From f12f288d0b8b5a39bd6a9c7b56da3581e4990d23 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone <exarkun@twistedmatrix.com> Date: Thu, 3 Jun 2021 08:48:36 -0400 Subject: [PATCH] Thread multiple domain names through to the issuer's certbot config --- morph/grid/local/config.json | 2 +- morph/grid/production/config.json | 5 +++- morph/grid/testing/config.json | 5 +++- morph/lib/make-issuer.nix | 4 ++-- nixos/modules/issuer.nix | 31 ++++++++++++++----------- nixos/modules/tests/private-storage.nix | 2 +- 6 files changed, 29 insertions(+), 20 deletions(-)
diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
index 56184fbc..e970c3c6 100644
--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
@@ -2,7 +2,7 @@
 , "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "../../PrivateStorageSecrets/privatestorageio-testing-stripe.secret"
 , "passValue": 1000000
-, "issuerDomain": "payments.localdev"
+, "issuerDomains": ["payments.localdev"]
 , "letsEncryptAdminEmail": "florian@privatestorage.io"
 , "allowedChargeOrigins": [
 "http://localhost:5000"
diff --git a/morph/grid/production/config.json b/morph/grid/production/config.json
index b91d7d2e..970fde23 100644
--- a/morph/grid/production/config.json
+++ b/morph/grid/production/config.json
@@ -2,7 +2,10 @@
 , "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "./secrets/stripe.secret"
 , "passValue": 1000000
-, "issuerDomain": "payments.privatestorage.io"
+, "issuerDomains": [
+ "payments.private.storage"
+ , "payments.privatestorage.io"
+ ]
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 , "allowedChargeOrigins": [
 "https://privatestorage.io"
diff --git a/morph/grid/testing/config.json b/morph/grid/testing/config.json
index ca018157..ec28840a 100644
--- a/morph/grid/testing/config.json
+++ b/morph/grid/testing/config.json
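Review bot: The production hunk places the new `payments.private.storage` ahead of the existing `payments.privatestorage.io`, and in the issuer module that order is load-bearing: the first entry becomes the certificate directory the server reads from and the name of the `cert-*` unit, so swapping the two later would silently point the server at a different certificate path. JSON cannot carry a comment saying so, so this caveat belongs in the `domains` option description. Separately, the certificate is obtained with certbot's standalone authenticator, which to my knowledge answers the HTTP-01 challenge on port 80, so every name in this list must resolve to the issuer host before this config is deployed; one unvalidated name fails the whole `certonly` run, and with the TLS `requires` dependency that keeps the issuer from starting at all.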
@@ -2,7 +2,10 @@
 , "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "./secrets/stripe.secret"
 , "passValue": 1000000
-, "issuerDomain": "payments.privatestorage-staging.com"
+, "issuerDomains": [
+ "payments.privatestorage-staging.com"
+ , "payments.extra.privatestorage-staging.com"
+ ]
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 , "allowedChargeOrigins": [
 "http://localhost:5000"
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index d2fc1cad..5625b565 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -1,7 +1,7 @@
 { hardware
 , ristrettoSigningKeyPath
 , stripeSecretKeyPath
-, issuerDomain
+, issuerDomains
 , letsEncryptAdminEmail
 , allowedChargeOrigins
 , sshUsers
@@ -47,7 +47,7 @@
 database = "SQLite3";
 databasePath = "/var/db/vouchers.sqlite3";
 inherit letsEncryptAdminEmail;
- domain = issuerDomain;
+ domains = issuerDomains;
 inherit allowedChargeOrigins;
 };
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 6ad4f1b8..68a6ebf8 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -18,12 +18,11 @@ in {
 The package to use for the ZKAP issuer.
 '';
 };
- services.private-storage-issuer.domain = lib.mkOption {
- default = "payments.privatestorage.io";
- type = lib.types.str;
- example = lib.literalExample "payments.example.com";
+ services.private-storage-issuer.domains = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ example = lib.literalExample [ "payments.example.com" ];
 description = ''
- The domain name at which the issuer is reachable.
+ The domain names at which the issuer is reachable.
 '';
 };
 services.private-storage-issuer.tls = lib.mkOption {
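Review bot: The new `domains` option in the issuer.nix hunk is typed `lib.types.listOf lib.types.str`, which accepts an empty list, and the module's config (outside this hunk) then evaluates `builtins.head cfg.domains`, so a misconfigured host fails with Nix's opaque "list index out of bounds" rather than a message naming the option. If the nixpkgs in use has it, `type = lib.types.nonEmptyListOf lib.types.str;` turns that into a proper option error; otherwise an `assertions` entry checking `cfg.domains != []` does the same. The description should also say what the order means, since the first entry selects both the certificate directory and the systemd unit name: `The domain names at which the issuer is reachable.  The first entry names the certificate lineage and its systemd unit, so reorder the list with care.`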
@@ -115,6 +114,10 @@ in {
 config =
 let
 certroot = "/var/lib/letsencrypt/live";
+ # We'll refer to this collection of domains by the first domain in the
+ # list.
+ domain = builtins.head cfg.domains;
+ certServiceName = "cert-${domain}";
 in lib.mkIf cfg.enable {
 # Add a systemd service to run PaymentServer.
 systemd.services.zkapissuer = {
@@ -124,7 +127,7 @@ in {
 # Make sure we have a certificate the first time, if we are running over
 # TLS and require a certificate.
- requires = lib.optional cfg.tls "cert-${cfg.domain}.service";
+ requires = lib.optional cfg.tls "${certServiceName}.service}";
 after = [
 # Make sure there is a network so we can bind to all of the
@@ -133,7 +136,7 @@ in {
 ] ++
 # Make sure we run after the certificate is issued, if we are running
 # over TLS and require a certificate.
- lib.optional cfg.tls "cert-${cfg.domain}.service";
+ lib.optional cfg.tls "${certServiceName}.service";
 # It really shouldn't ever exit on its own! If it does, it's a bug
 # we'll have to fix. Restart it and hope it doesn't happen too much
@@ -157,9 +160,9 @@ in {
 if cfg.tls
 then
 "--https-port 443 " +
- "--https-certificate-path ${certroot}/${cfg.domain}/cert.pem " +
- "--https-certificate-chain-path ${certroot}/${cfg.domain}/chain.pem " +
- "--https-key-path ${certroot}/${cfg.domain}/privkey.pem"
+ "--https-certificate-path ${certroot}/${domain}/cert.pem " +
+ "--https-certificate-chain-path ${certroot}/${domain}/chain.pem " +
+ "--https-key-path ${certroot}/${domain}/privkey.pem"
 else
 # Only for automated testing.
 "--http-port 80";
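Review bot: The new `requires` line in the `@@ -124,7` hunk has a stray `}` inside the string, `"${certServiceName}.service}"`, so the unit name handed to systemd is `cert-<domain>.service}`, which is not the certificate unit the module declares further down (the `after` entry in the next hunk spells it correctly). As far as I know systemd logs and drops a dependency on a unit name it cannot resolve, so the pull-in the comment above promises is silently lost and on a fresh host the issuer can start before `certonly` has written the `cert.pem`/`privkey.pem` files the `--https-*-path` arguments in the later hunk point at, failing TLS startup instead of waiting. The fix is the one-character change `requires = lib.optional cfg.tls "${certServiceName}.service";`. The enclosing `systemd.services.zkapissuer` attribute set continues outside this hunk.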
@@ -179,20 +182,20 @@ in {
 # Certificate renewal. We must declare that we *require* it in our
 # service above.
- systemd.services."cert-${cfg.domain}" = {
+ systemd.services."${certServiceName}" = {
 enable = true;
- description = "Issue/Renew certificate for ${cfg.domain}";
+ description = "Certificate ${domain}";
 serviceConfig = {
 ExecStart =
 let
 configArgs = "--config-dir /var/lib/letsencrypt --work-dir /var/run/letsencrypt --logs-dir /var/run/log/letsencrypt";
 in
- pkgs.writeScript "cert-${cfg.domain}-start.sh" ''
+ pkgs.writeScript "cert-${domain}-start.sh" ''
 #!${pkgs.runtimeShell} -e
 # Register if necessary.
 ${pkgs.certbot}/bin/certbot register ${configArgs} --non-interactive --agree-tos -m ${cfg.letsEncryptAdminEmail} || true
 # Obtain the certificate.
- ${pkgs.certbot}/bin/certbot certonly ${configArgs} --non-interactive --standalone --domains ${cfg.domain}
+ ${pkgs.certbot}/bin/certbot certonly ${configArgs} --non-interactive --standalone --domains ${builtins.concatStringsSep "," cfg.domains}
 '';
 };
 };
diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix
index e085f8bc..cbf4c593 100644
--- a/nixos/modules/tests/private-storage.nix
+++ b/nixos/modules/tests/private-storage.nix
@@ -134,7 +134,7 @@ in {
 services.private-storage-issuer = {
 enable = true;
- domain = "issuer";
+ domains = ["issuer"];
 tls = false;
 issuer = "Ristretto";
 inherit ristrettoSigningKeyPath;
-- GitLab
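Review bot: The `certonly` call at the end of the certificate-unit hunk now requests several names but passes no `--cert-name`, while the server (earlier hunk) reads its key and chain from `${certroot}/${domain}/`, i.e. it assumes certbot files this certificate under a lineage named after the first domain. As far as I recall certbot only names a lineage after the first domain when it creates a fresh one: on a host that already holds a lineage for the old single name (production's `payments.privatestorage.io`), a non-interactive run that would have to expand that lineage is refused without `--expand`, and if it is expanded the `live/` directory keeps its old name, so the issuer would look for files that do not exist. Pinning the lineage removes both problems: `${pkgs.certbot}/bin/certbot certonly ${configArgs} --non-interactive --standalone --cert-name ${domain} --domains ${builtins.concatStringsSep "," cfg.domains}`. A comment above the command noting that the script's `-e` makes any certbot failure fail the unit the issuer requires would help the next operator debug a first deploy.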