ref: get constant handles on more letsencryptCertMaterial

- probable typoed dead asset removed: xxxxx-full.pem.key (non-sensical) - shortcut cp cert.pem /etc/ssl/certs/agix-converter.iohk.io-cert.pem - instead of: re-acquire rather anti-atomically over the vault-agent REFACTORING: proven to have no effect via diff-against-bitte-commit ENV-DIFF: according to the above two items, also replacing implicit globs through explicit identifiers.
input-output-hk · Jan 9, 2022 · 876d77f · 876d77f
1 parent 93bb73a
commit 876d77f
Show file tree

Hide file tree

Showing 8 changed files with 76 additions and 63 deletions.
diff --git a/lib/mk-system.nix b/lib/mk-system.nix
@@ -7,55 +7,22 @@
 # This is no contradiction.
 , self ? null, inputs ? null, modules ? [ ], nodeName ? null }:
 let
-  pkiFiles = {
-    caCertFile = "/etc/ssl/certs/ca.pem";
-    certChainFile = "/etc/ssl/certs/full.pem";
-    certFile = "/etc/ssl/certs/cert.pem";
-    keyFile = "/etc/ssl/certs/cert-key.pem";
-  };
-
-  hashiTokens = {
-    vaultd-consul-json = "/etc/vault.d/consul-token.json";
-    nomadd-consul-json = "/etc/nomad.d/consul-token.json";
-    consuld-json = "/etc/consul.d/tokens.json";
-
-    vault = "/run/keys/vault-token";
-    consul-default = "/run/keys/consul-default-token";
-    consul-nomad = "/run/keys/consul-nomad-token";
-    consul-vault-srv = "vault-consul-token";
-    nomad-snapshot = "/run/keys/nomad-snapshot-token";
-    nomad-autoscaler = "/run/keys/nomad-autoscaler-token";
-  };
-
-  showWarningsAndAssertions = { lib, config, ... }:
-    let
-      failedAssertions =
-        map (x: x.message) (lib.filter (x: !x.assertion) config.assertions);
-      validateConfig = if failedAssertions != [ ] then
-        throw ''
-
-          Failed assertions:
-          ${builtins.concatStringsSep "\n"
-          (map (x: "- ${x}") failedAssertions)}''
-      else
-        lib.showWarnings config.warnings;
-    in {
-      options.showWarningsAndAssertions = lib.mkOption {
-        type = with lib.types; bool;
-        default = validateConfig true;
-      };
-    };
 
   bitteSystem = specializationModule:
     let
       res = nixpkgs.lib.nixosSystem {
         inherit pkgs;
         inherit (pkgs) system;
         modules =
-          [ showWarningsAndAssertions bitte.nixosModule specializationModule ]
+          [
+            ./mk-system/constants-module.nix
+            ./mk-system/show-warnings-and-assertions-module.nix
+            bitte.nixosModule
+            specializationModule
+          ]
           ++ modules;
         specialArgs = {
-          inherit nodeName self inputs pkiFiles hashiTokens;
+          inherit nodeName self inputs;
           inherit (bitte.inputs) terranix;
           bittelib = bitte.lib;
           inherit (bitte.lib) terralib;

