2020-06-19 21:27:46 +02:00
|
|
|
{ config, lib, pkgs, options, ... }:
|
2015-12-06 16:55:09 +01:00
|
|
|
with lib;
|
|
|
|
let
|
2015-12-11 17:42:17 +01:00
|
|
|
cfg = config.security.acme;
|
2015-12-06 16:55:09 +01:00
|
|
|
|
2020-06-19 21:27:46 +02:00
|
|
|
# Used to calculate timer accuracy for coalescing
|
|
|
|
numCerts = length (builtins.attrNames cfg.certs);
|
|
|
|
_24hSecs = 60 * 60 * 24;
|
|
|
|
|
2020-12-13 21:22:33 +01:00
|
|
|
# Used to make unique paths for each cert/account config set
|
|
|
|
mkHash = with builtins; val: substring 0 20 (hashString "sha256" val);
|
|
|
|
mkAccountHash = acmeServer: data: mkHash "${toString acmeServer} ${data.keyType} ${data.email}";
|
|
|
|
accountDirRoot = "/var/lib/acme/.lego/accounts/";
|
|
|
|
|
2020-06-19 21:27:46 +02:00
|
|
|
# There are many services required to make cert renewals work.
|
|
|
|
# They all follow a common structure:
|
|
|
|
# - They inherit this commonServiceConfig
|
|
|
|
# - They all run as the acme user
|
|
|
|
# - They all use BindPath and StateDirectory where possible
|
|
|
|
# to set up a sort of build environment in /tmp
|
|
|
|
# The Group can vary depending on what the user has specified in
|
|
|
|
# security.acme.certs.<cert>.group on some of the services.
|
|
|
|
commonServiceConfig = {
|
|
|
|
Type = "oneshot";
|
|
|
|
User = "acme";
|
|
|
|
Group = mkDefault "acme";
|
|
|
|
UMask = 0027;
|
|
|
|
StateDirectoryMode = 750;
|
|
|
|
ProtectSystem = "full";
|
|
|
|
PrivateTmp = true;
|
|
|
|
|
|
|
|
WorkingDirectory = "/tmp";
|
|
|
|
};
|
|
|
|
|
|
|
|
# In order to avoid race conditions creating the CA for selfsigned certs,
|
|
|
|
# we have a separate service which will create the necessary files.
|
|
|
|
selfsignCAService = {
|
|
|
|
description = "Generate self-signed certificate authority";
|
|
|
|
|
|
|
|
path = with pkgs; [ minica ];
|
|
|
|
|
|
|
|
unitConfig = {
|
|
|
|
ConditionPathExists = "!/var/lib/acme/.minica/key.pem";
|
|
|
|
};
|
|
|
|
|
|
|
|
serviceConfig = commonServiceConfig // {
|
|
|
|
StateDirectory = "acme/.minica";
|
|
|
|
BindPaths = "/var/lib/acme/.minica:/tmp/ca";
|
|
|
|
};
|
|
|
|
|
|
|
|
# Working directory will be /tmp
|
|
|
|
script = ''
|
|
|
|
minica \
|
|
|
|
--ca-key ca/key.pem \
|
|
|
|
--ca-cert ca/cert.pem \
|
|
|
|
--domains selfsigned.local
|
|
|
|
|
|
|
|
chmod 600 ca/*
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2020-12-13 23:19:53 +01:00
|
|
|
# Ensures that directories which are shared across all certs
|
|
|
|
# exist and have the correct user and group, since group
|
|
|
|
# is configurable on a per-cert basis.
|
2020-06-19 21:27:46 +02:00
|
|
|
userMigrationService = {
|
|
|
|
description = "Fix owner and group of all ACME certificates";
|
|
|
|
|
|
|
|
script = with builtins; concatStringsSep "\n" (mapAttrsToList (cert: data: ''
|
|
|
|
for fixpath in /var/lib/acme/${escapeShellArg cert} /var/lib/acme/.lego/${escapeShellArg cert}; do
|
|
|
|
if [ -d "$fixpath" ]; then
|
2020-10-22 15:04:31 +02:00
|
|
|
chmod -R u=rwX,g=rX,o= "$fixpath"
|
2020-06-19 21:27:46 +02:00
|
|
|
chown -R acme:${data.group} "$fixpath"
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
'') certConfigs);
|
|
|
|
|
2020-12-13 23:19:53 +01:00
|
|
|
serviceConfig = {
|
|
|
|
# We don't want this to run every time a renewal happens
|
|
|
|
RemainAfterExit = true;
|
|
|
|
|
|
|
|
# These StateDirectory entries negate the need for tmpfiles
|
|
|
|
StateDirectory = "acme acme/.lego acme/.lego/accounts";
|
|
|
|
};
|
2020-06-19 21:27:46 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
certToConfig = cert: data: let
|
|
|
|
acmeServer = if data.server != null then data.server else cfg.server;
|
|
|
|
useDns = data.dnsProvider != null;
|
|
|
|
destPath = "/var/lib/acme/${cert}";
|
2020-09-05 00:39:22 +02:00
|
|
|
selfsignedDeps = optionals (cfg.preliminarySelfsigned) [ "acme-selfsigned-${cert}.service" ];
