mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-10-22 11:54:30 -04:00
982c5a1f0e
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests
I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.
I encountered some problems ensuring that the reload took place
without accidently triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.
- Fix duplicate systemd rules on reload services
Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
|
||
|---|---|---|
| .. | ||
| wrappers | ||
| acme.nix | ||
| acme.xml | ||
| apparmor-suid.nix | ||
| apparmor.nix | ||
| audit.nix | ||
| auditd.nix | ||
| ca.nix | ||
| chromium-suid-sandbox.nix | ||
| dhparams.nix | ||
| doas.nix | ||
| duosec.nix | ||
| google_oslogin.nix | ||
| hidepid.nix | ||
| hidepid.xml | ||
| lock-kernel-modules.nix | ||
| misc.nix | ||
| oath.nix | ||
| pam.nix | ||
| pam_mount.nix | ||
| pam_usb.nix | ||
| polkit.nix | ||
| rngd.nix | ||
| rtkit.nix | ||
| sudo.nix | ||
| systemd-confinement.nix | ||
| tpm2.nix | ||