3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/nixos/modules/security
Arian van Putten 604b7c139f Fix letsencrypt (#60219)
* nixos/acme: Fix ordering of cert requests

When subsequent certificates would be added, they would
not wake up nginx correctly due to target units only being triggered
once. We now added more fine-grained systemd dependencies to make sure
nginx always is aware of new certificates and doesn't restart too early
resulting in a crash.

Furthermore, the acme module has been refactored. Mostly to get
rid of the deprecated PermissionStartOnly systemd options which were
deprecated. Below is a summary of changes made.

* Use SERVICE_RESULT to determine status
This was added in systemd v232. we don't have to keep track
of the EXITCODE ourselves anymore.

* Add regression test for requesting mutliple domains

* Deprecate 'directory' option
We now use systemd's StateDirectory option to manage
create and permissions of the acme state directory.

* The webroot is created using a systemd.tmpfiles.rules rule
instead of the preStart script.

* Depend on certs directly

By getting rid of the target units, we make sure ordering
is correct in the case that you add new certs after already
having deployed some.

Reason it broke before:  acme-certificates.target would
be in active state, and if you then add a new cert, it
would still be active and hence nginx would restart
without even requesting a new cert. Not good!  We
make the dependencies more fine-grained now. this should fix that

* Remove activationDelay option

It complicated the code a lot, and is rather arbitrary. What if
your activation script takes more than activationDelay seconds?

Instead, one should use systemd dependencies to make sure some
action happens before setting the certificate live.

e.g. If you want to wait until your cert is published in DNS DANE /
TLSA, you could create a unit that blocks until it appears in DNS:

```
RequiredBy=acme-${cert}.service
After=acme-${cert}.service
ExecStart=publish-wait-for-dns-script
```
2019-08-29 16:32:59 +02:00
..
wrappers nixos/wrappers: remove outdated upgrade code 2018-10-21 15:12:36 +02:00
acme.nix Fix letsencrypt (#60219) 2019-08-29 16:32:59 +02:00
acme.xml Fix letsencrypt (#60219) 2019-08-29 16:32:59 +02:00
apparmor-suid.nix apparmor-suid: don't force glibc 2018-10-30 19:50:47 -05:00
apparmor.nix nixos/apparmor: ensure that apparmor is selected at boot 2019-05-11 18:21:38 +02:00
audit.nix
auditd.nix
ca.nix nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
chromium-suid-sandbox.nix
dhparams.nix dhparams module: add self as maintainer 2018-10-31 01:05:35 +09:00
duosec.nix nixos/security: make duo support secure failure correctly 2019-03-17 18:25:20 -07:00
google_oslogin.nix config.security.googleOsLogin: add module 2018-12-21 17:52:37 +01:00
hidepid.nix [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
hidepid.xml docs: format 2018-09-29 20:51:11 -04:00
lock-kernel-modules.nix nixos/lock-kernel-modules: add myself to maintainers 2018-10-15 01:33:30 +02:00
misc.nix nixos/hardened: make pti=on overridable 2019-07-30 02:24:56 +02:00
oath.nix [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
pam.nix nixos/pam: Add GNOME keyring use_authtok directive to password group 2019-04-14 09:50:22 -04:00
pam_mount.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
pam_usb.nix [bot] treewide: remove unused 'inherit' in let blocks 2018-07-20 19:38:19 +00:00
polkit.nix nixos/polkit: use tmpfiles to clean old dirs 2018-09-30 11:08:11 -07:00
prey.nix
rngd.nix rngd: harden service config, from arch 2019-05-07 22:53:09 -05:00
rtkit.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
sudo.nix nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
systemd-confinement.nix nixos/confinement: Use PrivateMounts option 2019-03-27 20:34:32 +01:00