commit 2c111ce34333b05b3a893195c34952c9b994022c · pyrox.dev/nixpkgs

+3

nixos/doc/manual/redirects.json

···

       1468
        
         "module-security-acme-fix-jws": [

     

       1469
        
           "index.html#module-security-acme-fix-jws"

     

       1470
        
         ],

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       1471
        
         "module-programs-zsh-ohmyzsh": [

     

       1472
        
           "index.html#module-programs-zsh-ohmyzsh"

     

       1473
        
         ],

···

       1468
        
         "module-security-acme-fix-jws": [

     

       1469
        
           "index.html#module-security-acme-fix-jws"

     

       1470
        
         ],

     

       1471
       +
         "module-security-acme-reload-dependencies": [

     

       1472
       +
           "index.html#module-security-acme-reload-dependencies"

     

       1473
       +
         ],

     

       1474
        
         "module-programs-zsh-ohmyzsh": [

     

       1475
        
           "index.html#module-programs-zsh-ohmyzsh"

     

       1476
        
         ],

+15

nixos/doc/manual/release-notes/rl-2511.section.md

···

       165
        
       

     

       166
        
       - `services.gitea` supports sending notifications with sendmail again. To do this, activate the parameter `services.gitea.mailerUseSendmail` and configure SMTP server.

     

       167
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       168
        
       - `libvirt` now supports using `nftables` backend.

     

       169
        
       

     

       170
        
       - `systemd.extraConfig` and `boot.initrd.systemd.extraConfig` was converted to RFC42-style `systemd.settings.Manager` and `boot.initrd.systemd.settings.Manager` respectively.

···

165

166

- `services.gitea` supports sending notifications with sendmail again. To do this, activate the parameter `services.gitea.mailerUseSendmail` and configure SMTP server.

167

168
+
- Revamp of the ACME certificate acquisication and renewal process to help scale systems with lots (100+) of certificates.

169
+

170
+
Units and targets have been reshaped to better support more specific dependency propagation and avoid

171
+
superfluously triggering unchanged units:

172
+

173
+
If a service requires a syntactically valid certificate to start it should now depend on the `acme-{certname}.service` unit.

174
+

175
+
We now always generate initial self-signed certificates as this drastically simplifies the dependency structure. As a result, the option `security.acme.preliminarySelfsigned` has been removed.

176
+

177
+
Instead of the previous `acme-finished-{certname}.target`s there are now `acme-order-renew-{certname}.service`s that will be activated

178
+
in a delayed fashion to ensure that bootstrapping with servers like nginx that take part in the acquisition/renewal process works

179
+
smoothly. Dependencies on `acme-finished` units should move to `acme-order-renew`.

180
+

181
+
Note that system activation will complete before all certificates may have been renewed or acquired.

182
+

183

- `libvirt` now supports using `nftables` backend.

184

185

- `systemd.extraConfig` and `boot.initrd.systemd.extraConfig` was converted to RFC42-style `systemd.settings.Manager` and `boot.initrd.systemd.settings.Manager` respectively.

+8

nixos/modules/security/acme/default.md

···

       376
        
       # Note: Do this for all certs that share the same account email address

     

       377
        
       systemctl start acme-example.com.service

     

       378
        
       ```

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0

···

       376
        
       # Note: Do this for all certs that share the same account email address

     

       377
        
       systemctl start acme-example.com.service

     

       378
        
       ```

     

       379
       +
       

     

       380
       +
       ## Ensuring dependencies for services that need to be reloaded when a certificate challenges {#module-security-acme-reload-dependencies}

     

       381
       +
       

     

       382
       +
       Services that depend on ACME certificates and need to be reloaded can use one of two approaches to reload upon successfull certificate acquisition or renewal:

     

       383
       +
       

     

       384
       +
       1. **Using the `security.acme.certs.<name>.reloadServices` option**: This will cause `systemctl try-reload-or-restart` to be run for the listed services.

     

       385
       +
       

     

       386
       +
       2. **Using a separate reload unit**: if you need perform more complex actions you can implement a separate reload unit but need to ensure that it lists the `acme-renew-<name>.service` unit both as `wantedBy` AND `after`. See the nginx module implementation with its `nginx-config-reload` service.