README
¶
caddy-tlsfirestore
What is this?
A Caddy module that uses Google firestore for storing TLS certificates instead of the local file system.
Why is this?
I needed it for falsifiable. I wanted users to have ownership over their content. That demands that they own the addressing. If you don't want to allow insecure connections, this requires TLS. Caddy does most of that ACME heavy lifting. The only thing missing (for me) was more secure secret storage on Google Cloud.
I toyed with using Google Secrets Manager for storing all the certificates. But distributed locking is easier with transactions than it is with bad secrets manager kludges.
Following the lead of caddy-tlsconsul, All certificates are encrypted using AES in GCM.
The stored value is prefixed with the randomly sampled nonce. Technically, this is
bad nonce. But, a 12 byte nonce for such a small set of objects is very unlikely to
have collision problems.
Unlike caddy-tls you cannot opt out of encryption. Also, since I don't like storing
secrets in environmental variables or configuration files, you can choose to use
Google Secrets Manager for the encryption key.
Credits
Inspired by j0hnsmith's caddy-tlsclouddatastore
which was inspired by pteich's caddy-tlsconsul.
Documentation
¶
Index ¶
- Constants
- func IsDocNotFound(err error) bool
- func UTCNow() time.Time
- type Record
- type Storage
- func (s *Storage) CaddyModule() caddy.ModuleInfo
- func (s *Storage) CertMagicStorage() (certmagic.Storage, error)
- func (s *Storage) Delete(key string) error
- func (s *Storage) Exists(key string) bool
- func (s *Storage) List(prefix string, recursive bool) ([]string, error)
- func (s *Storage) Load(key string) ([]byte, error)
- func (s *Storage) Lock(ctx context.Context, key string) error
- func (s *Storage) Provision(ctx caddy.Context) error
- func (s *Storage) Stat(key string) (certmagic.KeyInfo, error)
- func (s *Storage) Store(key string, value []byte) error
- func (s *Storage) Unlock(key string) error
- func (s *Storage) UnmarshalCaddyfile(d *caddyfile.Dispenser) error
Constants ¶
const ( EnvNameProjectId = "CADDY_CLUSTERING_PROJECT_ID" EnvNameAesKeySecretId = "CADDY_CLUSTERING_AES_KEY_SECRET_ID" EnvNameAesKey = "CADDY_CLUSTERING_AESKEY_BASE64" )
const ( DefaultCollection = "certmagic" // The certmagic/filestorage.go uses a 1 second polling interval. // I'm using that as the minimum, but making it take up to 5 seconds // (uniformly distributed) because firestore has to do network // traversal and I'm not sure how transaction contention will // impact things. DefaultMinPollSeconds = 1 DefaultMaxPollSeconds = 5 // How often to update the lock's timestamp. Locks older than this // can be considered stale (e.g. failed process). Five seconds // is okay for as ingle document. The maximum sustained write rate // according to the firestore quotas is 1 per second. DefaultFreshnessIntervalSeconds = 5 )
Variables ¶
This section is empty.
Functions ¶
func IsDocNotFound ¶
Types ¶
type Storage ¶
type Storage struct {
ProjectId string `json:"project_id"`
Collection string `json:"collection"`
AESKeySecretId string `json:"aes_key_secret_id"`
MinPollSeconds int `json:"min_lock_poll_seconds"`
MaxPollSeconds int `json:"max_lock_poll_seconds"`
FreshnessSeconds int `json:"lock_freshness_seconds"`
AesKey []byte `json:"aes_key"`
certmagic.Storage
// contains filtered or unexported fields
}
Storage uses Firestore for a backend.
func (*Storage) CaddyModule ¶
func (s *Storage) CaddyModule() caddy.ModuleInfo
Source Files