nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-25 08:23:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

nixos/web-servers: assert ACME cert access via service user and groups

Browse Source 
Allows giving access using SupplementaryGroups.
This commit is contained in:
ThinkChaos 2024-08-24 19:18:07 -04:00
parent 03122b43c8
commit 3c2e82337d
No known key found for this signature in database
4 changed files with 28 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
nixos/modules/security/acme/mk-cert-ownership-assertion.nix
View File

@ -1,4 +1,21 @@
{ cert, group, groups, user }: { lib:
assertion = cert.group == group || builtins.any (u: u == user) groups.${cert.group}.members;
message = "Group for certificate ${cert.domain} must be ${group}, or user ${user} must be a member of group ${cert.group}"; { cert, groups, services }:
let
catSep = builtins.concatStringsSep;
svcGroups = svc:
(lib.optional (svc.serviceConfig ? Group) svc.serviceConfig.Group)
++ (svc.serviceConfig.SupplementaryGroups or [ ]);
in
{
assertion = builtins.all (svc:
svc.serviceConfig.User or "root" == "root"
|| builtins.elem svc.serviceConfig.User groups.${cert.group}.members
|| builtins.elem cert.group (svcGroups svc)
) services;
message = "Certificate ${cert.domain} (group=${cert.group}) must be readable by service(s) ${
catSep ", " (map (svc: "${svc.name} (user=${svc.serviceConfig.User} groups=${catSep " " (svcGroups svc)})") services)
}";
} }

6
nixos/modules/services/web-servers/apache-httpd/default.nix
View File

@ -373,7 +373,7 @@ let
echo "$options" >> $out echo "$options" >> $out
''; '';
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix; mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;
in in
@ -643,9 +643,9 @@ in
''; '';
} }
] ++ map (name: mkCertOwnershipAssertion { ] ++ map (name: mkCertOwnershipAssertion {
inherit (cfg) group user;
cert = config.security.acme.certs.${name}; cert = config.security.acme.certs.${name};
groups = config.users.groups; groups = config.users.groups;
services = [ config.systemd.services.httpd ] ++ lib.optional (vhostCertNames != []) config.systemd.services.httpd-config-reload;
}) vhostCertNames; }) vhostCertNames;
warnings = warnings =
@ -795,7 +795,7 @@ in
systemd.services.httpd-config-reload = let systemd.services.httpd-config-reload = let
sslServices = map (certName: "acme-${certName}.service") vhostCertNames; sslServices = map (certName: "acme-${certName}.service") vhostCertNames;
sslTargets = map (certName: "acme-finished-${certName}.target") vhostCertNames; sslTargets = map (certName: "acme-finished-${certName}.target") vhostCertNames;
in mkIf (sslServices != []) { in mkIf (vhostCertNames != []) {
wantedBy = sslServices ++ [ "multi-user.target" ]; wantedBy = sslServices ++ [ "multi-user.target" ];
# Before the finished targets, after the renew services. # Before the finished targets, after the renew services.
# This service might be needed for HTTP-01 challenges, but we only want to confirm # This service might be needed for HTTP-01 challenges, but we only want to confirm

4
nixos/modules/services/web-servers/caddy/default.nix
View File

@ -55,7 +55,7 @@ let
configPath = "/etc/${etcConfigFile}"; configPath = "/etc/${etcConfigFile}";
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix; mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;
in in
{ {
imports = [ imports = [
@ -331,9 +331,9 @@ in
message = "To specify an adapter other than 'caddyfile' please provide your own configuration via `services.caddy.configFile`"; message = "To specify an adapter other than 'caddyfile' please provide your own configuration via `services.caddy.configFile`";
} }
] ++ map (name: mkCertOwnershipAssertion { ] ++ map (name: mkCertOwnershipAssertion {
inherit (cfg) group user;
cert = config.security.acme.certs.${name}; cert = config.security.acme.certs.${name};
groups = config.users.groups; groups = config.users.groups;
services = [ config.systemd.services.caddy ];
}) vhostCertNames; }) vhostCertNames;
services.caddy.globalConfig = '' services.caddy.globalConfig = ''

6
nixos/modules/services/web-servers/nginx/default.nix
View File

@ -473,7 +473,7 @@ let
'') authDef) '') authDef)
); );
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix; mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;
oldHTTP2 = (versionOlder cfg.package.version "1.25.1" && !(cfg.package.pname == "angie" || cfg.package.pname == "angieQuic")); oldHTTP2 = (versionOlder cfg.package.version "1.25.1" && !(cfg.package.pname == "angie" || cfg.package.pname == "angieQuic"));
in in
@ -1211,9 +1211,9 @@ in
''; '';
} }
] ++ map (name: mkCertOwnershipAssertion { ] ++ map (name: mkCertOwnershipAssertion {
inherit (cfg) group user;
cert = config.security.acme.certs.${name}; cert = config.security.acme.certs.${name};
groups = config.users.groups; groups = config.users.groups;
services = [ config.systemd.services.nginx ] ++ lib.optional (cfg.enableReload || vhostCertNames != []) config.systemd.services.nginx-config-reload;
}) vhostCertNames; }) vhostCertNames;
services.nginx.additionalModules = optional cfg.recommendedBrotliSettings pkgs.nginxModules.brotli services.nginx.additionalModules = optional cfg.recommendedBrotliSettings pkgs.nginxModules.brotli
@ -1322,7 +1322,7 @@ in
systemd.services.nginx-config-reload = let systemd.services.nginx-config-reload = let
sslServices = map (certName: "acme-${certName}.service") vhostCertNames; sslServices = map (certName: "acme-${certName}.service") vhostCertNames;
sslTargets = map (certName: "acme-finished-${certName}.target") vhostCertNames; sslTargets = map (certName: "acme-finished-${certName}.target") vhostCertNames;
in mkIf (cfg.enableReload || sslServices != []) { in mkIf (cfg.enableReload || vhostCertNames != []) {
wants = optionals cfg.enableReload [ "nginx.service" ]; wants = optionals cfg.enableReload [ "nginx.service" ];
wantedBy = sslServices ++ [ "multi-user.target" ]; wantedBy = sslServices ++ [ "multi-user.target" ];
# Before the finished targets, after the renew services. # Before the finished targets, after the renew services.