Move to dedicated Let's Encrypt certificate volume

We would previously use the `letsencrypt` volume used as state by Lego itself, which contains a number of private files not intended to be accessed widely; the `letsencrypt-certificates` volume used now contains only certificate chains and private keys, under dedicated folders.
2024-01-04 21:02:11 +00:00 · 2024-01-04 21:02:11 +00:00 · 83bea27cd4
parent bc579762cc
commit 83bea27cd4
11 changed files with 20 additions and 20 deletions
--- a/host/virtual/spec.bu
+++ b/host/virtual/spec.bu
@ -154,10 +154,10 @@ systemd:
        - name: use-local-files.conf
          contents: |
            [Service]
-            ExecStartPre=/bin/podman volume create --ignore letsencrypt
+            ExecStartPre=/bin/podman volume create --ignore letsencrypt-certificates
            ExecStart=
-            ExecStart=/bin/sh -c "V=$(podman volume mount letsencrypt) && cp -Rv /etc/ssl/private/certificates $V && chown -R 10000:10000 $V"
-            ExecStartPost=/bin/podman volume unmount letsencrypt
+            ExecStart=/bin/sh -c "V=$(podman volume mount letsencrypt-certificates) && cp -Rv /etc/ssl/private/certificates $V && chown -R 10000:10000 $V"
+            ExecStartPost=/bin/podman volume unmount letsencrypt-certificates

 storage:
  files:
@ -197,7 +197,7 @@ storage:

    # Include pre-generated certificates for localhost domain, as we're not using Let's Encrypt in
    # generating certificates for the virtual host.
-    - path: /etc/ssl/private/certificates/localhost.crt
+    - path: /etc/ssl/private/certificates/localhost/fullchain.pem
      mode: 0644
      contents:
        inline: |
@ -220,7 +220,7 @@ storage:
          D2VKHadJ4I7seMAgANBFG4NQEUIUlUxGwUc6tZ3pr93dFWkfE+IxE6YBg5Xkuux4
          eAu/TcqROsjnQwQ9Qw4d2FA1C27JIvS6ysOJxJQmVtpZUdfK2hVoeKJvMPnkENOp
          -----END CERTIFICATE-----
-    - path: /etc/ssl/private/certificates/localhost.key
+    - path: /etc/ssl/private/certificates/localhost/privkey.pem
      mode: 0644
      contents:
        inline: |
--- a/service/coturn/container/config/turnserver.conf.template
+++ b/service/coturn/container/config/turnserver.conf.template
@ -444,14 +444,14 @@ realm=${COTURN_REALM}
 # Use an absolute path or path relative to the
 # configuration file.
 #
-cert=/etc/ssl/private/certificates/${COTURN_REALM}.crt
+cert=/etc/ssl/private/certificates/${COTURN_REALM}/fullchain.pem

 # Private key file.
 # Use an absolute path or path relative to the
 # configuration file.
 # Use PEM file format.
 #
-pkey=/etc/ssl/private/certificates/${COTURN_REALM}.key
+pkey=/etc/ssl/private/certificates/${COTURN_REALM}/privkey.pem

 # Private key file password, if it is in encoded format.
 # This option has no default value.
--- a/service/coturn/quadlet/coturn.container
+++ b/service/coturn/quadlet/coturn.container
@ -19,7 +19,7 @@ PublishPort=5350:5350
 PublishPort=5350:5350/udp
 PodmanArgs=--publish ${COTURN_RELAY_PORT_MIN}-${COTURN_RELAY_PORT_MAX}:${COTURN_RELAY_PORT_MIN}-${COTURN_RELAY_PORT_MAX}/udp --sdnotify=healthy
 Volume=%N:/var/lib/%N:z
-Volume=letsencrypt:/etc/ssl/private:z,ro
+Volume=letsencrypt-certificates:/etc/ssl/private:z,ro

 [Service]
 EnvironmentFile=%E/coreos-home-server/%N/%N.env
--- a/service/dovecot/container/config/dovecot.conf.template
+++ b/service/dovecot/container/config/dovecot.conf.template
@ -82,8 +82,8 @@ ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 ssl_prefer_server_ciphers = no

