNS DANE / TLSA, you could create a unit that blocks until it appears in DNS: ``` RequiredBy=acme-${cert}.service After=acme-${cert}.service ExecStart=publish-wait-for-dns-script ```
2019-08-29 15:32:59 +01:00
#!${pkgs.runtimeShell} -e
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
cd ${apath}
# Test that existing cert is older than new cert
nixos/acme: add dns-01 test, fix cert locating bug
2020-02-09 02:09:34 +00:00
KEY=${spath}/certificates/${keyName}.key
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
if [ -e $KEY -a $KEY -nt key.pem ]; then
nixos/acme: add dns-01 test, fix cert locating bug
2020-02-09 02:09:34 +00:00
cp -p ${spath}/certificates/${keyName}.key key.pem
nixos/acme: move the crt to fullchain.pem lego already bundles the chain with the certificate,[1] so the current code, designed for simp_le, was resulting in duplicate certificate chains, manifesting as "Chain issues: Incorrect order, Extra certs" on the Qualys SSL Server Test. cert.pem stays around as a symlink for backwards compatibility. [1] https://github.com/go-acme/lego/blob/5cdc0002e9abb2463fffc962dadc3479f72d7486/acme/api/certificate.go#L40-L44
2020-02-23 03:46:35 +00:00
cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
nixos/acme: add dns-01 test, fix cert locating bug
2020-02-09 02:09:34 +00:00
cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
nixos/acme: force symlink from fullchain.pem to cert.pem Co-authored-by: emily <vcs@emily.moe>
2020-03-04 09:48:50 +00:00
ln -sf fullchain.pem cert.pem
nixos/acme: move the crt to fullchain.pem lego already bundles the chain with the certificate,[1] so the current code, designed for simp_le, was resulting in duplicate certificate chains, manifesting as "Chain issues: Incorrect order, Extra certs" on the Qualys SSL Server Test. cert.pem stays around as a symlink for backwards compatibility. [1] https://github.com/go-acme/lego/blob/5cdc0002e9abb2463fffc962dadc3479f72d7486/acme/api/certificate.go#L40-L44
2020-02-23 03:46:35 +00:00
cat key.pem fullchain.pem > full.pem
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
fi
nixos/acme: apply chmod and ownership unconditionally Also separate directory and file permissions so the certificate files don't end up with the executable bit. Fixes #81335
2020-02-29 13:17:25 +00:00
chmod ${fileMode} *.pem
chown '${data.user}:${data.group}' *.pem
Fix letsencrypt (#60219) * nixos/acme: Fix ordering of cert requests When subsequent certificates would be added, they would not wake up nginx correctly due to target units only being triggered once. We now added more fine-grained systemd dependencies to make sure nginx always is aware of new certificates and doesn't restart too early resulting in a crash. Furthermore, the acme module has been refactored. Mostly to get rid of the deprecated PermissionStartOnly systemd options which were deprecated. Below is a summary of changes made. * Use SERVICE_RESULT to determine status This was added in systemd v232. we don't have to keep track of the EXITCODE ourselves anymore. * Add regression test for requesting mutliple domains * Deprecate 'directory' option We now use systemd's StateDirectory option to manage create and permissions of the acme state directory. * The webroot is created using a systemd.tmpfiles.rules rule instead of the preStart script. * Depend on certs directly By getting rid of the target units, we make sure ordering is correct in the case that you add new certs after already having deployed some. Reason it broke before: acme-certificates.target would be in active state, and if you then add a new cert, it would still be active and hence nginx would restart without even requesting a new cert. Not good! We make the dependencies more fine-grained now. this should fix that * Remove activationDelay option It complicated the code a lot, and is rather arbitrary. What if your activation script takes more than activationDelay seconds? Instead, one should use systemd dependencies to make sure some action happens before setting the certificate live. e.g. If you want to wait until your cert is published in DNS DANE / TLSA, you could create a unit that blocks until it appears in DNS: ``` RequiredBy=acme-${cert}.service After=acme-${cert}.service ExecStart=publish-wait-for-dns-script ```
2019-08-29 15:32:59 +01:00
${data.postRun}
'';
in
"+${script}";
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
};