|
2020-06-19 21:27:46 +02:00
|
|
|
|
|
|
|
# Minica and lego have a "feature" which replaces * with _. We need
|
|
|
|
# to make this substitution to reference the output files from both programs.
|
|
|
|
# End users never see this since we rename the certs.
|
|
|
|
keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
|
|
|
|
|
|
|
|
# FIXME when mkChangedOptionModule supports submodules, change to that.
|
|
|
|
# This is a workaround
|
|
|
|
extraDomains = data.extraDomainNames ++ (
|
|
|
|
optionals
|
|
|
|
(data.extraDomains != "_mkMergedOptionModule")
|
|
|
|
(builtins.attrNames data.extraDomains)
|
|
|
|
);
|
|
|
|
|
|
|
|
# Create hashes for cert data directories based on configuration
|
2020-09-05 00:39:22 +02:00
|
|
|
# Flags are separated to avoid collisions
|
2020-06-19 21:27:46 +02:00
|
|
|
hashData = with builtins; ''
|
2020-09-05 00:39:22 +02:00
|
|
|
${concatStringsSep " " data.extraLegoFlags} -
|
|
|
|
${concatStringsSep " " data.extraLegoRunFlags} -
|
|
|
|
${concatStringsSep " " data.extraLegoRenewFlags} -
|
2020-06-19 21:27:46 +02:00
|
|
|
${toString acmeServer} ${toString data.dnsProvider}
|
2020-09-05 00:39:22 +02:00
|
|
|
${toString data.ocspMustStaple} ${data.keyType}
|
2020-06-19 21:27:46 +02:00
|
|
|
'';
|
|
|
|
certDir = mkHash hashData;
|
2020-09-05 00:39:22 +02:00
|
|
|
domainHash = mkHash "${concatStringsSep " " extraDomains} ${data.domain}";
|
2020-12-13 21:22:33 +01:00
|
|
|
accountHash = (mkAccountHash acmeServer data);
|
|
|
|
accountDir = accountDirRoot + accountHash;
|
2020-06-19 21:27:46 +02:00
|
|
|
|
|
|
|
protocolOpts = if useDns then (
|
|
|
|
[ "--dns" data.dnsProvider ]
|
|
|
|
++ optionals (!data.dnsPropagationCheck) [ "--dns.disable-cp" ]
|
2020-10-07 13:01:08 +02:00
|
|
|
++ optionals (data.dnsResolver != null) [ "--dns.resolvers" data.dnsResolver ]
|
2020-06-19 21:27:46 +02:00
|
|
|
) else (
|
|
|
|
[ "--http" "--http.webroot" data.webroot ]
|
|
|
|
);
|
|
|
|
|
|
|
|
commonOpts = [
|
|
|
|
"--accept-tos" # Checking the option is covered by the assertions
|
|
|
|
"--path" "."
|
|
|
|
"-d" data.domain
|
|
|
|
"--email" data.email
|
|
|
|
"--key-type" data.keyType
|
|
|
|
] ++ protocolOpts
|
|
|
|
++ optionals (acmeServer != null) [ "--server" acmeServer ]
|
|
|
|
++ concatMap (name: [ "-d" name ]) extraDomains
|
|
|
|
++ data.extraLegoFlags;
|
|
|
|
|
2020-10-06 22:52:49 +02:00
|
|
|
# Although --must-staple is common to both modes, it is not declared as a
|
|
|
|
# mode-agnostic argument in lego and thus must come after the mode.
|
2020-06-19 21:27:46 +02:00
|
|
|
runOpts = escapeShellArgs (
|
|
|
|
commonOpts
|
|
|
|
++ [ "run" ]
|
2020-10-06 22:52:49 +02:00
|
|
|
++ optionals data.ocspMustStaple [ "--must-staple" ]
|
2020-06-19 21:27:46 +02:00
|
|
|
++ data.extraLegoRunFlags
|
|
|
|
);
|
|
|
|
renewOpts = escapeShellArgs (
|
|
|
|
commonOpts
|
2020-09-05 00:39:22 +02:00
|
|
|
++ [ "renew" "--reuse-key" ]
|
2020-10-06 22:52:49 +02:00
|
|
|
++ optionals data.ocspMustStaple [ "--must-staple" ]
|
2020-06-19 21:27:46 +02:00
|
|
|
++ data.extraLegoRenewFlags
|
|
|
|
);
|
|
|
|
|
|
|
|
in {
|
2020-12-13 23:19:53 +01:00
|
|
|
inherit accountHash cert selfsignedDeps;
|
2020-06-19 21:27:46 +02:00
|
|
|
|
|
|
|
webroot = data.webroot;
|
|
|
|
group = data.group;
|
|
|
|
|
|
|
|
renewTimer = {
|
|
|
|
description = "Renew ACME Certificate for ${cert}";
|
|
|
|
wantedBy = [ "timers.target" ];
|
|
|
|
timerConfig = {
|
|
|
|
OnCalendar = cfg.renewInterval;
|
|
|
|
Unit = "acme-${cert}.service";
|
|
|
|
Persistent = "yes";
|
|
|
|
|
|
|
|
# Allow systemd to pick a convenient time within the day
|
|
|
|
# to run the check.
|
|
|
|
# This allows the coalescing of multiple timer jobs.
|
|
|
|
# We divide by the number of certificates so that if you
|
|
|
|
# have many certificates, the renewals are distributed over
|
|
|
|
# the course of the day to avoid rate limits.
|
|
|
|
AccuracySec = "${toString (_24hSecs / numCerts)}s";
|
|
|
|
|
|
|
|
# Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.