diff --git a/lib/mk-system/constants-module.nix b/lib/mk-system/constants-module.nix
@@ -0,0 +1,29 @@
+{ config, ... }: {
+  _module.args = {
+    pkiFiles = {
+      caCertFile = "/etc/ssl/certs/ca.pem";
+      certChainFile = "/etc/ssl/certs/full.pem";
+      certFile = "/etc/ssl/certs/cert.pem";
+      keyFile = "/etc/ssl/certs/cert-key.pem";
+    };
+
+    letsencryptCertMaterial = {
+      certFile = "/etc/ssl/certs/${config.cluster.domain}-cert.pem";
+      certChainFile = "/etc/ssl/certs/${config.cluster.domain}-full.pem";
+      keyFile = "/etc/ssl/certs/${config.cluster.domain}-key.pem";
+    };
+
+    hashiTokens = {
+      vaultd-consul-json = "/etc/vault.d/consul-token.json";
+      nomadd-consul-json = "/etc/nomad.d/consul-token.json";
+      consuld-json = "/etc/consul.d/tokens.json";
+
+      vault = "/run/keys/vault-token";
+      consul-default = "/run/keys/consul-default-token";
+      consul-nomad = "/run/keys/consul-nomad-token";
+      consul-vault-srv = "vault-consul-token";
+      nomad-snapshot = "/run/keys/nomad-snapshot-token";
+      nomad-autoscaler = "/run/keys/nomad-autoscaler-token";
+    };
+  };
+}
diff --git a/lib/mk-system/show-warnings-and-assertions-module.nix b/lib/mk-system/show-warnings-and-assertions-module.nix
@@ -0,0 +1,17 @@
+{ lib, config, ... }: let
+  failedAssertions =
+    map (x: x.message) (lib.filter (x: !x.assertion) config.assertions);
+  validateConfig = if failedAssertions != [ ] then
+    throw ''
+
+      Failed assertions:
+      ${builtins.concatStringsSep "\n"
+      (map (x: "- ${x}") failedAssertions)}''
+  else
+    lib.showWarnings config.warnings;
+in {
+  options.showWarningsAndAssertions = lib.mkOption {
+    type = with lib.types; bool;
+    default = validateConfig true;
+  };
+}
diff --git a/modules/ingress-config.nix b/modules/ingress-config.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, lib, pkiFiles, hashiTokens, ... }: {
+{ pkgs, config, lib, pkiFiles, hashiTokens, letsencryptCertMaterial, ... }: {
   options = {
     services.ingress-config = {
       enable = lib.mkEnableOption "Enable Ingress configuration generation";
@@ -135,7 +135,7 @@
         http-request redirect scheme https if http
 
       frontend https
-        bind *:443 ssl crt /etc/ssl/certs/${config.cluster.domain}-full.pem alpn h2,http/1.1
+        bind *:443 ssl crt ${letsencryptCertMaterial.certChainFile} alpn h2,http/1.1
 
         acl oauth_proxy path_beg /oauth2/
         acl authenticated var(txn.auth_response_successful) -m bool

diff --git a/modules/ingress.nix b/modules/ingress.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, pkiFiles, ... }:
+{ config, pkgs, lib, pkiFiles, letsencryptCertMaterial, ... }:
 
 {
   options = {
@@ -24,7 +24,9 @@
           cp ${pkiFiles.caCertFile} consul-ca.pem
           cat ${pkiFiles.certChainFile} ${pkiFiles.keyFile} > consul-crt.pem
 
-          cat /etc/ssl/certs/${config.cluster.domain}-{cert,key}.pem \
+          cat \
+            ${letsencryptCertMaterial.certFile} \
+            ${letsencryptCertMaterial.keyFile} \
             ${../lib/letsencrypt.pem} \
           > acme-full.pem
 

diff --git a/modules/vulnix.nix b/modules/vulnix.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, nodeName, hashiTokens, ... }:
+{ config, pkgs, lib, nodeName, hashiTokens, letsencryptCertMaterial, ... }:
 
 let
   cfg = config.services.vulnix;
@@ -130,7 +130,7 @@ in {
       environment = lib.mkIf cfg.scanNomadJobs.enable {
         VAULT_ADDR = "https://vault.${config.cluster.domain}";
         NOMAD_ADDR = "https://nomad.${config.cluster.domain}";
-        VAULT_CACERT = "/etc/ssl/certs/$-full.pem";
+        VAULT_CACERT = letsencryptCertMaterial.certChainFile;
       };
 
       path = with pkgs; [ cfg.package vault-bin curl jq nixFlakes gitMinimal ];

diff --git a/profiles/routing.nix b/profiles/routing.nix
@@ -1,4 +1,4 @@
-{ self, lib, pkgs, config, nodeName, bittelib, hashiTokens, ... }: {
+{ self, lib, pkgs, config, nodeName, bittelib, hashiTokens, letsencryptCertMaterial, ... }: {
 