Fix letsencrypt (#60219) * nixos/acme: Fix ordering of cert requests When subsequent certificates would be added, they would not wake up nginx correctly due to target units only being triggered once. We now added more fine-grained systemd dependencies to make sure nginx always is aware of new certificates and doesn't restart too early resulting in a crash. Furthermore, the acme module has been refactored. Mostly to get rid of the deprecated PermissionStartOnly systemd options which were deprecated. Below is a summary of changes made. * Use SERVICE_RESULT to determine status This was added in systemd v232. we don't have to keep track of the EXITCODE ourselves anymore. * Add regression test for requesting mutliple domains * Deprecate 'directory' option We now use systemd's StateDirectory option to manage create and permissions of the acme state directory. * The webroot is created using a systemd.tmpfiles.rules rule instead of the preStart script. * Depend on certs directly By getting rid of the target units, we make sure ordering is correct in the case that you add new certs after already having deployed some. Reason it broke before: acme-certificates.target would be in active state, and if you then add a new cert, it would still be active and hence nginx would restart without even requesting a new cert. Not good! We make the dependencies more fine-grained now. this should fix that * Remove activationDelay option It complicated the code a lot, and is rather arbitrary. What if your activation script takes more than activationDelay seconds? Instead, one should use systemd dependencies to make sure some action happens before setting the certificate live. e.g. If you want to wait until your cert is published in DNS DANE / TLSA, you could create a unit that blocks until it appears in DNS: ``` RequiredBy=acme-${cert}.service After=acme-${cert}.service ExecStart=publish-wait-for-dns-script ```
2019-08-29 15:32:59 +01:00
nixos/acme: Allow for time window between cert issue and activation
2017-11-19 15:41:28 +00:00
};
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
selfsignedService = {
description = "Create preliminary self-signed certificate for ${cert}";
acme service: generate a CA for self-signed certificate This is needed because simp_le expects two certificates in fullchain.pem, leading to error: > Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1. We now create a CA and sign the key with it instead, providing correct fullchain.pem. Also cleanup service a bit -- use PATH and a private temporary directory (which is more suitable).
2018-04-03 10:09:45 +01:00
path = [ pkgs.openssl ];
nixos/acme: Fix broken post-stop script Previously the script would contain an empty `if` block (which is invalid syntax) if both `data.activationDelay == null` and `data.postRun == ""`. Fix this by adding a no-op `true`.
2018-04-29 18:30:09 +01:00
script =
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
''
acme service: generate a CA for self-signed certificate This is needed because simp_le expects two certificates in fullchain.pem, leading to error: > Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1. We now create a CA and sign the key with it instead, providing correct fullchain.pem. Also cleanup service a bit -- use PATH and a private temporary directory (which is more suitable).
2018-04-03 10:09:45 +01:00
workdir="$(mktemp -d)"
# Create CA
acme module: fix self-signed cert with openssl 1.1
2018-05-23 23:52:05 +01:00
openssl genrsa -des3 -passout pass:xxxx -out $workdir/ca.pass.key 2048
openssl rsa -passin pass:xxxx -in $workdir/ca.pass.key -out $workdir/ca.key
acme service: generate a CA for self-signed certificate This is needed because simp_le expects two certificates in fullchain.pem, leading to error: > Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1. We now create a CA and sign the key with it instead, providing correct fullchain.pem. Also cleanup service a bit -- use PATH and a private temporary directory (which is more suitable).
2018-04-03 10:09:45 +01:00
openssl req -new -key $workdir/ca.key -out $workdir/ca.csr \
-subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com"
openssl x509 -req -days 1 -in $workdir/ca.csr -signkey $workdir/ca.key -out $workdir/ca.crt
# Create key
acme module: fix self-signed cert with openssl 1.1
2018-05-23 23:52:05 +01:00
openssl genrsa -des3 -passout pass:xxxx -out $workdir/server.pass.key 2048
openssl rsa -passin pass:xxxx -in $workdir/server.pass.key -out $workdir/server.key
acme service: generate a CA for self-signed certificate This is needed because simp_le expects two certificates in fullchain.pem, leading to error: > Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1. We now create a CA and sign the key with it instead, providing correct fullchain.pem. Also cleanup service a bit -- use PATH and a private temporary directory (which is more suitable).