|
|
|
|
RandomizedDelaySec = "24h";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
selfsignService = {
|
|
|
|
description = "Generate self-signed certificate for ${cert}";
|
|
|
|
after = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ];
|
2020-09-04 19:48:47 +02:00
|
|
|
requires = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ];
|
2020-06-19 21:27:46 +02:00
|
|
|
|
|
|
|
path = with pkgs; [ minica ];
|
|
|
|
|
|
|
|
unitConfig = {
|
|
|
|
ConditionPathExists = "!/var/lib/acme/${cert}/key.pem";
|
|
|
|
};
|
|
|
|
|
|
|
|
serviceConfig = commonServiceConfig // {
|
|
|
|
Group = data.group;
|
|
|
|
|
|
|
|
StateDirectory = "acme/${cert}";
|
|
|
|
|
|
|
|
BindPaths = "/var/lib/acme/.minica:/tmp/ca /var/lib/acme/${cert}:/tmp/${keyName}";
|
|
|
|
};
|
|
|
|
|
|
|
|
# Working directory will be /tmp
|
|
|
|
# minica will output to a folder sharing the name of the first domain
|
|
|
|
# in the list, which will be ${data.domain}
|
|
|
|
script = ''
|
|
|
|
minica \
|
|
|
|
--ca-key ca/key.pem \
|
|
|
|
--ca-cert ca/cert.pem \
|
|
|
|
--domains ${escapeShellArg (builtins.concatStringsSep "," ([ data.domain ] ++ extraDomains))}
|
|
|
|
|
|
|
|
# Create files to match directory layout for real certificates
|
|
|
|
cd '${keyName}'
|
|
|
|
cp ../ca/cert.pem chain.pem
|
|
|
|
cat cert.pem chain.pem > fullchain.pem
|
|
|
|
cat key.pem fullchain.pem > full.pem
|
|
|
|
|
|
|
|
chmod 640 *
|
|
|
|
|
|
|
|
# Group might change between runs, re-apply it
|
|
|
|
chown 'acme:${data.group}' *
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
renewService = {
|
|
|
|
description = "Renew ACME certificate for ${cert}";
|
2020-10-06 22:52:55 +02:00
|
|
|
after = [ "network.target" "network-online.target" "acme-fixperms.service" "nss-lookup.target" ] ++ selfsignedDeps;
|
2020-09-05 00:39:22 +02:00
|
|
|
wants = [ "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps;
|
2020-06-19 21:27:46 +02:00
|
|
|
|
|
|
|
# https://github.com/NixOS/nixpkgs/pull/81371#issuecomment-605526099
|
|
|
|
wantedBy = optionals (!config.boot.isContainer) [ "multi-user.target" ];
|
|
|
|
|
2020-09-03 16:31:06 +02:00
|
|
|
path = with pkgs; [ lego coreutils diffutils ];
|
2020-06-19 21:27:46 +02:00
|
|
|
|
|
|
|
serviceConfig = commonServiceConfig // {
|
|
|
|
Group = data.group;
|
|
|
|
|
2020-12-13 23:19:53 +01:00
|
|
|
# Keep in mind that these directories will be deleted if the user runs
|
|
|
|
# systemctl clean --what=state
|
|
|
|
# acme/.lego/${cert} is listed for this reason.
|
|
|
|
StateDirectory =
|
|
|
|
"acme/${cert} " +
|
|
|
|
"acme/.lego/${cert} " +
|
|
|
|
"acme/.lego/${cert}/${certDir} " +
|
|
|
|
"acme/.lego/accounts/${accountHash} ";
|
2020-06-19 21:27:46 +02:00
|
|
|
|
|
|
|
# Needs to be space separated, but can't use a multiline string because that'll include newlines
|
|
|
|
BindPaths =
|
|
|
|
"${accountDir}:/tmp/accounts " +
|
|
|
|
"/var/lib/acme/${cert}:/tmp/out " +
|
2020-09-03 16:31:06 +02:00
|
|
|
"/var/lib/acme/.lego/${cert}/${certDir}:/tmp/certificates ";
|
2020-06-19 21:27:46 +02:00
|
|
|
|
|
|
|
# Only try loading the credentialsFile if the dns challenge is enabled
|
|
|
|
EnvironmentFile = mkIf useDns data.credentialsFile;
|
2020-09-04 19:48:47 +02:00
|
|
|
|
|
|
|
# Run as root (Prefixed with +)
|
|
|
|
ExecStartPost = "+" + (pkgs.writeShellScript "acme-postrun" ''
|
|
|
|
cd /var/lib/acme/${escapeShellArg cert}
|
|
|
|
if [ -e renewed ]; then
|
|
|
|
rm renewed
|
|
|
|
${data.postRun}
|
|
|
|
fi
|
|
|
|
'');
|
2020-06-19 21:27:46 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
# Working directory will be /tmp
|
|
|
|
script = ''
|
|
|
|
set -euo pipefail
|
|
|
|
|
2020-09-05 00:39:22 +02:00
|
|
|
echo '${domainHash}' > domainhash.txt
|
|
|
|
|
2020-06-19 21:27:46 +02:00
|
|
|
# Check if we can renew
|
2020-12-13 21:22:33 +01:00
|
|
|
if [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(ls -1 accounts)" ]; then
