85 lines
2.5 KiB
Nix
85 lines
2.5 KiB
Nix
{ config, pkgs, lib, ...}:
|
|
|
|
with lib; let
|
|
cfg = config.security.acme;
|
|
|
|
script = pkgs.writeShellApplication {
|
|
name = "ocsp-query";
|
|
runtimeInputs = with pkgs; [ openssl ];
|
|
text = ''
|
|
cd "$1"
|
|
|
|
tmp="$(mktemp ocsp.der.XXXXXXXXXX)"
|
|
trap 'rm -f "$tmp"' EXIT TERM
|
|
|
|
url="$(openssl x509 -in cert.pem -noout -ocsp_uri)"
|
|
openssl ocsp -issuer chain.pem -cert cert.pem -url "$url" -respout "$tmp"
|
|
|
|
chown "$(id -u):$(id -g)" "$tmp"
|
|
chmod 644 "$tmp"
|
|
mv "$tmp" ocsp.der
|
|
|
|
ln -s -f ocsp.der full.ocsp
|
|
'';
|
|
};
|
|
in {
|
|
options.security.acme.ocspTimer = mkOption {
|
|
type = with types; nullOr nonEmptyStr;
|
|
default = "daily";
|
|
description = mdDoc "Realtime (wall clock) timer for regular OCSP queries.";
|
|
};
|
|
|
|
config = mkIf (cfg.ocspTimer != null) {
|
|
systemd.services = mapAttrs' (cert: conf: nameValuePair "ocsp-${cert}" {
|
|
description = "Query OCSP endpoint for ${cert}";
|
|
after = [ "network.target" "network-online.target" "acme-${cert}.service" ];
|
|
wants = [ "network.target" "network-online.target" "acme-${cert}.service" ];
|
|
|
|
confinement.enable = true;
|
|
confinement.packages = with pkgs; [ openssl ];
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
|
|
User = "acme";
|
|
Group = conf.group;
|
|
UMask = "0022";
|
|
|
|
BindPaths = [ conf.directory ];
|
|
|
|
ExecStart = "${script}/bin/ocsp-query ${escapeShellArg conf.directory}";
|
|
|
|
ProtectProc = "noaccess";
|
|
ProcSubset = "pid";
|
|
ProtectHome = true;
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
PrivateIPC = true;
|
|
ProtectHostname = true;
|
|
ProtectClock = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectControlGroups = true;
|
|
RestrictAddressFamilies = ["AF_INET" "AF_INET6" ];
|
|
RestrictNamespaces = true;
|
|
LockPersonality = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
RemoveIPC = true;
|
|
CapabilityBoundingSet = null;
|
|
NoNewPrivileges = true;
|
|
SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ];
|
|
SystemCallArchitectures = "native";
|
|
DeviceAllow = null;
|
|
DevicePolicy = "closed";
|
|
SocketBindDeny = "any";
|
|
};
|
|
}) cfg.certs;
|
|
|
|
systemd.timers = mapAttrs' (cert: conf: nameValuePair "ocsp-${cert}" {
|
|
description = "Query OCSP endpoint for ${cert} regularly";
|
|
timerConfig.OnCalendar = cfg.ocspTimer;
|
|
}) cfg.certs;
|
|
};
|
|
}
|