2018-04-03 10:09:45 +01:00
openssl req -new -key $workdir/server.key -out $workdir/server.csr \
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
-subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
acme service: generate a CA for self-signed certificate This is needed because simp_le expects two certificates in fullchain.pem, leading to error: > Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1. We now create a CA and sign the key with it instead, providing correct fullchain.pem. Also cleanup service a bit -- use PATH and a private temporary directory (which is more suitable).
2018-04-03 10:09:45 +01:00
openssl x509 -req -days 1 -in $workdir/server.csr -CA $workdir/ca.crt \
-CAkey $workdir/ca.key -CAserial $workdir/ca.srl -CAcreateserial \
-out $workdir/server.crt
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
acme service: generate a CA for self-signed certificate This is needed because simp_le expects two certificates in fullchain.pem, leading to error: > Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1. We now create a CA and sign the key with it instead, providing correct fullchain.pem. Also cleanup service a bit -- use PATH and a private temporary directory (which is more suitable).
2018-04-03 10:09:45 +01:00
# Copy key to destination
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
cp $workdir/server.key ${apath}/key.pem
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
acme service: generate a CA for self-signed certificate This is needed because simp_le expects two certificates in fullchain.pem, leading to error: > Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1. We now create a CA and sign the key with it instead, providing correct fullchain.pem. Also cleanup service a bit -- use PATH and a private temporary directory (which is more suitable).
2018-04-03 10:09:45 +01:00
# Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates)
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
cat $workdir/{server.crt,ca.crt} > "${apath}/fullchain.pem"
nixos/acme: support "full.pem" (for lighttpd) * Create "full.pem" from selfsigned certificate * Tell simp_le to create "full.pem" * Inject service dependency between lighttpd and the generation of certificates Side note: According to the internet these servers also use the "full.pem" format: pound, ejabberd, pure-ftpd.
2017-06-07 20:38:01 +01:00
acme service: generate a CA for self-signed certificate This is needed because simp_le expects two certificates in fullchain.pem, leading to error: > Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1. We now create a CA and sign the key with it instead, providing correct fullchain.pem. Also cleanup service a bit -- use PATH and a private temporary directory (which is more suitable).
2018-04-03 10:09:45 +01:00
# Create full.pem for e.g. lighttpd
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
cat $workdir/{server.key,server.crt,ca.crt} > "${apath}/full.pem"
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
# Give key acme permissions
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
chown '${data.user}:${data.group}' "${apath}/"{key,fullchain,full}.pem
nixos/acme: apply chmod and ownership unconditionally Also separate directory and file permissions so the certificate files don't end up with the executable bit. Fixes #81335
2020-02-29 13:17:25 +00:00
chmod ${fileMode} "${apath}/"{key,fullchain,full}.pem
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
'';
serviceConfig = {
Type = "oneshot";
acme service: generate a CA for self-signed certificate This is needed because simp_le expects two certificates in fullchain.pem, leading to error: > Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1. We now create a CA and sign the key with it instead, providing correct fullchain.pem. Also cleanup service a bit -- use PATH and a private temporary directory (which is more suitable).
