1
0
Fork 0
selfhostblocks/modules/blocks/ssl/docs/default.md

129 lines
3.8 KiB
Markdown
Raw Normal View History

2024-04-15 00:21:20 +02:00
# SSL Generator Block {#ssl-block}
2024-01-12 08:22:46 +01:00
2024-04-15 00:21:20 +02:00
This NixOS module is a block that implements the [SSL certificate generator](contracts-ssl.html) contract.
2024-01-12 08:22:46 +01:00
It is implemented by:
- [`shb.certs.cas.selfsigned`][10] and [`shb.certs.certs.selfsigned`][11]: Generates self-signed certificates,
including self-signed CA thanks to the [certtool][1] package.
- [`shb.certs.certs.letsencrypt`][12]: Requests certificates from [Let's Encrypt][2].
[1]: https://search.nixos.org/packages?channel=23.11&show=gnutls&from=0&size=50&sort=relevance&type=packages&query=certtool
[2]: https://letsencrypt.org/
[10]: blocks-ssl.html#blocks-ssl-options-shb.certs.cas.selfsigned
[11]: blocks-ssl.html#blocks-ssl-options-shb.certs.certs.selfsigned
[12]: blocks-ssl.html#blocks-ssl-options-shb.certs.certs.letsencrypt
2024-04-15 00:21:20 +02:00
## Self-Signed Certificates {#ssl-block-impl-self-signed}
2024-01-12 08:22:46 +01:00
Defined in [`/modules/blocks/ssl.nix`](@REPO@/modules/blocks/ssl.nix).
To use self-signed certificates, we must first generate at least one Certificate Authority (CA):
```nix
shb.certs.cas.selfsigned.myca = {
name = "My CA";
};
```
Every CA defined this way will be concatenated into the file `/etc/ssl/certs/ca-certificates.cert`
which means those CAs and all certificates generated by those CAs will be automatically trusted.
We can then generate one or more certificates signed by that CA:
```nix
shb.certs.certs.selfsigned = {
"example.com" = {
ca = config.shb.certs.cas.selfsigned.myca;
domain = "example.com";
group = "nginx";
reloadServices = [ "nginx.service" ];
2024-01-12 08:22:46 +01:00
};
"www.example.com" = {
ca = config.shb.certs.cas.selfsigned.myca;
domain = "www.example.com";
group = "nginx";
2024-01-12 08:22:46 +01:00
};
};
```
The group has been chosen to be `nginx` to be consistent with the examples further down in this
document.
2024-04-15 00:21:20 +02:00
## Let's Encrypt {#ssl-block-impl-lets-encrypt}
2024-01-12 08:22:46 +01:00
Defined in [`/modules/blocks/ssl.nix`](@REPO@/modules/blocks/ssl.nix).
We can ask Let's Encrypt to generate a certificate with:
```nix
shb.certs.certs.letsencrypt."example.com" = {
domain = "example.com";
group = "nginx";
2024-01-12 08:22:46 +01:00
dnsProvider = "linode";
adminEmail = "admin@example.com";
credentialsFile = /path/to/secret/file;
additionalEnvironment = {
LINODE_HTTP_TIMEOUT = "10";
LINODE_POLLING_INTERVAL = "10";
LINODE_PROPAGATION_TIMEOUT = "240";
};
};
```
The credential file's content would be a key-value pair:
```yaml
LINODE_TOKEN=XYZ...
```
For other providers, see the [official instruction](https://go-acme.github.io/lego/dns/).
## Usage {#ssl-block-usage}
To use either a self-signed certificates or a Let's Encrypt generated one, we can reference the path
where the certificate and the private key are located:
```nix
2024-01-21 05:11:03 +01:00
config.shb.certs.certs.<implementation>.<name>.paths.cert
config.shb.certs.certs.<implementation>.<name>.paths.key
2024-04-15 00:21:20 +02:00
config.shb.certs.certs.<implementation>.<name>.systemdService
2024-01-12 08:22:46 +01:00
```
For example:
```nix
2024-01-21 05:11:03 +01:00
config.shb.certs.certs.selfsigned."example.com".paths.cert
config.shb.certs.certs.selfsigned."example.com".paths.key
2024-04-15 00:21:20 +02:00
config.shb.certs.certs.selfsigned."example.com".systemdService
2024-01-12 08:22:46 +01:00
```
2024-04-15 00:21:20 +02:00
The full CA bundle is generated by the following Systemd service, running after each individual
generator finished:
2024-01-12 08:22:46 +01:00
```nix
config.shb.certs.systemdService
```
2024-04-15 00:21:20 +02:00
See also the [SSL certificate generator usage](contracts-ssl.html#ssl-contract-usage) for a more detailed usage
example.
2024-01-12 08:22:46 +01:00
## Debug {#ssl-block-debug}
2024-04-15 00:21:20 +02:00
Each CA and Cert is generated by a systemd service whose name can be seen in the `systemdService`
option. You can then see the latest errors messages using `journalctl`.
2024-01-12 08:22:46 +01:00
## Tests {#ssl-block-tests}
2024-04-15 00:21:20 +02:00
The self-signed implementation is tested in [`/tests/vm/ssl.nix`](@REPO@/tests/vm/ssl.nix).
2024-01-12 08:22:46 +01:00
## Options Reference {#ssl-block-options}
```{=include=} options
id-prefix: blocks-ssl-options-
list-id: selfhostblocks-options
source: @OPTIONS_JSON@
```