forked from mirrors/nixpkgs
nixpkgs/pkgs/tools/security/minica/default.nix
Lucas Savva 982c5a1f0e
nixos/acme: Restructure module
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests

I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.

I encountered some problems ensuring that the reload took place
without accidentally triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.

- Fix duplicate systemd rules on reload services

Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
2020-09-02 19:22:43 +01:00

35 lines
968 B
Nix

{ lib, buildGoPackage, fetchFromGitHub }:

buildGoPackage rec {
  pname = "minica";
  version = "1.0.2";

  goPackagePath = "github.com/jsha/minica";

  src = fetchFromGitHub {
    owner = "jsha";
    repo = "minica";
    rev = "v${version}";
    sha256 = "18518wp3dcjhf3mdkg5iwxqr3326n6jwcnqhyibphnb2a58ap7ny";
  };

  buildFlagsArray = ''
    -ldflags=
    -X main.BuildVersion=${version}
  '';

  meta = with lib; {
    description = "A simple tool for generating self signed certificates.";
    longDescription = ''
      Minica is a simple CA intended for use in situations where the CA
      operator also operates each host where a certificate will be used. It
      automatically generates both a key and a certificate when asked to
      produce a certificate.
    '';
    homepage = "https://github.com/jsha/minica/";
    license = licenses.mit;
    maintainers = with maintainers; [ m1cr0man ];
    platforms = platforms.linux ++ platforms.darwin;
  };
}