2018-04-03 10:09:45 +01:00
PrivateTmp = true;
Fix letsencrypt (#60219) * nixos/acme: Fix ordering of cert requests When subsequent certificates would be added, they would not wake up nginx correctly due to target units only being triggered once. We now added more fine-grained systemd dependencies to make sure nginx always is aware of new certificates and doesn't restart too early resulting in a crash. Furthermore, the acme module has been refactored. Mostly to get rid of the deprecated PermissionStartOnly systemd options which were deprecated. Below is a summary of changes made. * Use SERVICE_RESULT to determine status This was added in systemd v232. we don't have to keep track of the EXITCODE ourselves anymore. * Add regression test for requesting mutliple domains * Deprecate 'directory' option We now use systemd's StateDirectory option to manage create and permissions of the acme state directory. * The webroot is created using a systemd.tmpfiles.rules rule instead of the preStart script. * Depend on certs directly By getting rid of the target units, we make sure ordering is correct in the case that you add new certs after already having deployed some. Reason it broke before: acme-certificates.target would be in active state, and if you then add a new cert, it would still be active and hence nginx would restart without even requesting a new cert. Not good! We make the dependencies more fine-grained now. this should fix that * Remove activationDelay option It complicated the code a lot, and is rather arbitrary. What if your activation script takes more than activationDelay seconds? Instead, one should use systemd dependencies to make sure some action happens before setting the certificate live. e.g. If you want to wait until your cert is published in DNS DANE / TLSA, you could create a unit that blocks until it appears in DNS: ``` RequiredBy=acme-${cert}.service After=acme-${cert}.service ExecStart=publish-wait-for-dns-script ```
2019-08-29 15:32:59 +01:00
StateDirectory = lpath;
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
User = data.user;
Group = data.group;
};
unitConfig = {
# Do not create self-signed key when key already exists
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
ConditionPathExists = "!${apath}/key.pem";
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
};
};
in (
[ { name = "acme-${cert}"; value = acmeService; } ]
nixos/acme: Allow for time window between cert issue and activation
2017-11-19 15:41:28 +00:00
++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; }
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
);
servicesAttr = listToAttrs services;
in
Fix letsencrypt (#60219) * nixos/acme: Fix ordering of cert requests When subsequent certificates would be added, they would not wake up nginx correctly due to target units only being triggered once. We now added more fine-grained systemd dependencies to make sure nginx always is aware of new certificates and doesn't restart too early resulting in a crash. Furthermore, the acme module has been refactored. Mostly to get rid of the deprecated PermissionStartOnly systemd options which were deprecated. Below is a summary of changes made. * Use SERVICE_RESULT to determine status This was added in systemd v232. we don't have to keep track of the EXITCODE ourselves anymore. * Add regression test for requesting mutliple domains * Deprecate 'directory' option We now use systemd's StateDirectory option to manage create and permissions of the acme state directory. * The webroot is created using a systemd.tmpfiles.rules rule instead of the preStart script. * Depend on certs directly By getting rid of the target units, we make sure ordering is correct in the case that you add new certs after already having deployed some. Reason it broke before: acme-certificates.target would be in active state, and if you then add a new cert, it would still be active and hence nginx would restart without even requesting a new cert. Not good! We make the dependencies more fine-grained now. this should fix that * Remove activationDelay option It complicated the code a lot, and is rather arbitrary. What if your activation script takes more than activationDelay seconds? Instead, one should use systemd dependencies to make sure some action happens before setting the certificate live. e.g. If you want to wait until your cert is published in DNS DANE / TLSA, you could create a unit that blocks until it appears in DNS: ``` RequiredBy=acme-${cert}.service After=acme-${cert}.service ExecStart=publish-wait-for-dns-script ```
2019-08-29 15:32:59 +01:00
servicesAttr;
systemd.tmpfiles.rules =
nixos/acme: ignore tmpfiles rules for null webroots
2020-01-15 09:17:11 +00:00
map (data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}") (filter (data: data.webroot != null) (attrValues cfg.certs));
nixos/acme: Add module documentation
2015-12-12 15:06:24 +00:00
nixos/acme: adjust renewal timer options The current weekly setting causes every NixOS server to try to renew its certificate at midnight on the dot on Monday. This contributes to the general problem of periodic load spikes for Let's Encrypt; NixOS is probably not a major contributor to that problem, but we can lead by example by picking good defaults here. The values here were chosen after consulting with @yuriks, an SRE at Let's Encrypt: * Randomize the time certificates are renewed within a 24 hour period. * Check for renewal every 24 hours, to ensure the certificate is always renewed before an expiry notice is sent out. * Increase the AccuracySec (thus lowering the accuracy(!)), so that systemd can coalesce the renewal with other timers being run. (You might be worried that this would defeat the purpose of the time skewing, but systemd is documented as avoiding this by picking a random time.)