   imports = [
     ./common.nix
@@ -35,7 +35,9 @@
         set -exuo pipefail
 
         mkdir -p /var/lib/traefik/certs
-        cp /etc/ssl/certs/${config.cluster.domain}-*.pem /var/lib/traefik/certs
+        cp ${letsencryptCertMaterial.certChainFile} /var/lib/traefik/certs/${builtins.baseNameOf letsencryptCertMaterial.certChainFile}
+        cp ${letsencryptCertMaterial.keyFile} /var/lib/traefik/certs/${builtins.baseNameOf letsencryptCertMaterial.keyFile}
+
         chown -R traefik:traefik /var/lib/traefik
       '';
     };
@@ -56,8 +58,9 @@
         extraDomainNames = [ "*.${config.cluster.domain}" ]
           ++ config.cluster.extraAcmeSANs;
         postRun = ''
-          cp fullchain.pem /etc/ssl/certs/${config.cluster.domain}-full.pem
-          cp key.pem /etc/ssl/certs/${config.cluster.domain}-key.pem
+          cp fullchain.pem ${letsencryptCertMaterial.certChainFile}
+          cp key.pem ${letsencryptCertMaterial.keyFile}
+          cp cert.pem ${letsencryptCertMaterial.certFile}
           systemctl try-restart --no-block traefik.service
 
           export VAULT_TOKEN="$(< ${hashiTokens.vault})"
@@ -72,8 +75,8 @@
     services.traefik = {
       dynamicConfigOptions = {
         tls.certificates = [{
-          certFile = "/var/lib/traefik/certs/${config.cluster.domain}-full.pem";
-          keyFile = "/var/lib/traefik/certs/${config.cluster.domain}-key.pem";
+          certFile = "/var/lib/traefik/certs/${builtins.baseNameOf letsencryptCertMaterial.certChainFile}";
+          keyFile = "/var/lib/traefik/certs/${builtins.baseNameOf letsencryptCertMaterial.keyFile}";
         }];
 
         http = {

diff --git a/profiles/vault/secrets-provisioning/letsencrypt-ingress.nix b/profiles/vault/secrets-provisioning/letsencrypt-ingress.nix
@@ -1,32 +1,27 @@
-{ config, lib, pkgs, pkiFiles, ... }: let
+{ config, lib, pkgs, letsencryptCertMaterial, ... }: let
+
+  # assumes: routing has uploaded letsencrypt cert material
 
   reload = service: "${pkgs.systemd}/bin/systemctl --no-block try-reload-or-restart ${service}";
   restart = service: "${pkgs.systemd}/bin/systemctl --no-block try-restart ${service}";
 
 in {
   services.vault-agent.templates = {
-    "/etc/ssl/certs/${config.cluster.domain}-cert.pem" = {
+    ${letsencryptCertMaterial.certFile} = {
       command = restart "ingress.service";
       contents = ''
         {{ with secret "kv/bootstrap/letsencrypt/cert" }}{{ .Data.data.value }}{{ end }}
       '';
     };
 
-    "/etc/ssl/certs/${config.cluster.domain}-full.pem" = {
+    ${letsencryptCertMaterial.certChainFile} = {
       command = restart "ingress.service";
       contents = ''
         {{ with secret "kv/bootstrap/letsencrypt/fullchain" }}{{ .Data.data.value }}{{ end }}
       '';
     };
 
-    "/etc/ssl/certs/${config.cluster.domain}-key.pem" = {
-      command = restart "ingress.service";
-      contents = ''
-        {{ with secret "kv/bootstrap/letsencrypt/key" }}{{ .Data.data.value }}{{ end }}
-      '';
-    };
-
-    "/etc/ssl/certs/${config.cluster.domain}-full.pem.key" = {
+    ${letsencryptCertMaterial.keyFile} = {
       command = restart "ingress.service";
       contents = ''
         {{ with secret "kv/bootstrap/letsencrypt/key" }}{{ .Data.data.value }}{{ end }}