+3
nixos/doc/manual/redirects.json
+3
nixos/doc/manual/redirects.json
···
+15
nixos/doc/manual/release-notes/rl-2511.section.md
+15
nixos/doc/manual/release-notes/rl-2511.section.md
···- `services.gitea` supports sending notifications with sendmail again. To do this, activate the parameter `services.gitea.mailerUseSendmail` and configure SMTP server.+- Revamp of the ACME certificate acquisication and renewal process to help scale systems with lots (100+) of certificates.+Units and targets have been reshaped to better support more specific dependency propagation and avoid+If a service requires a syntactically valid certificate to start it should now depend on the `acme-{certname}.service` unit.+We now always generate initial self-signed certificates as this drastically simplifies the dependency structure. As a result, the option `security.acme.preliminarySelfsigned` has been removed.+Instead of the previous `acme-finished-{certname}.target`s there are now `acme-order-renew-{certname}.service`s that will be activated+in a delayed fashion to ensure that bootstrapping with servers like nginx that take part in the acquisition/renewal process works+Note that system activation will complete before all certificates may have been renewed or acquired.- The `virtualisation.libvirtd.firewallBackend` option can be used to configure the firewall backend used by libvirtd.
+9
-1
nixos/modules/security/acme/default.md
+9
-1
nixos/modules/security/acme/default.md
······+## Ensuring dependencies for services that need to be reloaded when a certificate challenges {#module-security-acme-reload-dependencies}+Services that depend on ACME certificates and need to be reloaded can use one of two approaches to reload upon successfull certificate acquisition or renewal:+1. **Using the `security.acme.certs.<name>.reloadServices` option**: This will cause `systemctl try-reload-or-restart` to be run for the listed services.+2. **Using a separate reload unit**: if you need perform more complex actions you can implement a separate reload unit but need to ensure that it lists the `acme-renew-<name>.service` unit both as `wantedBy` AND `after`. See the nginx module implementation with its `nginx-config-reload` service.
+164
-189
nixos/modules/security/acme/default.nix
+164
-189
nixos/modules/security/acme/default.nix
···-# Assign elements of `baseList` to each element of `needAssignmentList`, until the latter is exhausted.······-selfsignedDeps = lib.optionals (cfg.preliminarySelfsigned) [ "acme-selfsigned-${cert}.service" ];···certificateKey = if data.csrKey != null then "${data.csrKey}" else "certificates/${keyName}.key";······-script = (if (lockfileName == null) then lib.id else wrapInFlock "${lockdir}${lockfileName}") ''--domains ${lib.escapeShellArg (builtins.concatStringsSep "," ([ data.domain ] ++ extraDomains))}+# Ensure the webroot exists. Fixing group is required in case configuration was changed between runs.+echo 'Please ensure ${data.webroot}/.well-known/acme-challenge exists and is writable by acme:${data.group}' \···-script = (if (lockfileName == null) then lib.id else wrapInFlock "${lockdir}${lockfileName}") ''···-# Ensure the webroot exists. Fixing group is required in case configuration was changed between runs.-echo 'Please ensure ${data.webroot}/.well-known/acme-challenge exists and is writable by acme:${data.group}' \if cmp -s domainhash.txt certificates/domainhash.txt && [ -e '${certificateKey}' ] && [ -e 'certificates/${keyName}.crt' ] && [ -n "$(find accounts -name '${data.email}.key')" ]; then···-${lib.optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."}············"ACME Directory is now hardcoded to /var/lib/acme and its permissions are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info."-"This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal"+"This option has been removed. 
If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service and Before=acme-\${cert}.service to the service you want to execute before the cert renewal"-"This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal"+"This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service and Before=acme-\${cert}.service to the service you want to execute before the cert renewal"+"This option has been removed. Preliminary self-signed certificates are now always generated to simplify the dependency structure."·········
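Review bot: The two removed `script = (if (lockfileName == null) then lib.id else wrapInFlock "${lockdir}${lockfileName}") ''` lines drop the flock around the lego invocation, and no replacement serialisation is visible on the new side of this hunk. If the new `acme-order-renew-*` units can run concurrently for certificates that share an account directory or webroot, confirm that systemd ordering or another lock still prevents two lego runs from racing on the same account files; the new body is collapsed here, so this may already be covered. Separately, the added comment `# Ensure the webroot exists. Fixing group is required in case configuration was changed between runs.` sits above a line that only prints advice (`echo 'Please ensure ${data.webroot}/.well-known/acme-challenge exists and is writable by acme:${data.group}' \`), so the comment overstates what that line does unless the continuation outside this view actually creates the directory. The enclosing script definitions start and end outside the hunk.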
+1
-1
nixos/modules/services/networking/doh-server.nix
+1
-1
nixos/modules/services/networking/doh-server.nix
···
+7
-10
nixos/modules/services/web-servers/apache-httpd/default.nix
+7
-10
nixos/modules/services/web-servers/apache-httpd/default.nix
···-dependentCertNames = filter (cert: certs.${cert}.dnsProvider == null) vhostCertNames; # those that might depend on the HTTP server-independentCertNames = filter (cert: certs.${cert}.dnsProvider != null) vhostCertNames; # those that don't depend on the HTTP server···-++ map (certName: "acme-${certName}.service") independentCertNames; # avoid loading self-signed key w/ real cert, or vice-versa···
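Review bot: The removed `++ map (certName: "acme-${certName}.service") independentCertNames` line carried the comment `avoid loading self-signed key w/ real cert, or vice-versa`, and the new side of this hunk shows no replacement ordering for DNS-01 certificates. Now that a self-signed pair is always generated, httpd can start against it, so a key from one generation and a certificate from the next could be read while lego replaces the files unless the swap is atomic or httpd is ordered after the corresponding order-renew unit; the new side is collapsed here, so this may already be handled. The same deletion appears in the caddy, h2o and nginx sections. Wherever the protection now lives, a one-line comment at the point these `wants`/`after` lists are built, naming the mechanism that rules out a mismatched key/cert pair, would keep the reasoning the deleted comment carried.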
+4
-9
nixos/modules/services/web-servers/caddy/default.nix
+4
-9
nixos/modules/services/web-servers/caddy/default.nix
···-dependentCertNames = filter (cert: certs.${cert}.dnsProvider == null) vhostCertNames; # those that might depend on the HTTP server-independentCertNames = filter (cert: certs.${cert}.dnsProvider != null) vhostCertNames; # those that don't depend on the HTTP server······-++ map (certName: "acme-${certName}.service") independentCertNames; # avoid loading self-signed key w/ real cert, or vice-versa
+5
-8
nixos/modules/services/web-servers/h2o/default.nix
+5
-8
nixos/modules/services/web-servers/h2o/default.nix
···-wants = lib.concatLists (map (certName: [ "acme-finished-${certName}.target" ]) acmeCertNames.all);-++ builtins.map (certName: "acme-${certName}.service") acmeCertNames.independent; # avoid loading self-signed key w/ real cert, or vice-versa···
+12
-17
nixos/modules/services/web-servers/nginx/default.nix
+12
-17
nixos/modules/services/web-servers/nginx/default.nix
···-dependentCertNames = filter (cert: certs.${cert}.dnsProvider == null) vhostCertNames; # those that might depend on the HTTP server-independentCertNames = filter (cert: certs.${cert}.dnsProvider != null) vhostCertNames; # those that don't depend on the HTTP server······-++ map (certName: "acme-${certName}.service") independentCertNames; # avoid loading self-signed key w/ real cert, or vice-versa···+sslOrderRenewServices = map (certName: "acme-order-renew-${certName}.service") vhostCertNames;
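Review bot: The unit name `acme-order-renew-${certName}.service` introduced in `sslOrderRenewServices` does not match the `acme-renew-<name>.service` that the same commit documents in nixos/modules/security/acme/default.md for custom reload units, while the release notes use `acme-order-renew-{certname}.service` as here. One of the two needs correcting, otherwise modules written against the documentation will order on a unit that does not exist and silently lose the reload. The surrounding definitions are collapsed in this view.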
+5
-7
nixos/modules/services/web-servers/pomerium.nix
+5
-7
nixos/modules/services/web-servers/pomerium.nix
······
+9
-18
nixos/tests/acme/caddy.nix
+9
-18
nixos/tests/acme/caddy.nix
···
+18
-4
nixos/tests/acme/default.nix
+18
-4
nixos/tests/acme/default.nix
·········
+68
-7
nixos/tests/acme/http01-builtin.nix
+68
-7
nixos/tests/acme/http01-builtin.nix
······builtin.succeed("test $(ls -1 /var/lib/acme/.lego/accounts | tee /dev/stderr | wc -l) -eq 2")···builtin.succeed("test $(ls -1 /var/lib/acme/.lego/accounts | tee /dev/stderr | wc -l) -eq 2")builtin.succeed("test $(ls -1 /var/lib/acme/.lego/accounts | tee /dev/stderr | wc -l) -eq 2")
+33
-32
nixos/tests/acme/python-utils.py
+33
-32
nixos/tests/acme/python-utils.py
············
+67
-22
nixos/tests/acme/webserver.nix
+67
-22
nixos/tests/acme/webserver.nix
·····················+webserver.wait_until_succeeds(f"journalctl --cursor-file=/tmp/cursor | grep 'Starting Order (and renew) ACME certificate for zeroconf3.{domain}...'")
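Review bot: The added `wait_until_succeeds` greps the journal with an unescaped pattern: the `.` in `zeroconf3.{domain}` and the trailing `...` are regex metacharacters, and `(and renew)` is tied to the unit's human-readable Description, so the check passes on any trailing characters and breaks whenever that description is reworded. Prefer a fixed-string match, `grep -F 'Starting Order (and renew) ACME certificate for zeroconf3.{domain}'`, or filter by unit instead, `journalctl --cursor-file=/tmp/cursor -u acme-order-renew-zeroconf3.{domain}.service`, so the assertion is tied to the unit rather than its wording. The surrounding test script is collapsed in this view.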
+5
-4
nixos/tests/step-ca.nix
+5
-4
nixos/tests/step-ca.nix
···caserver.wait_until_succeeds("journalctl -o cat -u step-ca.service | grep '${pkgs.step-ca.version}'")