|
2020-09-05 00:39:22 +02:00
|
|
|
|
|
|
|
# When domains are updated, there's no need to do a full
|
|
|
|
# Lego run, but it's likely renew won't work if days is too low.
|
|
|
|
if [ -e certificates/domainhash.txt ] && cmp -s domainhash.txt certificates/domainhash.txt; then
|
|
|
|
lego ${renewOpts} --days ${toString cfg.validMinDays}
|
|
|
|
else
|
|
|
|
# Any number > 90 works, but this one is over 9000 ;-)
|
|
|
|
lego ${renewOpts} --days 9001
|
|
|
|
fi
|
2020-06-19 21:27:46 +02:00
|
|
|
|
|
|
|
# Otherwise do a full run
|
|
|
|
else
|
|
|
|
lego ${runOpts}
|
|
|
|
fi
|
|
|
|
|
2020-09-05 00:39:22 +02:00
|
|
|
mv domainhash.txt certificates/
|
2020-06-19 21:27:46 +02:00
|
|
|
chmod 640 certificates/*
|
2020-10-22 15:04:31 +02:00
|
|
|
chmod -R u=rwX,g=,o= accounts/*
|
2020-06-19 21:27:46 +02:00
|
|
|
|
|
|
|
# Group might change between runs, re-apply it
|
|
|
|
chown 'acme:${data.group}' certificates/*
|
|
|
|
|
|
|
|
# Copy all certs to the "real" certs directory
|
|
|
|
CERT='certificates/${keyName}.crt'
|
2020-09-03 16:31:06 +02:00
|
|
|
if [ -e "$CERT" ] && ! cmp -s "$CERT" out/fullchain.pem; then
|
2020-09-04 19:48:47 +02:00
|
|
|
touch out/renewed
|
2020-09-03 16:31:06 +02:00
|
|
|
echo Installing new certificate
|
|
|
|
cp -vp 'certificates/${keyName}.crt' out/fullchain.pem
|
|
|
|
cp -vp 'certificates/${keyName}.key' out/key.pem
|
|
|
|
cp -vp 'certificates/${keyName}.issuer.crt' out/chain.pem
|
2020-06-19 21:27:46 +02:00
|
|
|
ln -sf fullchain.pem out/cert.pem
|
|
|
|
cat out/key.pem out/fullchain.pem > out/full.pem
|
|
|
|
fi
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
certConfigs = mapAttrs certToConfig cfg.certs;
|
|
|
|
|
2018-02-06 22:08:57 +01:00
|
|
|
certOpts = { name, ... }: {
|
2015-12-06 16:55:09 +01:00
|
|
|
options = {
|
2020-06-19 21:27:46 +02:00
|
|
|
# user option has been removed
|
|
|
|
user = mkOption {
|
|
|
|
visible = false;
|
|
|
|
default = "_mkRemovedOptionModule";
|
|
|
|
};
|
|
|
|
|
|
|
|
# allowKeysForGroup option has been removed
|
|
|
|
allowKeysForGroup = mkOption {
|
|
|
|
visible = false;
|
|
|
|
default = "_mkRemovedOptionModule";
|
|
|
|
};
|
|
|
|
|
|
|
|
# extraDomains was replaced with extraDomainNames
|
|
|
|
extraDomains = mkOption {
|
|
|
|
visible = false;
|
|
|
|
default = "_mkMergedOptionModule";
|
|
|
|
};
|
|
|
|
|
2015-12-06 16:55:09 +01:00
|
|
|
webroot = mkOption {
|
2020-01-15 10:17:11 +01:00
|
|
|
type = types.nullOr types.str;
|
|
|
|
default = null;
|
2018-02-06 22:08:57 +01:00
|
|
|
example = "/var/lib/acme/acme-challenges";
|
2015-12-08 19:09:19 +01:00
|
|
|
description = ''
|
|
|
|
Where the webroot of the HTTP vhost is located.
|
|
|
|
<filename>.well-known/acme-challenge/</filename> directory
|
2017-06-08 08:46:40 +02:00
|
|
|
will be created below the webroot if it doesn't exist.
|
2015-12-08 19:09:19 +01:00
|
|
|
<literal>http://example.org/.well-known/acme-challenge/</literal> must also
|
|
|
|
be available (notice unencrypted HTTP).
|
|
|
|
'';
|
2015-12-06 16:55:09 +01:00
|
|
|
};
|
|
|
|
|
2019-10-26 00:40:51 +02:00
|
|
|
server = mkOption {
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
default = null;
|
|
|
|
description = ''
|
2020-04-21 15:39:46 +02:00
|
|
|
ACME Directory Resource URI. Defaults to Let's Encrypt's
|
2019-10-26 00:40:51 +02:00
|
|
|
production endpoint,
|
2020-04-21 15:39:46 +02:00
|
|
|
<link xlink:href="https://acme-v02.api.letsencrypt.org/directory"/>, if unset.
|
2019-10-26 00:40:51 +02:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-04-11 18:28:05 +02:00
|
|
|
domain = mkOption {
|
2018-02-06 22:08:57 +01:00
|
|
|
type = types.str;
|
|
|
|
default = name;
|
2020-04-21 15:39:46 +02:00
|
|
|
description = "Domain to fetch certificate for (defaults to the entry name).";
|
2017-04-11 18:28:05 +02:00
|
|
|
};
|
|
|
|
|
2015-12-06 16:55:09 +01:00
|
|
|
email = mkOption {
|
|
|
|
type = types.nullOr types.str;
|
2020-02-03 22:37:22 +01:00
|
|
|
default = cfg.email;
|
2015-12-06 16:55:09 +01:00
|
|
|
description = "Contact email address for the CA to be able to reach you.";
|
|
|
|
};
|
|
|
|
|
2015-12-08 19:09:19 +01:00
|
|
|
group = mkOption {
|
|
|
|
type = types.str;
|
2020-06-19 21:27:46 +02:00
|
|
|
default = "acme";
|
2015-12-11 17:42:17 +01:00
|
|
|
description = "Group running the ACME client.";
|
2015-12-08 19:09:19 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
postRun = mkOption {
|
|
|
|
type = types.lines;
|
|
|
|
default = "";
|
2020-06-19 21:27:46 +02:00
|
|
|
example = "cp full.pem backup.pem";
|
2015-12-08 19:09:19 +01:00
|
|
|
description = ''
|
2020-06-19 21:27:46 +02:00
|
|
|
Commands to run after new certificates go live. Note that
|
2020-09-04 19:48:47 +02:00
|
|
|
these commands run as the root user.
|
2017-11-19 16:41:28 +01:00
|
|
|
|
|
|
|
Executed in the same directory with the new certificate.
