author | Wojtek Kosior <koszko@koszko.org> | 2023-05-03 21:12:43 +0200 |
---|---|---|
committer | Wojtek Kosior <koszko@koszko.org> | 2023-05-03 21:52:45 +0200 |
commit | 75af5d1e53c8564767589bd0978fe5255f44394b (patch) | |
tree | f9be2216d9a4e5dc4db2fca0e943b8ea395bc339 | |
parent | 73cc7aac7d7bd5ee01cad2b9ed34af31345bde3d (diff) | |
make TLS certs usable by both guix' and host's daemons
-rw-r--r-- | Makefile | 6 | ||||
-rw-r--r-- | container.scm | 33 | ||||
-rwxr-xr-x | guix-container.sh | 3 |
3 files changed, 33 insertions, 9 deletions
@@ -67,6 +67,7 @@ sample-malcontent: "$$(realpath $@)" | \ make -C subrepos/hydrilla shell-with-haketilo +LETSENCRYPT_ETC_DIR = $(TEST_ROOT_DIR)/etc/letsencrypt HYDRILLA_WEBSITE_ETC_DIR = $(TEST_ROOT_DIR)/etc/guix-container/hydrilla-website MALCONTENT_DIR = $(TEST_ROOT_DIR)/var/lib/hydrilla/malcontent_dirs GITOLITE_DIR = $(TEST_ROOT_DIR)/var/lib/gitolite3 @@ -86,6 +87,11 @@ prepare-test-root: sample-malcontent done @# Prepare replacement `/var/log` mkdir -p $(TEST_ROOT_DIR)/var/log + @# Prepare replacement `/etc/letsencrypt` + mkdir --mode=755 -p $(LETSENCRYPT_ETC_DIR) + printf 'test secret\n' > $(LETSENCRYPT_ETC_DIR)/dummy-keys-and-stuff.txt + chmod 540 $(LETSENCRYPT_ETC_DIR)/dummy-keys-and-stuff.txt + chgrp 1001 $(LETSENCRYPT_ETC_DIR)/dummy-keys-and-stuff.txt @# Prepare replacement `/etc` mkdir --mode=750 -p $(HYDRILLA_WEBSITE_ETC_DIR) printf 'test non-secret\n' > $(HYDRILLA_WEBSITE_ETC_DIR)/secret.txt diff --git a/container.scm b/container.scm index 5eead94..7af2a25 100644 --- a/container.scm +++ b/container.scm @@ -368,8 +368,15 @@ (define %koszko-httpd-deploy-hook (program-file "httpd-deploy-hook" - #~(let ((pid (call-with-input-file "/var/run/httpd" read))) - (kill pid SIGHUP)))) + #~(begin + (for-each (lambda (subdir) + (system* "chgrp" "-R" "certsaccess" + (string-append "/etc/letsencrypt/" subdir))) + '("live" "archive")) + (system* "find" "/etc/letsencrypt/archive/" "-name" "privkey1.pem" + "-exec" "chmod" "640" "{}" ";") + (kill (call-with-input-file "/var/run/httpd" read) + SIGHUP)))) (define %certbot-token-filename-gexp #~(format #f "/srv/http/acme-challenge/~a" (getenv "CERTBOT_TOKEN"))) @@ -403,6 +410,7 @@ (service-type-extensions certbot-service-type)))) (certbot-configuration (email "koszko@koszko.org") + (rsa-key-size 4096) (certificates (map (match-lambda 
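Review bot: The `/etc/letsencrypt` replica built under `prepare-test-root` does not match what the deploy hook in container.scm produces, so the tests exercise permissions production will never have: the dummy key gets `chmod 540` (an owner execute bit and no group read beyond what the hook's `640` grants, but a different mode from it), and the group is a bare `chgrp 1001` that silently duplicates the `certsaccess` id declared in container.scm. Suggest hoisting the id next to `LETSENCRYPT_ETC_DIR` as `CERTSACCESS_GID = 1001` with the comment `# must match the id of the certsaccess group in container.scm`, and then `chmod 640 $(LETSENCRYPT_ETC_DIR)/dummy-keys-and-stuff.txt` and `chgrp $(CERTSACCESS_GID) $(LETSENCRYPT_ETC_DIR)/dummy-keys-and-stuff.txt`. If the real tree keeps certbot's default `live/` and `archive/` subdirectories (presumably created 0700), the replica should mirror that nesting too, otherwise a hook that forgets to grant group traverse on those directories still passes here.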
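Review bot: The new `%koszko-httpd-deploy-hook` only loosens `privkey1.pem`, so after the first renewal the freshly written `privkey2.pem` (and later ones) keeps whatever mode certbot gives it and the `certsaccess` group, i.e. the container's httpd, loses access to the current key while the stale one stays group-readable; the `find` pattern should be `"privkey*.pem"`. A `chgrp` alone is also not enough if certbot created `live/` and `archive/` with its default 0700 mode (worth confirming on the host): group members need traverse on those directories before the 0640 on the key files matters. Finally every `system*` exit status is discarded, so a failed `chgrp`/`chmod` still falls through to the `SIGHUP`, which then reloads httpd against a key it cannot read; the hook should check each step, and it could be narrowed to `(getenv "RENEWED_LINEAGE")` rather than re-chgrp'ing the whole tree on every deploy.

```scheme
(define %koszko-httpd-deploy-hook
  (program-file "httpd-deploy-hook"
    #~(begin
        ;; Run a command and abort (before touching httpd) if it fails.
        (define (run . args)
          (unless (zero? (status:exit-val (apply system* args)))
            (error "httpd-deploy-hook: step failed:" args)))
        (for-each (lambda (subdir)
                    (let ((dir (string-append "/etc/letsencrypt/" subdir)))
                      (run "chgrp" "-R" "certsaccess" dir)
                      ;; certbot creates these directories 0700; the group
                      ;; needs traverse permission to reach the key files.
                      (run "find" dir "-type" "d" "-exec" "chmod" "750" "{}" ";")))
                  '("live" "archive"))
        ;; Every renewal writes a new privkeyN.pem, not only privkey1.pem.
        (run "find" "/etc/letsencrypt/archive/" "-name" "privkey*.pem"
             "-exec" "chmod" "640" "{}" ";")
        (kill (call-with-input-file "/var/run/httpd" read) SIGHUP))))
```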
@@ -410,8 +418,9 @@ (let ((www-aliases (map (cut string-append "www." <>) (if auto-www-aliases name-and-aliases '())))) (certificate-configuration - (challenge "http") + (name (string-append "guixbot_" (car name-and-aliases))) (domains (append name-and-aliases www-aliases)) + (challenge "http") (authentication-hook %koszko-certbot-auth-hook) (cleanup-hook %koszko-certbot-cleanup-hook) (deploy-hook %koszko-httpd-deploy-hook))))) @@ -421,9 +430,9 @@ (host-name "koszko") (timezone "Europe/Warsaw") (groups (cons* - ;; The `httpd` and `gitolite3` groups must have explicit ids so that - ;; the host can provide files that are readable by Apache and not - ;; readable by the world. + ;; Some groups must have explicit ids so that the host can provide + ;; files that are readable by certain daemons and not readable by the + ;; world. (user-group (name "httpd") (id 133) @@ -432,15 +441,21 @@ (name "gitolite3") (id 118) (system? #t)) + (user-group + (name "certsaccess") + (id 1001) + (system? #t)) %base-groups)) (users (cons* (user-account (name "httpd") (group "httpd") - (supplementary-groups '("gitolite3")) + (supplementary-groups '("gitolite3" "certsaccess")) (system? #t)) - ;; the gitolite user must also have an id that matches the respective - ;; host user's one + ;; The gitolite user must also have an id that matches the respective + ;; host user's one — otherwise the cgit CGI process floods logs with + ;; an error about being unable to determine permissions of some + ;; files... (user-account (name "gitolite3") (group "gitolite3") diff --git a/guix-container.sh b/guix-container.sh index 8a358b8..902ee94 100755 --- a/guix-container.sh +++ b/guix-container.sh 
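Review bot: The purpose of the new `(name (string-append "guixbot_" (car name-and-aliases)))` is not recorded anywhere, and it is the line that decides where this certbot writes in a directory it now shares with the host's own certbot. Add a comment above it such as `;; Prefix the lineage name so it cannot collide with lineages managed by the host's certbot in the shared /etc/letsencrypt.` — if that is indeed the intent implied by the commit title — and note that the Apache configuration must reference `/etc/letsencrypt/live/guixbot_<domain>/` rather than the bare domain. The enclosing `certificate-configuration` `map` starts in the previous hunk.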
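Review bot: The new `certsaccess` group is declared `(system? #t)` but given `(id 1001)`, which on most hosts is inside the range used for ordinary login groups; if the host system already has (or later allocates) gid 1001 for a regular user, that user's primary group becomes readable on the bind-mounted private keys, because the mount carries numeric ids, not names. Prefer an id below 1000 (the file already uses 133 and 118 for the same reason) or at least a comment next to the id such as `;; gid must be reserved on the host too: files in /etc/letsencrypt are shared with it` so nobody allocates it there. The `users` list this hunk also touches continues past the hunk.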
@@ -99,6 +99,7 @@ start() { HYDRILLA_HTTP_REAL="$HOST_SYSTEM_ROOT"/var/www/hydrilla.koszko.org/html HYDRILLAREPOS_HTTP_REAL="$HOST_SYSTEM_ROOT"/var/www/hydrillarepos.koszko.org/html LOG_REAL="$LOG_DIR"/container + ETC_LETSENCRYPT_REAL="$HOST_SYSTEM_ROOT"/etc/letsencrypt ETC_REAL="$HOST_SYSTEM_ROOT"/etc/guix-container VAR_HYDRILLA_REAL="$HOST_SYSTEM_ROOT"/var/lib/hydrilla VAR_GITOLITE_REAL="$HOST_SYSTEM_ROOT"/var/lib/gitolite3 @@ -107,6 +108,7 @@ start() { HYDRILLA_HTTP_DIR_SHARE_OPT=--share="$HYDRILLA_HTTP_REAL"=/srv/http/hydrilla.koszko.org HYDRILLAREPOS_HTTP_DIR_SHARE_OPT=--share="$HYDRILLAREPOS_HTTP_REAL"=/srv/http/hydrillarepos.koszko.org LOG_DIR_SHARE_OPT=--share="$LOG_REAL"=/var/log + ETC_LETSENCRYPT_DIR_SHARE_OPT=--share="$ETC_LETSENCRYPT_REAL"=/etc/letsencrypt ETC_DIR_SHARE_OPT=--share="$ETC_REAL"=/etc VAR_HYDRILLA_DIR_SHARE_OPT=--share="$VAR_HYDRILLA_REAL"=/var/lib/hydrilla VAR_GITOLITE_DIR_SHARE_OPT=--share="$VAR_GITOLITE_REAL"=/var/lib/gitolite3 @@ -118,6 +120,7 @@ start() { "$HYDRILLA_HTTP_DIR_SHARE_OPT" \ "$HYDRILLAREPOS_HTTP_DIR_SHARE_OPT" \ "$LOG_DIR_SHARE_OPT" \ + "$ETC_LETSENCRYPT_DIR_SHARE_OPT" \ "$ETC_DIR_SHARE_OPT" \ "$VAR_HYDRILLA_DIR_SHARE_OPT" \ "$VAR_GITOLITE_DIR_SHARE_OPT" \ |
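Review bot: `--share="$ETC_LETSENCRYPT_REAL"=/etc/letsencrypt` mounts the whole tree read-write, so the container's certbot also gets the host's ACME account keys under `accounts/` and its `renewal/` configs, not only the lineages it manages, and the two certbot instances will now contend for the same `.certbot.lock` (assuming both use certbot's default layout). If the full tree is required because certbot must write `live/`, `archive/` and `renewal/`, say so in a comment on the new line, e.g. `# rw: the container's certbot writes its own guixbot_* lineages here; the host's certbot shares the lock file`, and consider a separate `--expose` of only what httpd needs if certbot is ever moved back to the host. The `start` function continues outside the hunk.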