From 53a17d2a44b3868db2149787dc7f500cbd0ff390 Mon Sep 17 00:00:00 2001 From: "Hedtke, Moritz" Date: Thu, 18 Feb 2021 12:58:41 +0100 Subject: [PATCH 1/6] step-ca: 0.15.6 -> 0.15.11 --- pkgs/tools/security/step-ca/default.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pkgs/tools/security/step-ca/default.nix b/pkgs/tools/security/step-ca/default.nix index f3c9990a3c74..7c5adc649be7 100644 --- a/pkgs/tools/security/step-ca/default.nix +++ b/pkgs/tools/security/step-ca/default.nix @@ -9,22 +9,22 @@ buildGoModule rec { pname = "step-ca"; - version = "0.15.6"; + version = "0.15.11"; src = fetchFromGitHub { owner = "smallstep"; repo = "certificates"; rev = "v${version}"; - sha256 = "0n26692ph4q4cmrqammfazmx1k9p2bydwqc57q4hz5ni6jd31zbz"; + sha256 = "wFRs3n6V0z2keNVtqFw1q5jpA6BvNK5EftsNhichfsY="; }; - vendorSha256 = "0w0phyqymcg2h2jjasxmkf4ryn4y1bqahcy94rs738cqr5ifyfbg"; + vendorSha256 = "f1NdszqYYx6X1HqwqG26jjfjXq1gDXLOrh64ccKRQ90="; nativeBuildInputs = [ pkg-config ]; buildInputs = - lib.optional stdenv.isLinux (lib.getDev pcsclite) - ++ lib.optional stdenv.isDarwin PCSC; + lib.optionals (stdenv.isLinux) [ pcsclite ] + ++ lib.optionals (stdenv.isDarwin) [ PCSC ]; # Tests fail on darwin with # panic: httptest: failed to listen on a port: listen tcp6 [::1]:0: bind: operation not permitted [recovered] From 106b8616f7c808f1706545dc8f05488986bbbca6 Mon Sep 17 00:00:00 2001 From: "Hedtke, Moritz" Date: Thu, 18 Feb 2021 13:00:22 +0100 Subject: [PATCH 2/6] step-ca: Add systemd service file at correct location to get it picked up automatically --- pkgs/tools/security/step-ca/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/tools/security/step-ca/default.nix b/pkgs/tools/security/step-ca/default.nix index 7c5adc649be7..584a597d67de 100644 --- a/pkgs/tools/security/step-ca/default.nix +++ b/pkgs/tools/security/step-ca/default.nix 
@@ -2,6 +2,7 @@ , lib , fetchFromGitHub , buildGoModule +, coreutils , pcsclite , PCSC , pkg-config @@ -26,6 +27,14 @@ buildGoModule rec { lib.optionals (stdenv.isLinux) [ pcsclite ] ++ lib.optionals (stdenv.isDarwin) [ PCSC ]; + postPatch = '' + substituteInPlace systemd/step-ca.service --replace "/bin/kill" "${coreutils}/bin/kill" + ''; + + postInstall = '' + install -Dm444 -t $out/lib/systemd/system systemd/step-ca.service + ''; + # Tests fail on darwin with # panic: httptest: failed to listen on a port: listen tcp6 [::1]:0: bind: operation not permitted [recovered] # probably some sandboxing issue From 2d821cb5c0adb3247d3d3c841f8a6c5431802b75 Mon Sep 17 00:00:00 2001 From: "Hedtke, Moritz" Date: Thu, 18 Feb 2021 13:01:26 +0100 Subject: [PATCH 3/6] step-ca: Add option to disable HSM support --- pkgs/tools/security/step-ca/default.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/security/step-ca/default.nix b/pkgs/tools/security/step-ca/default.nix index 584a597d67de..82afc06e1c51 100644 --- a/pkgs/tools/security/step-ca/default.nix +++ b/pkgs/tools/security/step-ca/default.nix @@ -6,6 +6,7 @@ , pcsclite , PCSC , pkg-config +, hsmSupport ? true }: buildGoModule rec { @@ -21,16 +22,20 @@ buildGoModule rec { vendorSha256 = "f1NdszqYYx6X1HqwqG26jjfjXq1gDXLOrh64ccKRQ90="; - nativeBuildInputs = [ pkg-config ]; + nativeBuildInputs = lib.optionals hsmSupport [ pkg-config ]; buildInputs = - lib.optionals (stdenv.isLinux) [ pcsclite ] - ++ lib.optionals (stdenv.isDarwin) [ PCSC ]; + lib.optionals (hsmSupport && stdenv.isLinux) [ pcsclite ] + ++ lib.optionals (hsmSupport && stdenv.isDarwin) [ PCSC ]; postPatch = '' substituteInPlace systemd/step-ca.service --replace "/bin/kill" "${coreutils}/bin/kill" ''; + preBuild = '' + ${lib.optionalString (!hsmSupport) "export CGO_ENABLED=0"} + ''; + postInstall = '' install -Dm444 -t $out/lib/systemd/system systemd/step-ca.service ''; 
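Review bot: The `substituteInPlace ... --replace "/bin/kill"` in postPatch is a silent no-op if upstream ever changes that string in systemd/step-ca.service, and the installed unit would then still reference a `/bin/kill` that does not exist on NixOS, failing at runtime (presumably on reload) instead of at build time. A build-time guard right after the substitution makes that visible, e.g. `grep -q "${coreutils}/bin/kill" systemd/step-ca.service` (or `--replace-fail` where the nixpkgs in use supports it). A one-line comment on the postInstall line would also help the next maintainer understand why a Go package ships a unit file: `# installed under lib/systemd/system so systemd.packages picks it up in the NixOS module`.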
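Review bot: The `preBuild` hook wraps the export in `lib.optionalString`, which leaves an empty preBuild when hsmSupport is true; the same effect reads more directly as `preBuild = lib.optionalString (!hsmSupport) "export CGO_ENABLED=0";`. Whether `CGO_ENABLED=0` alone is enough to keep the PC/SC code out of the binary depends on step-ca's build tags, which this hunk does not show; a comment such as `# without cgo the pcsclite/PCSC bindings cannot be compiled in` next to the export, plus a check that a hsmSupport = false build no longer references pcsclite, would document the intent. Note the variable also remains set for buildGoModule's check phase, so any test that needs cgo is skipped or fails in that configuration.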
From d848dd07e6e536eb5f0c8efe04ceecf9919e42a2 Mon Sep 17 00:00:00 2001 From: "Hedtke, Moritz" Date: Sat, 6 Feb 2021 21:04:21 +0100 Subject: [PATCH 4/6] nixos/step-ca: Add declarative step-ca service Co-authored-by: midchildan --- nixos/modules/module-list.nix | 1 + nixos/modules/services/security/step-ca.nix | 132 ++++++++++++++++++++ 2 files changed, 133 insertions(+) create mode 100644 nixos/modules/services/security/step-ca.nix diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 07774dd1d293..ac24c61e0aac 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -854,6 +854,7 @@ ./services/security/shibboleth-sp.nix ./services/security/sks.nix ./services/security/sshguard.nix + ./services/security/step-ca.nix ./services/security/tor.nix ./services/security/torify.nix ./services/security/torsocks.nix diff --git a/nixos/modules/services/security/step-ca.nix b/nixos/modules/services/security/step-ca.nix new file mode 100644 index 000000000000..b749ec6e56d0 --- /dev/null +++ b/nixos/modules/services/security/step-ca.nix 
@@ -0,0 +1,132 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.step-ca; + settingsFormat = (pkgs.formats.json { }); +in +{ + options = { + services.step-ca = { + enable = lib.mkEnableOption "the smallstep certificate authority server"; + openFirewall = lib.mkEnableOption "opening the certificate authority server port"; + package = lib.mkOption { + type = lib.types.package; + default = pkgs.step-ca; + description = "Which step-ca package to use."; + }; + address = lib.mkOption { + type = lib.types.str; + example = "127.0.0.1"; + description = '' + The address (without port) the certificate authority should listen at. + This combined with overrides . + ''; + }; + port = lib.mkOption { + type = lib.types.port; + example = 8443; + description = '' + The port the certificate authority should listen on. + This combined with overrides . + ''; + }; + settings = lib.mkOption { + type = with lib.types; attrsOf anything; + description = '' + Settings that go into ca.json. See + + the step-ca manual for more information. The easiest way to + configure this module would be to run step ca init + to generate ca.json and then import it using + builtins.fromJSON. + This article + may also be useful if you want to customize certain aspects of + certificate generation for your CA. + You need to change the database storage path to /var/lib/step-ca/db. + + + + The option + will be ignored and overwritten by + and + . + + + ''; + }; + intermediatePasswordFile = lib.mkOption { + type = lib.types.path; + example = "/run/keys/smallstep-password"; + description = '' + Path to the file containing the password for the intermediate + certificate private key. + + + + Make sure to use a quoted absolute path instead of a path literal + to prevent it from being copied to the globally readable Nix + store. 
+ + + ''; + }; + }; + }; + + config = lib.mkIf config.services.step-ca.enable ( + let + configFile = settingsFormat.generate "ca.json" (cfg.settings // { + address = cfg.address + ":" + toString cfg.port; + }); + in + { + assertions = + [ + { + assertion = !lib.isStorePath cfg.intermediatePasswordFile; + message = '' + points to + a file in the Nix store. You should use a quoted absolute path to + prevent this. + ''; + } + ]; + + systemd.packages = [ cfg.package ]; + + # configuration file indirection is needed to support reloading + environment.etc."smallstep/ca.json".source = configFile; + + systemd.services."step-ca" = { + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ configFile ]; + unitConfig = { + ConditionFileNotEmpty = ""; # override upstream + }; + serviceConfig = { + Environment = "HOME=%S/step-ca"; + WorkingDirectory = ""; # override upstream + ReadWriteDirectories = ""; # override upstream + + # LocalCredential handles file permission problems arising from the use of DynamicUser. + LoadCredential = "intermediate_password:${cfg.intermediatePasswordFile}"; + + ExecStart = [ + "" # override upstream + "${cfg.package}/bin/step-ca /etc/smallstep/ca.json --password-file \${CREDENTIALS_DIRECTORY}/intermediate_password" + ]; + + # ProtectProc = "invisible"; # not supported by upstream yet + # ProcSubset = "pid"; # not supported by upstream upstream yet + # PrivateUsers = true; # doesn't work with privileged ports therefore not supported by upstream + + DynamicUser = true; + StateDirectory = "step-ca"; + }; + }; + + networking.firewall = lib.mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; + } + ); +} From a3141361cbfc53ca2c45f37a59cf1de83a19d9ef Mon Sep 17 00:00:00 2001 From: mohe2015 Date: Sun, 1 Nov 2020 17:01:21 +0100 Subject: [PATCH 5/6] maintainers: add mohe2015 --- maintainers/maintainer-list.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) 
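Review bot: The generated `ca.json` is placed in the Nix store and linked into /etc, both world-readable, and `settings` accepts the whole file as `attrsOf anything`, so any secret that a step-ca configuration can carry (provisioner key material or client secrets, if such provisioners are used) would be exposed to every local user, yet the description only warns about the password file. The `settings` description should say this explicitly, e.g. `ca.json is written to the world-readable Nix store and /etc; do not put secrets in settings`, pointing at intermediatePasswordFile as the only secret the module protects via LoadCredential. Separately, the serviceConfig comment says `LocalCredential` while the directive used is `LoadCredential`; `# LoadCredential handles file permission problems arising from the use of DynamicUser.` matches the code. The comment above `environment.etc` says the indirection is for reloading, but the unit uses `restartTriggers`, so a config change restarts the CA; if that is intended the comment should say restart, otherwise `reloadTriggers` is the matching directive.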
diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix index a59d4b24995e..b9d203b2d1e0 100644 --- a/maintainers/maintainer-list.nix +++ b/maintainers/maintainer-list.nix @@ -6477,6 +6477,16 @@ githubId = 754512; name = "Mogria"; }; + mohe2015 = { + name = "Moritz Hedtke"; + email = "Moritz.Hedtke@t-online.de"; + github = "mohe2015"; + githubId = 13287984; + keys = [{ + longkeyid = "rsa4096/0x6794D45A488C2EDE"; + fingerprint = "1248 D3E1 1D11 4A85 75C9 8934 6794 D45A 488C 2EDE"; + }]; + }; monsieurp = { email = "monsieurp@gentoo.org"; github = "monsieurp"; From 01b1ddfa701914e7eb8a2cba1fcc084cc7aa1404 Mon Sep 17 00:00:00 2001 From: "Hedtke, Moritz" Date: Sat, 20 Mar 2021 23:14:26 +0100 Subject: [PATCH 6/6] Add mohe2015 as maintainer to step-ca and nixos/step-ca --- nixos/modules/services/security/step-ca.nix | 2 ++ pkgs/tools/security/step-ca/default.nix | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/security/step-ca.nix b/nixos/modules/services/security/step-ca.nix index b749ec6e56d0..64eee11f5880 100644 --- a/nixos/modules/services/security/step-ca.nix +++ b/nixos/modules/services/security/step-ca.nix @@ -4,6 +4,8 @@ let settingsFormat = (pkgs.formats.json { }); in { + meta.maintainers = with lib.maintainers; [ mohe2015 ]; + options = { services.step-ca = { enable = lib.mkEnableOption "the smallstep certificate authority server"; diff --git a/pkgs/tools/security/step-ca/default.nix b/pkgs/tools/security/step-ca/default.nix index 82afc06e1c51..84fe06e6c19c 100644 --- a/pkgs/tools/security/step-ca/default.nix +++ b/pkgs/tools/security/step-ca/default.nix 
@@ -49,7 +49,7 @@ buildGoModule rec { description = "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH"; homepage = "https://smallstep.com/certificates/"; license = licenses.asl20; - maintainers = with maintainers; [ cmcdragonkai ]; + maintainers = with maintainers; [ cmcdragonkai mohe2015 ]; platforms = platforms.linux ++ platforms.darwin; }; }