consolidation
+62
-78
@@ -115,80 +115,6 @@ let
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
mkMtlsRenewScript = {
|
|
||||||
pkgs,
|
|
||||||
certFile,
|
|
||||||
keyFile,
|
|
||||||
bundleFile,
|
|
||||||
user ? null,
|
|
||||||
group ? null,
|
|
||||||
reloadUnits ? [ ],
|
|
||||||
postCommands ? [ ],
|
|
||||||
systemctlArgs ? [ ],
|
|
||||||
}:
|
|
||||||
let
|
|
||||||
systemctlCmd = "systemctl ${lib.escapeShellArgs systemctlArgs}";
|
|
||||||
|
|
||||||
hasReloadUnits = reloadUnits != [ ];
|
|
||||||
renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
|
|
||||||
if ${systemctlCmd} --quiet is-active "${unit}"; then
|
|
||||||
${systemctlCmd} try-reload-or-restart "${unit}"
|
|
||||||
fi
|
|
||||||
'') reloadUnits;
|
|
||||||
|
|
||||||
hasPostCommands = postCommands != [ ];
|
|
||||||
renewPostCommands = lib.concatStringsSep "\n" postCommands;
|
|
||||||
|
|
||||||
hasOwnership = user != null && group != null;
|
|
||||||
in
|
|
||||||
pkgs.writeShellApplication {
|
|
||||||
name = "mtls-renew";
|
|
||||||
runtimeInputs = with pkgs; [ coreutils step-cli systemd ];
|
|
||||||
text = ''
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
YELLOW_BANG="\e[33m!\e[0m"
|
|
||||||
|
|
||||||
force=0
|
|
||||||
while [[ $# -gt 0 ]]; do
|
|
||||||
case $1 in
|
|
||||||
--force)
|
|
||||||
force=1
|
|
||||||
shift
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
if [[ $force -eq 0 ]] && ! step certificate needs-renewal "${certFile}"; then
|
|
||||||
echo "Skipping renew"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Renewing mTLS certificate"
|
|
||||||
step ca renew --force "${certFile}" "${keyFile}"
|
|
||||||
(umask 077; cat "${certFile}" "${keyFile}" > "${bundleFile}")
|
|
||||||
|
|
||||||
${lib.optionalString hasOwnership ''
|
|
||||||
chown ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
|
|
||||||
chmod 640 ${certFile} ${keyFile} ${bundleFile}
|
|
||||||
''}
|
|
||||||
|
|
||||||
${lib.optionalString hasReloadUnits ''
|
|
||||||
echo "Reloading units: ${lib.concatStringsSep ", " reloadUnits}"
|
|
||||||
${renewReloadScript}
|
|
||||||
''}
|
|
||||||
|
|
||||||
${lib.optionalString hasPostCommands ''
|
|
||||||
echo "Running post commands"
|
|
||||||
${renewPostCommands}
|
|
||||||
''}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
|
flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
|
||||||
@@ -277,7 +203,6 @@ in
|
|||||||
description = "Renew the mTLS certificate when Smallstep marks it ready";
|
description = "Renew the mTLS certificate when Smallstep marks it ready";
|
||||||
after = [ "network-online.target" ];
|
after = [ "network-online.target" ];
|
||||||
wants = [ "network-online.target" ];
|
wants = [ "network-online.target" ];
|
||||||
serviceConfig.Type = "oneshot";
|
|
||||||
} // lib.optionalAttrs cfg.renew.enable {
|
} // lib.optionalAttrs cfg.renew.enable {
|
||||||
startAt = cfg.renew.onCalendar;
|
startAt = cfg.renew.onCalendar;
|
||||||
};
|
};
|
||||||
@@ -438,9 +363,68 @@ in
|
|||||||
|
|
||||||
config = {
|
config = {
|
||||||
binName = "mtls-renew";
|
binName = "mtls-renew";
|
||||||
package = mkMtlsRenewScript {
|
package = let
|
||||||
inherit (config) pkgs certFile keyFile bundleFile user group reloadUnits postCommands systemctlArgs;
|
systemctlCmd = "systemctl ${lib.escapeShellArgs config.systemctlArgs}";
|
||||||
};
|
|
||||||
|
hasReloadUnits = config.reloadUnits != [ ];
|
||||||
|
renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
|
||||||
|
if ${systemctlCmd} --quiet is-active "${unit}"; then
|
||||||
|
${systemctlCmd} try-reload-or-restart "${unit}"
|
||||||
|
fi
|
||||||
|
'') config.reloadUnits;
|
||||||
|
|
||||||
|
hasPostCommands = config.postCommands != [ ];
|
||||||
|
renewPostCommands = lib.concatStringsSep "\n" config.postCommands;
|
||||||
|
|
||||||
|
hasOwnership = config.user != null && config.group != null;
|
||||||
|
in
|
||||||
|
config.pkgs.writeShellApplication {
|
||||||
|
name = "mtls-renew";
|
||||||
|
runtimeInputs = with config.pkgs; [ coreutils step-cli systemd ];
|
||||||
|
text = ''
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
YELLOW_BANG="\e[33m!\e[0m"
|
||||||
|
|
||||||
|
force=0
|
||||||
|
while [[ $# -gt 0 ]]; do
|
||||||
|
case $1 in
|
||||||
|
--force)
|
||||||
|
force=1
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
if [[ $force -eq 0 ]] && ! step certificate needs-renewal "${config.certFile}"; then
|
||||||
|
echo "Skipping renew"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Renewing mTLS certificate"
|
||||||
|
step ca renew --force "${config.certFile}" "${config.keyFile}"
|
||||||
|
(umask 077; cat "${config.certFile}" "${config.keyFile}" > "${config.bundleFile}")
|
||||||
|
|
||||||
|
${lib.optionalString hasOwnership ''
|
||||||
|
chown ${config.user}:${config.group} ${config.certFile} ${config.keyFile} ${config.bundleFile}
|
||||||
|
chmod 640 ${config.certFile} ${config.keyFile} ${config.bundleFile}
|
||||||
|
''}
|
||||||
|
|
||||||
|
${lib.optionalString hasReloadUnits ''
|
||||||
|
echo "Reloading units: ${lib.concatStringsSep ", " config.reloadUnits}"
|
||||||
|
${renewReloadScript}
|
||||||
|
''}
|
||||||
|
|
||||||
|
${lib.optionalString hasPostCommands ''
|
||||||
|
echo "Running post commands"
|
||||||
|
${renewPostCommands}
|
||||||
|
''}
|
||||||
|
'';
|
||||||
|
};
|
||||||
systemd = {
|
systemd = {
|
||||||
serviceConfig.Type = lib.mkDefault "oneshot";
|
serviceConfig.Type = lib.mkDefault "oneshot";
|
||||||
};
|
};
|
||||||
|
|||||||
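Review bot: The `*)` arm of the argument loop in the inlined `text` prints `Warning: ignoring unrecognized argument '$1'` and then runs `exit 1`, so the message contradicts the behavior and also goes to stdout; change it to `echo -e "$YELLOW_BANG Error: unrecognized argument '$1'" >&2` (or drop the `exit 1` if ignoring really is the intent). The `chown` and `chmod` lines under `hasOwnership` interpolate `config.certFile`, `config.keyFile` and `config.bundleFile` unquoted, unlike the `step ca renew` and `cat` lines just above them, so a path containing whitespace or glob characters is word-split there; use `${lib.escapeShellArg config.certFile}` (and likewise for the other two) on both lines. The bundle write `(umask 077; cat ... > "${config.bundleFile}")` truncates an existing bundle in place, so the umask only governs first-time creation and a concurrent reader can observe a partially written cert+key file; writing to a `mktemp` file next to `config.bundleFile` and `mv`-ing it over is a small atomic alternative, and coreutils is already in `runtimeInputs`. `config.postCommands` is spliced verbatim into the same `set -euo pipefail` script, so a failing post command aborts the run after the certificate has already been renewed and the bundle rewritten; the option's description should state that, assuming it does not already (the option definition is outside this hunk). The `config = {` attribute set and the enclosing module function continue past the end of this hunk.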