|
2015-12-08 19:09:19 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2019-08-29 16:32:59 +02:00
|
|
|
directory = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
readOnly = true;
|
|
|
|
default = "/var/lib/acme/${name}";
|
|
|
|
description = "Directory where certificate and other state is stored.";
|
2017-11-19 16:41:28 +01:00
|
|
|
};
|
|
|
|
|
2020-06-19 21:27:46 +02:00
|
|
|
extraDomainNames = mkOption {
|
|
|
|
type = types.listOf types.str;
|
|
|
|
default = [];
|
2017-06-08 08:46:40 +02:00
|
|
|
example = literalExample ''
|
2020-06-19 21:27:46 +02:00
|
|
|
[
|
|
|
|
"example.org"
|
|
|
|
"mydomain.org"
|
|
|
|
]
|
2017-06-08 08:46:40 +02:00
|
|
|
'';
|
2015-12-08 19:09:19 +01:00
|
|
|
description = ''
|
2020-04-29 21:31:17 +02:00
|
|
|
A list of extra domain names, which are included in the one certificate to be issued.
|
2015-12-08 19:09:19 +01:00
|
|
|
'';
|
2015-12-06 16:55:09 +01:00
|
|
|
};
|
2020-01-12 22:05:57 +01:00
|
|
|
|
2020-01-19 19:24:04 +01:00
|
|
|
keyType = mkOption {
|
|
|
|
type = types.str;
|
nixos/acme: change default keyType to ec256
Previously, the NixOS ACME module defaulted to using P-384 for
TLS certificates. I believe that this is a mistake, and that we
should use P-256 instead, despite it being theoretically
cryptographically weaker.
The security margin of a 256-bit elliptic curve cipher is substantial;
beyond a certain level, more bits in the key serve more to slow things
down than add meaningful protection. It's much more likely that ECDSA
will be broken entirely, or some fatal flaw will be found in the NIST
curves that makes them all insecure, than that the security margin
will be reduced enough to put P-256 at risk but not P-384. It's also
inconsistent to target a curve with a 192-bit security margin when our
recommended nginx TLS configuration allows 128-bit AES. [This Stack
Exchange answer][pornin] by cryptographer Thomas Pornin conveys the
general attitude among experts:
> Use P-256 to minimize trouble. If you feel that your manhood is
> threatened by using a 256-bit curve where a 384-bit curve is
> available, then use P-384: it will increases your computational and
> network costs (a factor of about 3 for CPU, a few extra dozen bytes
> on the network) but this is likely to be negligible in practice (in a
> SSL-powered Web server, the heavy cost is in "Web", not "SSL").
[pornin]: https://security.stackexchange.com/a/78624
While the NIST curves have many flaws (see [SafeCurves][safecurves]),
P-256 and P-384 are no different in this respect; SafeCurves gives
them the same rating. The only NIST curve Bernstein [thinks better of,
P-521][bernstein] (see "Other standard primes"), isn't usable for Web
PKI (it's [not supported by BoringSSL by default][boringssl] and hence
[doesn't work in Chromium/Chrome][chromium], and Let's Encrypt [don't
support it either][letsencrypt]).
[safecurves]: https://safecurves.cr.yp.to/
[bernstein]: https://blog.cr.yp.to/20140323-ecdsa.html
[boringssl]: https://boringssl.googlesource.com/boringssl/+/e9fc3e547e557492316932b62881c3386973ceb2
[chromium]: https://bugs.chromium.org/p/chromium/issues/detail?id=478225
[letsencrypt]: https://letsencrypt.org/docs/integration-guide/#supported-key-algorithms
So there's no real benefit to using P-384; what's the cost? In the
Stack Exchange answer I linked, Pornin estimates a factor of 3×
CPU usage, which wouldn't be so bad; unfortunately, this is wildly
optimistic in practice, as P-256 is much more common and therefore
much better optimized. [This GitHub comment][openssl] measures the
performance differential for raw Diffie-Hellman operations with OpenSSL
1.1.1 at a whopping 14× (even P-521 fares better!); [Caddy disables
P-384 by default][caddy] due to Go's [lack of accelerated assembly
implementations][crypto/elliptic] for it, and the difference there seems
even more extreme: [this golang-nuts post][golang-nuts] measures the key
generation performance differential at 275×. It's unlikely to be the
bottleneck for anyone, but I still feel kind of bad for anyone having
lego generate hundreds of certificates and sign challenges with them
with performance like that...
[openssl]: https://github.com/mozilla/server-side-tls/issues/190#issuecomment-421831599
[caddy]: https://github.com/caddyserver/caddy/blob/2cab475ba516fa725d012f53ca417c3e039607de/modules/caddytls/values.go#L113-L124
[crypto/elliptic]: https://github.com/golang/go/tree/2910c5b4a01a573ebc97744890a07c1a3122c67a/src/crypto/elliptic
[golang-nuts]: https://groups.google.com/forum/#!topic/golang-nuts/nlnJkBMMyzk
In conclusion, there's no real reason to use P-384 in general: if you
don't care about Web PKI compatibility and want to use a nicer curve,
then Ed25519 or P-521 are better options; if you're a NIST-fearing
paranoiac, you should use good old RSA; but if you're a normal person
running a web server, then you're best served by just using P-256. Right
now, NixOS makes an arbitrary decision between two equally-mediocre
curves that just so happens to slow down ECDH key agreement for every
TLS connection by over an order of magnitude; this commit fixes that.
Unfortunately, it seems like existing P-384 certificates won't get
migrated automatically on renewal without manual intervention, but
that's a more general problem with the existing ACME module (see #81634;
I know @yegortimoshenko is working on this). To migrate your
certificates manually, run:
$ sudo find /var/lib/acme/.lego/certificates -type f -delete
$ sudo find /var/lib/acme -name '*.pem' -delete
$ sudo systemctl restart 'acme-*.service' nginx.service
(No warranty. If it breaks, you get to keep both pieces. But it worked
for me.)
