authorWojtek Kosior <koszko@koszko.org>2023-05-03 21:12:43 +0200
committerWojtek Kosior <koszko@koszko.org>2023-05-03 21:52:45 +0200
commit75af5d1e53c8564767589bd0978fe5255f44394b (patch)
treef9be2216d9a4e5dc4db2fca0e943b8ea395bc339
parent73cc7aac7d7bd5ee01cad2b9ed34af31345bde3d (diff)
make TLS certs usable by both guix' and host's daemons
-rw-r--r--Makefile6
-rw-r--r--container.scm33
-rwxr-xr-xguix-container.sh3
3 files changed, 33 insertions, 9 deletions
diff --git a/Makefile b/Makefile
index 27034d7..5f9b51b 100644
--- a/Makefile
+++ b/Makefile
@@ -67,6 +67,7 @@ sample-malcontent:
"$$(realpath $@)" | \
make -C subrepos/hydrilla shell-with-haketilo
+LETSENCRYPT_ETC_DIR = $(TEST_ROOT_DIR)/etc/letsencrypt
HYDRILLA_WEBSITE_ETC_DIR = $(TEST_ROOT_DIR)/etc/guix-container/hydrilla-website
MALCONTENT_DIR = $(TEST_ROOT_DIR)/var/lib/hydrilla/malcontent_dirs
GITOLITE_DIR = $(TEST_ROOT_DIR)/var/lib/gitolite3
@@ -86,6 +87,11 @@ prepare-test-root: sample-malcontent
done
@# Prepare replacement `/var/log`
mkdir -p $(TEST_ROOT_DIR)/var/log
+ @# Prepare replacement `/etc/letsencrypt`
+ mkdir --mode=755 -p $(LETSENCRYPT_ETC_DIR)
+ printf 'test secret\n' > $(LETSENCRYPT_ETC_DIR)/dummy-keys-and-stuff.txt
+ chmod 540 $(LETSENCRYPT_ETC_DIR)/dummy-keys-and-stuff.txt
+ chgrp 1001 $(LETSENCRYPT_ETC_DIR)/dummy-keys-and-stuff.txt
@# Prepare replacement `/etc`
mkdir --mode=750 -p $(HYDRILLA_WEBSITE_ETC_DIR)
printf 'test non-secret\n' > $(HYDRILLA_WEBSITE_ETC_DIR)/secret.txt
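Review bot: `chgrp 1001` on the new dummy-keys line bakes in the numeric gid of the `certsaccess` group that container.scm declares in this same commit, and it only succeeds when the recipe runs as root or as a member of gid 1001, which nothing visible in this test-fixture target arranges. The file is also created by `>` under the caller's umask and only afterwards tightened with `chmod 540`; harmless for a fixture, but `(umask 077; printf 'test secret\n' > $(LETSENCRYPT_ETC_DIR)/dummy-keys-and-stuff.txt)` followed by the existing chmod closes that window. At minimum name the coupling above the mkdir: `@# gid 1001 = the "certsaccess" group declared in container.scm`. prepare-test-root continues outside the hunk.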
diff --git a/container.scm b/container.scm
index 5eead94..7af2a25 100644
--- a/container.scm
+++ b/container.scm
@@ -368,8 +368,15 @@
(define %koszko-httpd-deploy-hook
(program-file
"httpd-deploy-hook"
- #~(let ((pid (call-with-input-file "/var/run/httpd" read)))
- (kill pid SIGHUP))))
+ #~(begin
+ (for-each (lambda (subdir)
+ (system* "chgrp" "-R" "certsaccess"
+ (string-append "/etc/letsencrypt/" subdir)))
+ '("live" "archive"))
+ (system* "find" "/etc/letsencrypt/archive/" "-name" "privkey1.pem"
+ "-exec" "chmod" "640" "{}" ";")
+ (kill (call-with-input-file "/var/run/httpd" read)
+ SIGHUP))))
(define %certbot-token-filename-gexp
#~(format #f "/srv/http/acme-challenge/~a" (getenv "CERTBOT_TOKEN")))
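Review bot: The `find` at the `"privkey1.pem"` line only matches the first key of a lineage; after a renewal certbot writes `privkey2.pem`, `privkey3.pem`, … into `archive/`, and this hook runs precisely on those deploys, so later keys keep whatever mode certbot gave them — use `"-name" "privkey*.pem"` there. The `chgrp -R` also walks every lineage under `live/` and `archive/`, including the ones the host's own certbot manages (the `guixbot_` name prefix added further down does not restrict it), so gid 1001 gains read access to all of the host's keys rather than only the container's; if certbot's `RENEWED_LINEAGE` is set for this invocation, scoping both commands to it keeps the change to the lineage just deployed. The `system*` exit statuses are discarded as well, so a failed chgrp still ends in a SIGHUP to httpd.
```scheme
#~(let ((lineage (getenv "RENEWED_LINEAGE")))
    ;; Only touch the lineage certbot just deployed, not every
    ;; lineage under /etc/letsencrypt (the host's included).
    (when lineage
      (let ((archive (string-append "/etc/letsencrypt/archive/"
                                    (basename lineage))))
        (system* "chgrp" "-R" "certsaccess" lineage archive)
        (system* "find" archive "-name" "privkey*.pem"
                 "-exec" "chmod" "640" "{}" ";")))
    ;; … unchanged: SIGHUP to the pid read from /var/run/httpd …
    )
```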
@@ -403,6 +410,7 @@
(service-type-extensions certbot-service-type))))
(certbot-configuration
(email "koszko@koszko.org")
+ (rsa-key-size 4096)
(certificates
(map
(match-lambda
@@ -410,8 +418,9 @@
(let ((www-aliases (map (cut string-append "www." <>)
(if auto-www-aliases name-and-aliases '()))))
(certificate-configuration
- (challenge "http")
+ (name (string-append "guixbot_" (car name-and-aliases)))
(domains (append name-and-aliases www-aliases))
+ (challenge "http")
(authentication-hook %koszko-certbot-auth-hook)
(cleanup-hook %koszko-certbot-cleanup-hook)
(deploy-hook %koszko-httpd-deploy-hook)))))
@@ -421,9 +430,9 @@
(host-name "koszko")
(timezone "Europe/Warsaw")
(groups (cons*
- ;; The `httpd` and `gitolite3` groups must have explicit ids so that
- ;; the host can provide files that are readable by Apache and not
- ;; readable by the world.
+ ;; Some groups must have explicit ids so that the host can provide
+ ;; files that are readable by certain daemons and not readable by the
+ ;; world.
(user-group
(name "httpd")
(id 133)
@@ -432,15 +441,21 @@
(name "gitolite3")
(id 118)
(system? #t))
+ (user-group
+ (name "certsaccess")
+ (id 1001)
+ (system? #t))
%base-groups))
(users (cons*
(user-account
(name "httpd")
(group "httpd")
- (supplementary-groups '("gitolite3"))
+ (supplementary-groups '("gitolite3" "certsaccess"))
(system? #t))
- ;; the gitolite user must also have an id that matches the respective
- ;; host user's one
+ ;; The gitolite user must also have an id that matches the respective
+ ;; host user's one — otherwise the cgit CGI process floods logs with
+ ;; an error about being unable to determine permissions of some
+ ;; files...
(user-account
(name "gitolite3")
(group "gitolite3")
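Review bot: The new `certsaccess` group at the `(id 1001)` line carries no comment, while the block comment above now only says "some groups" and the gitolite user below explains why its id is fixed; 1001 is also hard-coded as a bare number in the Makefile's `chgrp 1001`, so the reason for this exact value is recorded nowhere. Add `;; id must match the host group that owns the shared /etc/letsencrypt keys (and the chgrp in the Makefile's prepare-test-root).` above that `(user-group`. Note that 1001 sits in the range normally handed to regular users' primary groups, so on the host it presumably has to be created deliberately before an ordinary account takes it — worth stating in the same comment.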
diff --git a/guix-container.sh b/guix-container.sh
index 8a358b8..902ee94 100755
--- a/guix-container.sh
+++ b/guix-container.sh
@@ -99,6 +99,7 @@ start() {
HYDRILLA_HTTP_REAL="$HOST_SYSTEM_ROOT"/var/www/hydrilla.koszko.org/html
HYDRILLAREPOS_HTTP_REAL="$HOST_SYSTEM_ROOT"/var/www/hydrillarepos.koszko.org/html
LOG_REAL="$LOG_DIR"/container
+ ETC_LETSENCRYPT_REAL="$HOST_SYSTEM_ROOT"/etc/letsencrypt
ETC_REAL="$HOST_SYSTEM_ROOT"/etc/guix-container
VAR_HYDRILLA_REAL="$HOST_SYSTEM_ROOT"/var/lib/hydrilla
VAR_GITOLITE_REAL="$HOST_SYSTEM_ROOT"/var/lib/gitolite3
@@ -107,6 +108,7 @@ start() {
HYDRILLA_HTTP_DIR_SHARE_OPT=--share="$HYDRILLA_HTTP_REAL"=/srv/http/hydrilla.koszko.org
HYDRILLAREPOS_HTTP_DIR_SHARE_OPT=--share="$HYDRILLAREPOS_HTTP_REAL"=/srv/http/hydrillarepos.koszko.org
LOG_DIR_SHARE_OPT=--share="$LOG_REAL"=/var/log
+ ETC_LETSENCRYPT_DIR_SHARE_OPT=--share="$ETC_LETSENCRYPT_REAL"=/etc/letsencrypt
ETC_DIR_SHARE_OPT=--share="$ETC_REAL"=/etc
VAR_HYDRILLA_DIR_SHARE_OPT=--share="$VAR_HYDRILLA_REAL"=/var/lib/hydrilla
VAR_GITOLITE_DIR_SHARE_OPT=--share="$VAR_GITOLITE_REAL"=/var/lib/gitolite3
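Review bot: The new `ETC_LETSENCRYPT_DIR_SHARE_OPT` line bind-mounts the host's entire `/etc/letsencrypt` read-write (`--share`, as opposed to the read-only `--expose`), so the container sees the host's ACME account keys and renewal configs in addition to `live/` and `archive/`, and its deploy hook rewrites ownership and modes on the host tree. That is presumably intended, since the containerized certbot has to write its own lineages, but nothing says so; a comment such as `# rw on purpose: the container's certbot writes guixbot_* lineages here and its deploy hook chgrps them` would spare the next reader the question. start() continues outside the hunk.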
@@ -118,6 +120,7 @@ start() {
"$HYDRILLA_HTTP_DIR_SHARE_OPT" \
"$HYDRILLAREPOS_HTTP_DIR_SHARE_OPT" \
"$LOG_DIR_SHARE_OPT" \
+ "$ETC_LETSENCRYPT_DIR_SHARE_OPT" \
"$ETC_DIR_SHARE_OPT" \
"$VAR_HYDRILLA_DIR_SHARE_OPT" \
"$VAR_GITOLITE_DIR_SHARE_OPT" \