-ssl_cert = </etc/ssl/private/certificates/${DOVECOT_HOST}.crt
-ssl_key = </etc/ssl/private/certificates/${DOVECOT_HOST}.key
+ssl_cert = </etc/ssl/private/certificates/${DOVECOT_HOST}/fullchain.pem
+ssl_key = </etc/ssl/private/certificates/${DOVECOT_HOST}/privkey.pem

 protocol imap {
 	mail_max_userip_connections = 25
--- a/service/dovecot/quadlet/dovecot.container
+++ b/service/dovecot/quadlet/dovecot.container
@ -18,7 +18,7 @@ PublishPort=143:143
 PublishPort=993:993
 PublishPort=4190:4190
 Volume=%N:/var/mail:z
-Volume=letsencrypt:/etc/ssl/private:z,ro
+Volume=letsencrypt-certificates:/etc/ssl/private:z,ro

 [Service]
 ExecReload=/bin/podman exec %N doveadm -v reload
--- a/service/letsencrypt/container/run-hook
+++ b/service/letsencrypt/container/run-hook
@ -4,5 +4,5 @@ set -eu

 # Copy certificates to dedicated directory.
 install --owner letsencrypt --group letsencrypt --mode 0755 -d "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN"
-install --owner letsencrypt --group letsencrypt --mode 0644 "$LEGO_CERT_PATH" "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/cert.pem"
-install --owner letsencrypt --group letsencrypt --mode 0640 "$LEGO_CERT_KEY_PATH" "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/cert.key"
+install --owner letsencrypt --group letsencrypt --mode 0644 "$LEGO_CERT_PATH" "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/fullchain.pem"
+install --owner letsencrypt --group letsencrypt --mode 0640 "$LEGO_CERT_KEY_PATH" "/var/lib/letsencrypt-certificates/$LEGO_CERT_DOMAIN/privkey.pem"
--- a/service/nginx/quadlet/nginx.container
+++ b/service/nginx/quadlet/nginx.container
@ -13,7 +13,7 @@ PodmanArgs=--sdnotify=healthy
 PublishPort=80:80
 PublishPort=443:443
 Volume=nginx-conf:/etc/nginx/conf.d:z
-Volume=letsencrypt:/etc/ssl/private:z,rshared,ro
+Volume=letsencrypt-certificates:/etc/ssl/private:z,rshared,ro

 [Service]
 Restart=on-failure
--- a/service/nginx/service/nginx-proxy-http.conf.template
+++ b/service/nginx/service/nginx-proxy-http.conf.template
@ -8,8 +8,8 @@ server {
    listen 443 ssl;
    server_name ${SERVER_NAME} ${SERVER_NAME_ALT};

-    ssl_certificate     /etc/ssl/private/certificates/${SSL_CERT_NAME}.crt;
-    ssl_certificate_key /etc/ssl/private/certificates/${SSL_CERT_NAME}.key;
+    ssl_certificate     /etc/ssl/private/certificates/${SSL_CERT_NAME}/fullchain.pem;
+    ssl_certificate_key /etc/ssl/private/certificates/${SSL_CERT_NAME}/privkey.pem;

    include resolver.conf;
    set $upstream_endpoint http://${UPSTREAM_HOST}:${UPSTREAM_PORT}${UPSTREAM_PATH};
--- a/service/postfix/container/config/main.cf.template
+++ b/service/postfix/container/config/main.cf.template
@ -202,6 +202,6 @@ tls_ssl_options = no_ticket, no_compression
 tls_preempt_cipherlist = no

 # Certificate file location.
-smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt
-smtpd_tls_key_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.key
+smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}/fullchain.pem
+smtpd_tls_key_file = /etc/ssl/private/certificates/${POSTFIX_HOST}/privkey.pem
 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
--- a/service/postfix/quadlet/postfix.container
+++ b/service/postfix/quadlet/postfix.container
@ -15,7 +15,7 @@ PublishPort=465:465
 PublishPort=587:587
 Network=internal
 Volume=dovecot:/var/mail:z
-Volume=letsencrypt:/etc/ssl/private:z,ro
+Volume=letsencrypt-certificates:/etc/ssl/private:z,ro

 [Service]
 ExecReload=/bin/podman exec %N postfix reload
--- a/service/prosody/quadlet/prosody.container
+++ b/service/prosody/quadlet/prosody.container
@ -17,7 +17,7 @@ PublishPort=5269:5269
 PublishPort=5347:5347
 Volume=%N:/var/lib/%N:z
 Volume=prosody-conf:/etc/%N/conf.d:z
-Volume=letsencrypt:/etc/ssl/private:z
+Volume=letsencrypt-certificates:/etc/ssl/private:z,ro

 [Service]
 ExecReload=/bin/podman exec %N prosodyctl shell config reload