commit 2c111ce34333b05b3a893195c34952c9b994022c · pyrox.dev/nixpkgs

+3

nixos/doc/manual/redirects.json

···

       1468
       1468
        
         "module-security-acme-fix-jws": [

     

       1469
       1469
        
           "index.html#module-security-acme-fix-jws"

     

       1470
       1470
        
         ],

     

       1471
       1471
       +
         "module-security-acme-reload-dependencies": [

     

       1472
       1472
       +
           "index.html#module-security-acme-reload-dependencies"

     

       1473
       1473
       +
         ],

     

       1471
       1474
        
         "module-programs-zsh-ohmyzsh": [

     

       1472
       1475
        
           "index.html#module-programs-zsh-ohmyzsh"

     

       1473
       1476
        
         ],

+15

nixos/doc/manual/release-notes/rl-2511.section.md

···

       165
       165
        
       

     

       166
       166
        
       - `services.gitea` supports sending notifications with sendmail again. To do this, activate the parameter `services.gitea.mailerUseSendmail` and configure SMTP server.

     

       167
       167
        
       

     

       168
       168
       +
       - Revamp of the ACME certificate acquisication and renewal process to help scale systems with lots (100+) of certificates.

     

       169
       169
       +
       

     

       170
       170
       +
         Units and targets have been reshaped to better support more specific dependency propagation and avoid

     

       171
       171
       +
         superfluously triggering unchanged units:

     

       172
       172
       +
       

     

       173
       173
       +
         If a service requires a syntactically valid certificate to start it should now depend on the `acme-{certname}.service` unit.

     

       174
       174
       +
       

     

       175
       175
       +
         We now always generate initial self-signed certificates as this drastically simplifies the dependency structure. As a result, the option `security.acme.preliminarySelfsigned` has been removed.

     

       176
       176
       +
       

     

       177
       177
       +
         Instead of the previous `acme-finished-{certname}.target`s there are now `acme-order-renew-{certname}.service`s that will be activated

     

       178
       178
       +
         in a delayed fashion to ensure that bootstrapping with servers like nginx that take part in the acquisition/renewal process works

     

       179
       179
       +
         smoothly. Dependencies on `acme-finished` units should move to `acme-order-renew`.

     

       180
       180
       +
       

     

       181
       181
       +
         Note that system activation will complete before all certificates may have been renewed or acquired.

     

       182
       182
       +
       

     

       168
       183
        
       - `libvirt` now supports using `nftables` backend.

     

       169
       184
        
       

     

       170
       185
        
       - `systemd.extraConfig` and `boot.initrd.systemd.extraConfig` was converted to RFC42-style `systemd.settings.Manager` and `boot.initrd.systemd.settings.Manager` respectively.

+8

nixos/modules/security/acme/default.md

···

       376
       376
        
       # Note: Do this for all certs that share the same account email address

     

       377
       377
        
       systemctl start acme-example.com.service

     

       378
       378
        
       ```

     

       379
       379
       +
       

     

       380
       380
       +
       ## Ensuring dependencies for services that need to be reloaded when a certificate challenges {#module-security-acme-reload-dependencies}

     

       381
       381
       +
       

     

       382
       382
       +
       Services that depend on ACME certificates and need to be reloaded can use one of two approaches to reload upon successfull certificate acquisition or renewal:

     

       383
       383
       +
       

     

       384
       384
       +
       1. **Using the `security.acme.certs.<name>.reloadServices` option**: This will cause `systemctl try-reload-or-restart` to be run for the listed services.

     

       385
       385
       +
       

     

       386
       386
       +
       2. **Using a separate reload unit**: if you need perform more complex actions you can implement a separate reload unit but need to ensure that it lists the `acme-renew-<name>.service` unit both as `wantedBy` AND `after`. See the nginx module implementation with its `nginx-config-reload` service.