2020-03-22 06:27:20 +01:00
|
|
|
default = "ec256";
|
2020-01-19 19:24:04 +01:00
|
|
|
description = ''
|
|
|
|
Key type to use for private keys.
|
|
|
|
For an up to date list of supported values check the --key-type option
|
2020-04-21 15:39:46 +02:00
|
|
|
at <link xlink:href="https://go-acme.github.io/lego/usage/cli/#usage"/>.
|
2020-01-19 19:24:04 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2020-01-12 22:05:57 +01:00
|
|
|
dnsProvider = mkOption {
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
default = null;
|
2020-01-15 10:17:11 +01:00
|
|
|
example = "route53";
|
2020-01-19 19:24:04 +01:00
|
|
|
description = ''
|
|
|
|
DNS Challenge provider. For a list of supported providers, see the "code"
|
2020-04-21 15:39:46 +02:00
|
|
|
field of the DNS providers listed at <link xlink:href="https://go-acme.github.io/lego/dns/"/>.
|
2020-01-19 19:24:04 +01:00
|
|
|
'';
|
2020-01-12 22:05:57 +01:00
|
|
|
};
|
|
|
|
|
2020-10-07 13:01:08 +02:00
|
|
|
dnsResolver = mkOption {
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
default = null;
|
|
|
|
example = "1.1.1.1:53";
|
|
|
|
description = ''
|
|
|
|
Set the resolver to use for performing recursive DNS queries. Supported:
|
|
|
|
host:port. The default is to use the system resolvers, or Google's DNS
|
|
|
|
resolvers if the system's cannot be determined.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2020-01-12 22:05:57 +01:00
|
|
|
credentialsFile = mkOption {
|
2020-01-19 19:24:04 +01:00
|
|
|
type = types.path;
|
2020-01-12 22:05:57 +01:00
|
|
|
description = ''
|
2020-01-19 19:24:04 +01:00
|
|
|
Path to an EnvironmentFile for the cert's service containing any required and
|
|
|
|
optional environment variables for your selected dnsProvider.
|
|
|
|
To find out what values you need to set, consult the documentation at
|
2020-04-21 15:39:46 +02:00
|
|
|
<link xlink:href="https://go-acme.github.io/lego/dns/"/> for the corresponding dnsProvider.
|
2020-01-12 22:05:57 +01:00
|
|
|
'';
|
|
|
|
example = "/var/src/secrets/example.org-route53-api-token";
|
|
|
|
};
|
|
|
|
|
|
|
|
dnsPropagationCheck = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
description = ''
|
2020-01-19 19:24:04 +01:00
|
|
|
Toggles lego DNS propagation check, which is used alongside DNS-01
|
|
|
|
challenge to ensure the DNS entries required are available.
|
2020-01-12 22:05:57 +01:00
|
|
|
'';
|
|
|
|
};
|
2020-02-23 02:51:19 +01:00
|
|
|
|
|
|
|
ocspMustStaple = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
Turns on the OCSP Must-Staple TLS extension.
|
|
|
|
Make sure you know what you're doing! See:
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem>
|
|
|
|
<listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
'';
|
|
|
|
};
|
2020-02-23 03:02:44 +01:00
|
|
|
|
2020-06-08 02:17:55 +02:00
|
|
|
extraLegoFlags = mkOption {
|
|
|
|
type = types.listOf types.str;
|
|
|
|
default = [];
|
|
|
|
description = ''
|
|
|
|
Additional global flags to pass to all lego commands.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2020-02-23 03:02:44 +01:00
|
|
|
extraLegoRenewFlags = mkOption {
|
|
|
|
type = types.listOf types.str;
|
|
|
|
default = [];
|
|
|
|
description = ''
|
|
|
|
Additional flags to pass to lego renew.
|
|
|
|
'';
|
|
|
|
};
|
2020-06-08 02:18:31 +02:00
|
|
|
|
|
|
|
extraLegoRunFlags = mkOption {
|
|
|
|
type = types.listOf types.str;
|
|
|
|
default = [];
|
|
|
|
description = ''
|
|
|
|
Additional flags to pass to lego run.
|
|
|
|
'';
|
|
|
|
};
|
2015-12-06 16:55:09 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2020-06-19 21:27:46 +02:00
|
|
|
in {
|
2019-10-26 00:40:51 +02:00
|
|
|
|
2015-12-06 16:55:09 +01:00
|
|
|
options = {
|
2015-12-11 17:42:17 +01:00
|
|
|
security.acme = {
|
2015-12-06 16:55:09 +01:00
|
|
|
|
2020-01-12 22:05:57 +01:00
|
|
|
validMinDays = mkOption {
|
2015-12-12 14:21:44 +01:00
|
|
|
type = types.int;
|
2020-01-12 22:05:57 +01:00
|
|
|
default = 30;
|
|
|
|
description = "Minimum remaining validity before renewal in days.";
|
|
|
|
};
|
|
|
|
|
|
|
|
email = mkOption {
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
default = null;
|
|
|
|
description = "Contact email address for the CA to be able to reach you.";
|
2015-12-12 14:21:44 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
renewInterval = mkOption {
|
|
|
|
type = types.str;
|
2020-02-23 02:46:46 +01:00
|
|
|
default = "daily";
|
2015-12-12 14:21:44 +01:00
|
|
|
description = ''
|
|
|
|
Systemd calendar expression when to check for renewal. See
|
|
|
|
<citerefentry><refentrytitle>systemd.time</refentrytitle>
|
2017-03-21 08:27:56 +01:00
|
|
|
<manvolnum>7</manvolnum></citerefentry>.
|
2015-12-12 14:21:44 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2019-10-26 00:40:51 +02:00
|
|
|
server = mkOption {
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
default = null;
|
|
|
|
description = ''
|
2020-04-21 15:39:46 +02:00
|
|
|
ACME Directory Resource URI. Defaults to Let's Encrypt's
|
2019-10-26 00:40:51 +02:00
|
|
|
production endpoint,
|
2020-04-21 15:39:46 +02:00
|
|
|
<link xlink:href="https://acme-v02.api.letsencrypt.org/directory"/>, if unset.
