Unverified Commit 3c2e8233 authored by ThinkChaos's avatar ThinkChaos

nixos/web-servers: assert ACME cert access via service user and groups

Allows giving access using SupplementaryGroups.
parent 03122b43
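--- a/nixos/modules/security/acme/mk-cert-ownership-assertion.nix
+++ b/nixos/modules/security/acme/mk-cert-ownership-assertion.nix
@@ -1,4 +1,21 @@
-{ cert, group, groups, user }: {
-  assertion = cert.group == group || builtins.any (u: u == user) groups.${cert.group}.members;
-  message = "Group for certificate ${cert.domain} must be ${group}, or user ${user} must be a member of group ${cert.group}";
+lib:
+
+{ cert, groups, services }:
+let
+  catSep = builtins.concatStringsSep;
+
+  svcGroups = svc:
+    (lib.optional (svc.serviceConfig ? Group) svc.serviceConfig.Group)
+    ++ (svc.serviceConfig.SupplementaryGroups or [ ]);
+in
+{
+  assertion = builtins.all (svc:
+    svc.serviceConfig.User or "root" == "root"
+    || builtins.elem svc.serviceConfig.User groups.${cert.group}.members
+    || builtins.elem cert.group (svcGroups svc)
+  ) services;
+
+  message = "Certificate ${cert.domain} (group=${cert.group}) must be readable by service(s) ${
+    catSep ", " (map (svc: "${svc.name} (user=${svc.serviceConfig.User} groups=${catSep " " (svcGroups svc)})") services)
+  }";
 }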
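Review bot: The message built by `map (svc: …)` interpolates `svc.serviceConfig.User` unconditionally, whereas the assertion itself tolerates a missing `User` via `or "root"`; when a failing service shares the `services` list with a user-less one (a `*-config-reload` oneshot, for instance), rendering the message aborts with a missing-attribute error instead of the intended explanation, so mirror the fallback there: `user=${svc.serviceConfig.User or "root"}`. The root shortcut on the first line of the assertion is also too generous for units that set `DynamicUser = true` without `User`: those run as a transient unprivileged user, not root, and should fall through to the group checks — `(svc.serviceConfig.User or "root") == "root" && !(svc.serviceConfig.DynamicUser or false)`. The `groups.${cert.group}.members` lookup still throws rather than failing the assertion when `cert.group` is not a declared group (pre-existing), and, if I recall NixOS right, it does not see membership granted through `users.users.<name>.extraGroups`, so such setups must use `SupplementaryGroups`; a comment above `assertion` stating both limitations would save the next reader a debugging round.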
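--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -373,7 +373,7 @@ let
       echo "$options" >> $out
     '';
 
-  mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
+  mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;
 in
 
 
@@ -643,9 +643,9 @@ in
         '';
       }
     ] ++ map (name: mkCertOwnershipAssertion {
-      inherit (cfg) group user;
       cert = config.security.acme.certs.${name};
       groups = config.users.groups;
+      services = [ config.systemd.services.httpd ] ++ lib.optional (vhostCertNames != []) config.systemd.services.httpd-config-reload;
     }) vhostCertNames;
 
     warnings =
@@ -795,7 +795,7 @@ in
     systemd.services.httpd-config-reload = let
       sslServices = map (certName: "acme-${certName}.service") vhostCertNames;
       sslTargets = map (certName: "acme-finished-${certName}.target") vhostCertNames;
-    in mkIf (sslServices != []) {
+    in mkIf (vhostCertNames != []) {
       wantedBy = sslServices ++ [ "multi-user.target" ];
       # Before the finished targets, after the renew services.
       # This service might be needed for HTTP-01 challenges, but we only want to confirm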
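Review bot: The `lib.optional (vhostCertNames != [])` guard on the new `services` line is always true where it sits, because the assertion is produced by `map (name: …) vhostCertNames` and only exists when that list is non-empty; it reads as if `httpd-config-reload` could be absent when, at that point, it cannot. Either drop it, `services = [ config.systemd.services.httpd config.systemd.services.httpd-config-reload ];`, or keep it and say why it is there: `# mirrors the mkIf that defines httpd-config-reload below, so the unit is never referenced when undefined`. The check now inspects the units' `serviceConfig.User` rather than `cfg.user`/`cfg.group`; if the httpd unit runs its parent as root and drops privileges inside Apache (not visible in this hunk), the assertion is satisfied trivially for httpd, which is correct for key loading by the master process but worth a comment so nobody expects it to validate `cfg.user`. Both the `assertions` list and the `httpd-config-reload` unit definition extend beyond their hunks.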
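--- a/nixos/modules/services/web-servers/caddy/default.nix
+++ b/nixos/modules/services/web-servers/caddy/default.nix
@@ -55,7 +55,7 @@ let
 
   configPath = "/etc/${etcConfigFile}";
 
-  mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
+  mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;
 in
 {
   imports = [
@@ -331,9 +331,9 @@ in
         message = "To specify an adapter other than 'caddyfile' please provide your own configuration via `services.caddy.configFile`";
       }
     ] ++ map (name: mkCertOwnershipAssertion {
-      inherit (cfg) group user;
       cert = config.security.acme.certs.${name};
       groups = config.users.groups;
+      services = [ config.systemd.services.caddy ];
     }) vhostCertNames;
 
     services.caddy.globalConfig = ''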
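--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -473,7 +473,7 @@ let
     '') authDef)
   );
 
-  mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
+  mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;
 
   oldHTTP2 = (versionOlder cfg.package.version "1.25.1" && !(cfg.package.pname == "angie" || cfg.package.pname == "angieQuic"));
 in
@@ -1211,9 +1211,9 @@ in
         '';
       }
     ] ++ map (name: mkCertOwnershipAssertion {
-      inherit (cfg) group user;
       cert = config.security.acme.certs.${name};
       groups = config.users.groups;
+      services = [ config.systemd.services.nginx ] ++ lib.optional (cfg.enableReload || vhostCertNames != []) config.systemd.services.nginx-config-reload;
     }) vhostCertNames;
 
     services.nginx.additionalModules = optional cfg.recommendedBrotliSettings pkgs.nginxModules.brotli
@@ -1322,7 +1322,7 @@ in
     systemd.services.nginx-config-reload = let
       sslServices = map (certName: "acme-${certName}.service") vhostCertNames;
       sslTargets = map (certName: "acme-finished-${certName}.target") vhostCertNames;
-    in mkIf (cfg.enableReload || sslServices != []) {
+    in mkIf (cfg.enableReload || vhostCertNames != []) {
       wants = optionals cfg.enableReload [ "nginx.service" ];
       wantedBy = sslServices ++ [ "multi-user.target" ];
       # Before the finished targets, after the renew services.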
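Review bot: The `cfg.enableReload || vhostCertNames != []` guard on the new `services` line is always true at that point, because the assertion is produced by `map (name: …) vhostCertNames` and only exists when that list is non-empty, so `nginx-config-reload` is unconditionally included and the `enableReload` operand is dead. The expression still has to be kept textually in step with the `mkIf` that defines `systemd.services.nginx-config-reload` in the last hunk, and nothing enforces that; either simplify to `services = [ config.systemd.services.nginx config.systemd.services.nginx-config-reload ];` or leave it and mark the coupling: `# keep in sync with the mkIf guarding nginx-config-reload below; referencing the unit when it is undefined fails evaluation`. Both the `assertions` list and the `nginx-config-reload` unit definition extend beyond their hunks.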