2020-02-23 01:46:46 +00:00
systemd.timers = let
# Allow systemd to pick a convenient time within the day
# to run the check.
# This allows the coalescing of multiple timer jobs.
# We divide by the number of certificates so that if you
# have many certificates, the renewals are distributed over
# the course of the day to avoid rate limits.
numCerts = length (attrNames cfg.certs);
_24hSecs = 60 * 60 * 24;
AccuracySec = "${toString (_24hSecs / numCerts)}s";
in flip mapAttrs' cfg.certs (cert: data: nameValuePair
nixos/acme: Add module documentation
2015-12-12 15:06:24 +00:00
("acme-${cert}")
({
acme.nix: Fix unit descriptions Unit descriptions should be capitalized, and timer units don't have to describe that they're timers.
2016-04-18 10:52:31 +01:00
description = "Renew ACME Certificate for ${cert}";
nixos/acme: Add module documentation
2015-12-12 15:06:24 +00:00
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = cfg.renewInterval;
nixos/acme: fix timer unit
2015-12-13 13:53:59 +00:00
Unit = "acme-${cert}.service";
nixos.acme: make timer persistent This makes sure that if the system was powered off when the timer was supposed to trigger, it will run the next time the system boots up.
2016-08-10 18:37:11 +01:00
Persistent = "yes";
nixos/acme: adjust renewal timer options The current weekly setting causes every NixOS server to try to renew its certificate at midnight on the dot on Monday. This contributes to the general problem of periodic load spikes for Let's Encrypt; NixOS is probably not a major contributor to that problem, but we can lead by example by picking good defaults here. The values here were chosen after consulting with @yuriks, an SRE at Let's Encrypt: * Randomize the time certificates are renewed within a 24 hour period. * Check for renewal every 24 hours, to ensure the certificate is always renewed before an expiry notice is sent out. * Increase the AccuracySec (thus lowering the accuracy(!)), so that systemd can coalesce the renewal with other timers being run. (You might be worried that this would defeat the purpose of the time skewing, but systemd is documented as avoiding this by picking a random time.)
2020-02-23 01:46:46 +00:00
inherit AccuracySec;
# Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.
RandomizedDelaySec = "24h";
nixos/acme: Add module documentation
2015-12-12 15:06:24 +00:00
};
})
);
acme: added option `security.acme.preliminarySelfsigned` (#15562)
2016-06-01 11:39:46 +01:00
treewide: remove redundant quotes
2019-08-13 22:52:01 +01:00
systemd.targets.acme-selfsigned-certificates = mkIf cfg.preliminarySelfsigned {};
systemd.targets.acme-certificates = {};
nixos/acme: Add module documentation
2015-12-12 15:06:24 +00:00
})
];
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
modules: move meta at top level
2016-05-09 06:53:27 +01:00
meta = {
nixos/acme: replace simp-le with lego client Lego allows users to use the DNS-01 challenge to validate their certificates. It is mostly backwards compatible, with a few caveats. - extraDomains can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for account creation The following other changes were required: - Deprecate security.acme.certs.<name>.plugins, as this was specific to simp-le - Rename security.acme.validMin to validMinDays, to avoid confusion and errors. Lego requires the TTL to be specified in days - Add options to cover DNS challenge (dnsProvider, credentialsFile, dnsPropagationCheck) - A shared state directory is now used (/var/lib/acme/.lego) to avoid account creation rate limits and share credentials between certs
2020-01-12 21:05:57 +00:00
maintainers = with lib.maintainers; [ abbradar fpletz globin m1cr0man ];
modules: move meta at top level
2016-05-09 06:53:27 +01:00
doc = ./acme.xml;
};
simp_le service: letsencrypt cert auto-renewal This new service invokes `simp_le` for a defined set of certs on a regular basis with a systemd timer. `simp_le` is smart enough to handle account registration, domain validation and renewal on its own. The only thing required is an existing HTTP server that serves the path `/.well-known/acme-challenge` from the webroot cert parameter. Example: services.simp_le.certs."foo.example.com" = { webroot = "/var/www/challenges"; extraDomains = [ "www.example.com" ]; email = "foo@example.com"; validMin = 2592000; renewInterval = "weekly"; }; Example Nginx vhost: services.nginx.appendConfig = '' http { server { server_name _; listen 80; listen [::]:80; location /.well-known/acme-challenge { root /var/www/challenges; } location / { return 301 https://$host$request_uri; } } } '';
2015-12-06 15:55:09 +00:00
}
Reference in New Issue Copy Permalink