|
2019-10-26 00:40:51 +02:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2016-06-01 12:39:46 +02:00
|
|
|
preliminarySelfsigned = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
description = ''
|
|
|
|
Whether a preliminary self-signed certificate should be generated before
|
|
|
|
doing ACME requests. This can be useful when certificates are required in
|
|
|
|
a webserver, but ACME needs the webserver to make its requests.
|
|
|
|
|
|
|
|
With preliminary self-signed certificate the webserver can be started and
|
|
|
|
can later reload the correct ACME certificates.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2020-01-12 22:05:57 +01:00
|
|
|
acceptTerms = mkOption {
|
|
|
|
type = types.bool;
|
2020-01-19 19:24:04 +01:00
|
|
|
default = false;
|
2020-01-12 22:05:57 +01:00
|
|
|
description = ''
|
2020-04-21 15:39:46 +02:00
|
|
|
Accept the CA's terms of service. The default provider is Let's Encrypt,
|
|
|
|
you can find their ToS at <link xlink:href="https://letsencrypt.org/repository/"/>.
|
2020-01-12 22:05:57 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2015-12-06 16:55:09 +01:00
|
|
|
certs = mkOption {
|
|
|
|
default = { };
|
2016-11-16 08:28:27 +01:00
|
|
|
type = with types; attrsOf (submodule certOpts);
|
2015-12-06 16:55:09 +01:00
|
|
|
description = ''
|
2019-08-29 16:32:59 +02:00
|
|
|
Attribute set of certificates to get signed and renewed. Creates
|
|
|
|
<literal>acme-''${cert}.{service,timer}</literal> systemd units for
|
|
|
|
each certificate defined here. Other services can add dependencies
|
|
|
|
to those units if they rely on the certificates being present,
|
|
|
|
or trigger restarts of the service if certificates get renewed.
|
2015-12-06 16:55:09 +01:00
|
|
|
'';
|
2017-06-08 08:46:40 +02:00
|
|
|
example = literalExample ''
|
|
|
|
{
|
|
|
|
"example.com" = {
|
|
|
|
webroot = "/var/www/challenges/";
|
|
|
|
email = "foo@example.com";
|
2020-06-19 21:27:46 +02:00
|
|
|
extraDomainNames = [ "www.example.com" "foo.example.com" ];
|
2017-06-08 08:46:40 +02:00
|
|
|
};
|
|
|
|
"bar.example.com" = {
|
|
|
|
webroot = "/var/www/challenges/";
|
|
|
|
email = "bar@example.com";
|
|
|
|
};
|
|
|
|
}
|
|
|
|
'';
|
2015-12-06 16:55:09 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2020-06-19 21:27:46 +02:00
|
|
|
imports = [
|
|
|
|
(mkRemovedOptionModule [ "security" "acme" "production" ] ''
|
|
|
|
Use security.acme.server to define your staging ACME server URL instead.
|
|
|
|
|
|
|
|
To use the let's encrypt staging server, use security.acme.server =
|
|
|
|
"https://acme-staging-v02.api.letsencrypt.org/directory".
|
|
|
|
''
|
|
|
|
)
|
|
|
|
(mkRemovedOptionModule [ "security" "acme" "directory" ] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")
|
|
|
|
(mkRemovedOptionModule [ "security" "acme" "preDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
|
|
|
|
(mkRemovedOptionModule [ "security" "acme" "activationDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
|
|
|
|
(mkChangedOptionModule [ "security" "acme" "validMin" ] [ "security" "acme" "validMinDays" ] (config: config.security.acme.validMin / (24 * 3600)))
|
|
|
|
];
|
|
|
|
|
2015-12-12 16:06:24 +01:00
|
|
|
config = mkMerge [
|
|
|
|
(mkIf (cfg.certs != { }) {
|
|
|
|
|
2020-06-19 21:27:46 +02:00
|
|
|
# FIXME Most of these custom warnings and filters for security.acme.certs.* are required
|
|
|
|
# because using mkRemovedOptionModule/mkChangedOptionModule with attrsets isn't possible.
|
|
|
|
warnings = filter (w: w != "") (mapAttrsToList (cert: data: if data.extraDomains != "_mkMergedOptionModule" then ''
|
|
|
|
The option definition `security.acme.certs.${cert}.extraDomains` has changed
|
|
|
|
to `security.acme.certs.${cert}.extraDomainNames` and is now a list of strings.
|
|
|
|
Setting a custom webroot for extra domains is not possible, instead use separate certs.
|
|
|
|
'' else "") cfg.certs);
|
|
|
|
|
2020-01-12 22:05:57 +01:00
|
|
|
assertions = let
|
2020-06-19 21:27:46 +02:00
|
|
|
certs = attrValues cfg.certs;
|
2020-01-12 22:05:57 +01:00
|
|
|
in [
|
|
|
|
{
|
|
|
|
assertion = cfg.email != null || all (certOpts: certOpts.email != null) certs;
|
|
|
|
message = ''
|
|
|
|
You must define `security.acme.certs.<name>.email` or
|
2020-06-19 21:27:46 +02:00
|
|
|
`security.acme.email` to register with the CA. Note that using
|
|
|
|
many different addresses for certs may trigger account rate limits.
