nixcloud/nixcloud-webservices

nixcloud.TLS cert owner option

fgaz opened this issue · 7 comments

fgaz commented

Most services do not run as root, but the certs are root-owned with permissions 0700

this FR (feature request) has crossed my mind several times. for nixcloud.webservices based webservices this is not a problem but for the services coming with nixpkgs, when using nixcloud.TLS, it is. we could add a 'user' to each definition like this:

nixcloud.TLS.certs = {
  "example.com-ACME" = {
    domain = "example.com";
    mode = "ACME";
    email = "foo@example.com";
    reload = [ "postfix.service" "myservice.service" ];
    # make certificate readable by murmur, see nixos/modules/misc/ids.nix
    users = [ "murmur" "radicale" ];
  };
};

and then chown/chmod the directory/certificate. would that help you? please tell me for which service you do have that problem so we can test this feature properly.

fgaz commented

Yes, that would help!
I'm running a mumble server (murmur) with this configuration:

{ config, lib, pkgs, ... }:

let
  domain = "my.domain.here";
in {
  nixcloud.TLS.certs.${domain} = {
    mode = "ACME";
    restart = [ "murmur.service" ]; # maybe restart is too much and reload is sufficient
  };

  services.murmur = {
    enable = true;
    password = "oh god why is this in a plaintext config file";
    sslCert = config.nixcloud.TLS.certs.${domain}.tls_certificate;
    sslKey  = config.nixcloud.TLS.certs.${domain}.tls_certificate_key;
  };
  systemd.services.murmur.after = [ "nixcloud.TLS-certificates.target" ];
  systemd.services.murmur.wants = [ "nixcloud.TLS-certificates.target" ];
}

Murmur silently (!) falls back to a self-signed cert if it can't read the provided one.

Radicale should also have this problem, but I have yet to set it up.
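The silent fallback described above is exactly the failure a deploy-time check would catch: before the service starts, confirm that its account can actually traverse the certificate directory and read both files, and that the key has not been made world-readable in the process. The following script is an added example, not code from nixcloud-webservices; it models the classic owner/group/other check (including the search bit on every parent directory, which is what a 0700 directory denies) and the file names, the demo directory and the fake service uid it uses are constructed for illustration.

```python
"""Check whether a service account could read a TLS certificate and key,
and flag a private key that is readable by everyone (added example)."""
import os
import stat
import pwd
import grp
import tempfile


def _ancestors(path):
    """Every directory that must be searchable (x bit) to reach path."""
    d = os.path.dirname(os.path.abspath(path))
    dirs = []
    while True:
        dirs.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            return dirs
        d = parent


def _allowed(st, uid, gids, ubit, gbit, obit):
    """Classic UNIX DAC decision: root, then owner, then group, then other."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)


def can_read_as(path, uid, gids):
    """True if a process with this uid and these gids could open path for
    reading: parents need the search bit, the file needs the read bit."""
    for d in _ancestors(path):
        if not _allowed(os.stat(d), uid, gids,
                        stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
    return _allowed(os.stat(path), uid, gids,
                    stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def key_world_readable(path):
    """A private key should never carry the 'other' read bit."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def ids_for_user(name):
    """uid and the full set of gids (primary plus supplementary) of a system user."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


def audit(cert, key, uid, gids):
    """Findings a pre-start hook would act on instead of letting the daemon
    fall back to a self-signed certificate."""
    return {
        "cert_readable": can_read_as(cert, uid, gids),
        "key_readable": can_read_as(key, uid, gids),
        "key_world_readable": key_world_readable(key),
    }


def demo():
    """Constructed scenario: a root-style 0700 directory, then the group-readable
    layout a 'users' option would produce, then an over-permissive key.
    Returns the three audit results in that order."""
    d = tempfile.mkdtemp()                      # mkdtemp creates it 0700
    cert = os.path.join(d, "fullchain.pem")     # constructed file names
    key = os.path.join(d, "key.pem")
    for p in (cert, key):
        with open(p, "w") as f:
            f.write("placeholder, not a real PEM\n")
        os.chmod(p, 0o600)
    os.chmod(d, 0o700)
    fake_uid = os.getuid() + 1                  # some other (service) account
    gids = {os.getgid()}                        # ... that shares our group
    locked = audit(cert, key, fake_uid, gids)
    os.chmod(d, 0o750)                          # what chown/chmod per user would give
    os.chmod(cert, 0o640)
    os.chmod(key, 0o640)
    opened = audit(cert, key, fake_uid, gids)
    os.chmod(key, 0o644)                        # the mistake to flag
    exposed = audit(cert, key, fake_uid, gids)
    return locked, opened, exposed


if __name__ == "__main__":
    for label, r in zip(("0700 dir", "group-readable", "key 0644"), demo()):
        print(label, r)
```

In a real deployment the uid and gids come from ids_for_user("murmur") and the paths from config.nixcloud.TLS.certs.<name>.tls_certificate and tls_certificate_key; a non-zero exit on key_readable being false is preferable to a daemon that quietly serves the wrong certificate.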

@fgaz nearly have this feature ready. needs some more testing but the code looks already promising:
https://github.com/nixcloud/nixcloud-webservices/tree/cert-user-groups

my config looks like this:

  nixcloud.TLS.certs."nix.lt" = {
    mode = "ACME";
    restart = [ "murmur.service" ]; # maybe restart is too much and reload is sufficient
    users = [ "murmur" ];
  };

  services.murmur = {
    enable = true;
    password = "oh god why is this in a plaintext config file";
    sslCert = config.nixcloud.TLS.certs."nix.lt".tls_certificate;
    sslKey  = config.nixcloud.TLS.certs."nix.lt".tls_certificate_key;
  };
  systemd.services.murmur.after = [ "nixcloud.TLS-certificates.target" ];
  systemd.services.murmur.wants = [ "nixcloud.TLS-certificates.target" ];

and the users = [ "murmur" ]; finally makes it work and murmur was using the right certificate.

@fgaz some updates:

  • fixed a permission bug
  • refactored 'cert' into 'identifier'
  • tested all 3 modes manually using 'murmur'

only one bug is left: when a user was listed in users.groups.members and is then removed before another nixos-rebuild switch, the user still remains in /etc/group in the respective group where it should actually not be listed anymore. i don't understand why and this is probably a bug in NixOS.

will push these changes in nixcloud-webservices soon.

this feature is live with 7335d8e

@fgaz please report back in this context if you still find issues and reopen!

fgaz commented

It works! Thanks for the fix!

I just had to force a cert renew since the permissions were still rwx------, but this shouldn't be a problem for new users.