make TLS certs usable by both guix' and host's daemons

3 files changed, 33 insertions, 9 deletions

diff --git a/Makefile b/Makefile
index 27034d7..5f9b51b 100644
--- a/Makefile
+++ b/Makefile
@@ -67,6 +67,7 @@ sample-malcontent:
 		"$$(realpath $@)" | \
 		make -C subrepos/hydrilla shell-with-haketilo
 
+LETSENCRYPT_ETC_DIR = $(TEST_ROOT_DIR)/etc/letsencrypt
 HYDRILLA_WEBSITE_ETC_DIR = $(TEST_ROOT_DIR)/etc/guix-container/hydrilla-website
 MALCONTENT_DIR = $(TEST_ROOT_DIR)/var/lib/hydrilla/malcontent_dirs
 GITOLITE_DIR = $(TEST_ROOT_DIR)/var/lib/gitolite3
@@ -86,6 +87,11 @@ prepare-test-root: sample-malcontent
 	done
 	@# Prepare replacement `/var/log`
 	mkdir -p $(TEST_ROOT_DIR)/var/log
+	@# Prepare replacement `/etc/letsencrypt`
+	mkdir --mode=755 -p $(LETSENCRYPT_ETC_DIR)
+	printf 'test secret\n' > $(LETSENCRYPT_ETC_DIR)/dummy-keys-and-stuff.txt
+	chmod 540 $(LETSENCRYPT_ETC_DIR)/dummy-keys-and-stuff.txt
+	chgrp 1001 $(LETSENCRYPT_ETC_DIR)/dummy-keys-and-stuff.txt
 	@# Prepare replacement `/etc`
 	mkdir --mode=750 -p $(HYDRILLA_WEBSITE_ETC_DIR)
 	printf 'test non-secret\n' > $(HYDRILLA_WEBSITE_ETC_DIR)/secret.txt
diff --git a/container.scm b/container.scm
index 5eead94..7af2a25 100644
--- a/container.scm
+++ b/container.scm
@@ -368,8 +368,15 @@
 (define %koszko-httpd-deploy-hook
   (program-file
    "httpd-deploy-hook"
-   #~(let ((pid (call-with-input-file "/var/run/httpd" read)))
-       (kill pid SIGHUP))))
+   #~(begin
+       (for-each (lambda (subdir)
+                   (system* "chgrp" "-R" "certsaccess"
+                            (string-append "/etc/letsencrypt/" subdir)))
+                 '("live" "archive"))
+       (system* "find" "/etc/letsencrypt/archive/" "-name" "privkey1.pem"
+                "-exec" "chmod" "640" "{}" ";")
+       (kill (call-with-input-file "/var/run/httpd" read)
+             SIGHUP))))
 
 (define %certbot-token-filename-gexp
   #~(format #f "/srv/http/acme-challenge/~a" (getenv "CERTBOT_TOKEN")))
@@ -403,6 +410,7 @@
                  (service-type-extensions certbot-service-type))))
    (certbot-configuration
     (email "koszko@koszko.org")
+    (rsa-key-size 4096)
     (certificates
      (map
       (match-lambda
@@ -410,8 +418,9 @@
          (let ((www-aliases (map (cut string-append "www." <>)
                                  (if auto-www-aliases name-and-aliases '()))))
            (certificate-configuration
-            (challenge "http")
+            (name (string-append "guixbot_" (car name-and-aliases)))
             (domains (append name-and-aliases www-aliases))
+            (challenge "http")
             (authentication-hook %koszko-certbot-auth-hook)
             (cleanup-hook %koszko-certbot-cleanup-hook)
             (deploy-hook %koszko-httpd-deploy-hook)))))
@@ -421,9 +430,9 @@
   (host-name "koszko")
   (timezone "Europe/Warsaw")
   (groups (cons*
-           ;; The `httpd` and `gitolite3` groups must have explicit ids so that
-           ;; the host can provide files that are readable by Apache and not
-           ;; readable by the world.
+           ;; Some groups must have explicit ids so that the host can provide
+           ;; files that are readable by certain daemons and not readable by the
+           ;; world.
            (user-group
             (name "httpd")
             (id 133)
@@ -432,15 +441,21 @@
             (name "gitolite3")
             (id 118)
             (system? #t))
+           (user-group
+            (name "certsaccess")
+            (id 1001)
+            (system? #t))
            %base-groups))
   (users (cons*
           (user-account
            (name "httpd")
            (group "httpd")
-           (supplementary-groups '("gitolite3"))
+           (supplementary-groups '("gitolite3" "certsaccess"))
            (system? #t))
-          ;; the gitolite user must also have an id that matches the respective
-          ;; host user's one
+          ;; The gitolite user must also have an id that matches the respective
+          ;; host user's one — otherwise the cgit CGI process floods logs with
+          ;; an error about being unable to determine permissions of some
+          ;; files...
           (user-account
            (name "gitolite3")
            (group "gitolite3")
diff --git a/guix-container.sh b/guix-container.sh
index 8a358b8..902ee94 100755
--- a/guix-container.sh
+++ b/guix-container.sh
@@ -99,6 +99,7 @@ start() {
     HYDRILLA_HTTP_REAL="$HOST_SYSTEM_ROOT"/var/www/hydrilla.koszko.org/html
     HYDRILLAREPOS_HTTP_REAL="$HOST_SYSTEM_ROOT"/var/www/hydrillarepos.koszko.org/html
     LOG_REAL="$LOG_DIR"/container
+    ETC_LETSENCRYPT_REAL="$HOST_SYSTEM_ROOT"/etc/letsencrypt
     ETC_REAL="$HOST_SYSTEM_ROOT"/etc/guix-container
     VAR_HYDRILLA_REAL="$HOST_SYSTEM_ROOT"/var/lib/hydrilla
     VAR_GITOLITE_REAL="$HOST_SYSTEM_ROOT"/var/lib/gitolite3
@@ -107,6 +108,7 @@ start() {
     HYDRILLA_HTTP_DIR_SHARE_OPT=--share="$HYDRILLA_HTTP_REAL"=/srv/http/hydrilla.koszko.org
     HYDRILLAREPOS_HTTP_DIR_SHARE_OPT=--share="$HYDRILLAREPOS_HTTP_REAL"=/srv/http/hydrillarepos.koszko.org
     LOG_DIR_SHARE_OPT=--share="$LOG_REAL"=/var/log
+    ETC_LETSENCRYPT_DIR_SHARE_OPT=--share="$ETC_LETSENCRYPT_REAL"=/etc/letsencrypt
     ETC_DIR_SHARE_OPT=--share="$ETC_REAL"=/etc
     VAR_HYDRILLA_DIR_SHARE_OPT=--share="$VAR_HYDRILLA_REAL"=/var/lib/hydrilla
     VAR_GITOLITE_DIR_SHARE_OPT=--share="$VAR_GITOLITE_REAL"=/var/lib/gitolite3
@@ -118,6 +120,7 @@ start() {
                   "$HYDRILLA_HTTP_DIR_SHARE_OPT"                       \
                   "$HYDRILLAREPOS_HTTP_DIR_SHARE_OPT"                  \
                   "$LOG_DIR_SHARE_OPT"                                 \
+                  "$ETC_LETSENCRYPT_DIR_SHARE_OPT"                     \
                   "$ETC_DIR_SHARE_OPT"                                 \
                   "$VAR_HYDRILLA_DIR_SHARE_OPT"                        \
                   "$VAR_GITOLITE_DIR_SHARE_OPT"                        \