|
2020-01-12 22:05:57 +01:00
|
|
|
'';
|
|
|
|
}
|
2020-01-19 19:24:04 +01:00
|
|
|
{
|
|
|
|
assertion = cfg.acceptTerms;
|
|
|
|
message = ''
|
|
|
|
You must accept the CA's terms of service before using
|
|
|
|
the ACME module by setting `security.acme.acceptTerms`
|
|
|
|
to `true`. For Let's Encrypt's ToS see https://letsencrypt.org/repository/
|
|
|
|
'';
|
|
|
|
}
|
2020-06-19 21:27:46 +02:00
|
|
|
] ++ (builtins.concatLists (mapAttrsToList (cert: data: [
|
|
|
|
{
|
|
|
|
assertion = data.user == "_mkRemovedOptionModule";
|
|
|
|
message = ''
|
|
|
|
The option definition `security.acme.certs.${cert}.user' no longer has any effect; Please remove it.
|
|
|
|
Certificate user is now hard coded to the "acme" user. If you would
|
|
|
|
like another user to have access, consider adding them to the
|
|
|
|
"acme" group or changing security.acme.certs.${cert}.group.
|
|
|
|
'';
|
|
|
|
}
|
|
|
|
{
|
|
|
|
assertion = data.allowKeysForGroup == "_mkRemovedOptionModule";
|
|
|
|
message = ''
|
|
|
|
The option definition `security.acme.certs.${cert}.allowKeysForGroup' no longer has any effect; Please remove it.
|
|
|
|
All certs are readable by the configured group. If this is undesired,
|
|
|
|
consider changing security.acme.certs.${cert}.group to an unused group.
|
|
|
|
'';
|
|
|
|
}
|
|
|
|
# * in the cert value breaks building of systemd services, and makes
|
|
|
|
# referencing them as a user quite weird too. Best practice is to use
|
|
|
|
# the domain option.
|
|
|
|
{
|
|
|
|
assertion = ! hasInfix "*" cert;
|
|
|
|
message = ''
|
|
|
|
The cert option path `security.acme.certs.${cert}.dnsProvider`
|
|
|
|
cannot contain a * character.
|
|
|
|
Instead, set `security.acme.certs.${cert}.domain = "${cert}";`
|
|
|
|
and remove the wildcard from the path.
|
|
|
|
'';
|
|
|
|
}
|
|
|
|
{
|
|
|
|
assertion = data.dnsProvider == null || data.webroot == null;
|
|
|
|
message = ''
|
|
|
|
Options `security.acme.certs.${cert}.dnsProvider` and
|
|
|
|
`security.acme.certs.${cert}.webroot` are mutually exclusive.
|
|
|
|
'';
|
|
|
|
}
|
|
|
|
]) cfg.certs));
|
2015-12-12 16:06:24 +01:00
|
|
|
|
2020-06-19 21:27:46 +02:00
|
|
|
users.users.acme = {
|
|
|
|
home = "/var/lib/acme";
|
|
|
|
group = "acme";
|
|
|
|
isSystemUser = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
users.groups.acme = {};
|
|
|
|
|
|
|
|
systemd.services = {
|
|
|
|
"acme-fixperms" = userMigrationService;
|
|
|
|
} // (mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewService) certConfigs)
|
|
|
|
// (optionalAttrs (cfg.preliminarySelfsigned) ({
|
|
|
|
"acme-selfsigned-ca" = selfsignCAService;
|
|
|
|
} // (mapAttrs' (cert: conf: nameValuePair "acme-selfsigned-${cert}" conf.selfsignService) certConfigs)));
|
|
|
|
|
|
|
|
systemd.timers = mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewTimer) certConfigs;
|
|
|
|
|
2020-12-13 23:19:53 +01:00
|
|
|
systemd.tmpfiles.rules = unique (
|
|
|
|
flatten (
|
|
|
|
mapAttrsToList (
|
|
|
|
cert: conf:
|
|
|
|
optional (conf.webroot != null) "d ${conf.webroot}/.well-known/acme-challenge - acme ${conf.group}"
|
|
|
|
) certConfigs
|
|
|
|
)
|
|
|
|
);
|
2020-06-19 21:27:46 +02:00
|
|
|
|
2020-12-13 21:22:33 +01:00
|
|
|
systemd.targets = let
|
|
|
|
# Create some targets which can be depended on to be "active" after cert renewals
|
|
|
|
finishedTargets = mapAttrs' (cert: conf: nameValuePair "acme-finished-${cert}" {
|
|
|
|
wantedBy = [ "default.target" ];
|
|
|
|
requires = [ "acme-${cert}.service" ] ++ conf.selfsignedDeps;
|
|
|
|
after = [ "acme-${cert}.service" ] ++ conf.selfsignedDeps;
|
|
|
|
}) certConfigs;
|
|
|
|
|
|
|
|
# Create targets to limit the number of simultaneous account creations
|
|
|
|
accountTargets = mapAttrs' (hash: confs: let
|
|
|
|
leader = "acme-${(builtins.head confs).cert}.service";
|
|
|
|
dependantServices = map (conf: "acme-${conf.cert}.service") (builtins.tail confs);
|
|
|
|
in nameValuePair "acme-account-${hash}" {
|
|
|
|
requiredBy = dependantServices;
|
|
|
|
before = dependantServices;
|
|
|
|
requires = [ leader ];
|
|
|
|
after = [ leader ];
|
|
|
|
}) (groupBy (conf: conf.accountHash) (attrValues certConfigs));
|
|
|
|
in finishedTargets // accountTargets;
|
2020-06-19 21:27:46 +02:00
|
|
|
})
|
2015-12-12 16:06:24 +01:00
|
|
|
];
|
2015-12-06 16:55:09 +01:00
|
|
|
|
2016-05-09 07:53:27 +02:00
|
|
|
meta = {
|
2020-04-20 02:36:13 +02:00
|
|
|
maintainers = lib.teams.acme.members;
|
2016-05-09 07:53:27 +02:00
|
|
|
doc = ./acme.xml;
|
|
|
|
};
|
2015-12-06 16:55:09 +01:00
|
|
|
}
|