pyrox.dev
+14
nixos/doc/manual/release-notes/rl-2009.xml
+14
nixos/doc/manual/release-notes/rl-2009.xml
···
+408
-229
nixos/modules/security/acme.nix
+408
-229
nixos/modules/security/acme.nix
···+for fixpath in /var/lib/acme/${escapeShellArg cert} /var/lib/acme/.lego/${escapeShellArg cert}; do+after = [ "network.target" "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps;+# Needs to be space separated, but can't use a multiline string because that'll include newlines+if [ -e certificates/domainhash.txt ] && cmp -s domainhash.txt certificates/domainhash.txt; then·········-(mkRemovedOptionModule [ "security" "acme" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")-(mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")-(mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")-(mkChangedOptionModule [ "security" "acme" "validMin"] [ "security" "acme" "validMinDays"] (config: config.security.acme.validMin / (24 * 3600)))······+(mkRemovedOptionModule [ "security" "acme" "directory" ] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")+(mkRemovedOptionModule [ "security" "acme" "preDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")+(mkRemovedOptionModule [ "security" "acme" "activationDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")+(mkChangedOptionModule [ "security" "acme" "validMin" ] [ "security" "acme" "validMinDays" ] (config: config.security.acme.validMin / (24 * 3600)))+warnings = filter (w: w != "") (mapAttrsToList (cert: data: if data.extraDomains != "_mkMergedOptionModule" then ''···-++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" data.webroot ])-++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)]-EXISTING_DOMAINS="$(openssl x509 -in ${spath}/certificates/${keyName}.crt -noout -ext subjectAltName | tail -n1 | sed -e 's/ *DNS://g')"+The option definition `security.acme.certs.${cert}.user' no longer has any effect; Please remove it.+The option definition `security.acme.certs.${cert}.allowKeysForGroup' no longer has any effect; Please remove it.+} // (mapAttrs' (cert: conf: nameValuePair "acme-selfsigned-${cert}" conf.selfsignService) certConfigs)));+systemd.timers = mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewTimer) certConfigs;+] ++ (optional (conf.webroot != null) "d ${conf.webroot}/.well-known/acme-challenge - acme ${conf.group}")-++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; }-map (data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}") (filter (data: data.webroot != null) (attrValues cfg.certs));
+16
-4
nixos/modules/security/acme.xml
+16
-4
nixos/modules/security/acme.xml
···-# All serverAliases will be added as <link linkend="opt-security.acme.certs._name_.extraDomains">extra domains</link> on the certificate.+# All serverAliases will be added as <link linkend="opt-security.acme.certs._name_.extraDomainNames">extra domain names</link> on the certificate.<link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ "bar.example.com" ];<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/www";···-<link linkend="opt-security.acme.certs._name_.extraDomains">security.acme.certs."foo.example.com".extraDomains."baz.example.com"</link> = null;+<link linkend="opt-security.acme.certs._name_.extraDomainNames">security.acme.certs."foo.example.com".extraDomainNames</link> = [ "baz.example.com" ];<link linkend="opt-services.nginx.virtualHosts._name_.useACMEHost">useACMEHost</link> = "foo.example.com";···-<link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains</link> = [ "mail.example.com" ];+<link linkend="opt-security.acme.certs._name_.extraDomainNames">extraDomainNames</link> = [ "mail.example.com" ];···
+2
-3
nixos/modules/services/networking/prosody.xml
+2
-3
nixos/modules/services/networking/prosody.xml
···+<link linkend="opt-security.acme.certs._name_.extraDomainNames">extraDomainNames</link> module option.Provided the setup detailed in the previous section, you'll need the following acme configuration to generate···<link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/www/example.org";-<link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains."conference.example.org"</link> = null;-<link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains."upload.example.org"</link> = null;+<link linkend="opt-security.acme.certs._name_.extraDomainNames">extraDomainNames</link> = [ "conference.example.org" "upload.example.org" ];
+55
-22
nixos/modules/services/web-servers/apache-httpd/default.nix
+55
-22
nixos/modules/services/web-servers/apache-httpd/default.nix
·········-else if hostOpts.useACMEHost != null then config.security.acme.certs.${hostOpts.useACMEHost}.directory······+email = mkOverride 2000 (if hostOpts.adminAddr != null then hostOpts.adminAddr else cfg.adminAddr);···-wants = concatLists (map (hostOpts: [ "acme-${hostOpts.hostName}.service" "acme-selfsigned-${hostOpts.hostName}.service" ]) vhostsACME);-after = [ "network.target" "fs.target" ] ++ map (hostOpts: "acme-selfsigned-${hostOpts.hostName}.service") vhostsACME;+wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) dependentCertNames);+after = [ "network.target" ] ++ map (certName: "acme-selfsigned-${certName}.service") dependentCertNames;···+unitConfig.ConditionPathExists = map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames;
+46
-42
nixos/modules/services/web-servers/nginx/default.nix
+46
-42
nixos/modules/services/web-servers/nginx/default.nix
···-acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs;+acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME || vhostConfig.useACMEHost != null) vhostsConfigs;···-wants = concatLists (map (vhostConfig: ["acme-${vhostConfig.serverName}.service" "acme-selfsigned-${vhostConfig.serverName}.service"]) acmeEnabledVhosts);-after = [ "network.target" ] ++ map (vhostConfig: "acme-selfsigned-${vhostConfig.serverName}.service") acmeEnabledVhosts;+wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) dependentCertNames);+after = [ "network.target" ] ++ map (certName: "acme-selfsigned-${certName}.service") dependentCertNames;···+unitConfig.ConditionPathExists = optionals (sslServices != []) (map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames);
+231
-135
nixos/tests/acme.nix
+231
-135
nixos/tests/acme.nix
···-${curl}/bin/curl --data '{"host": "'"$2"'", "value": "'"$3"'"}' http://${dnsAddress}:8055/set-txt+${pkgs.curl}/bin/curl --data '{"host": "'"$2"'", "value": "'"$3"'"}' http://${dnsAddress}:8055/set-txt···-EXEC_PATH=${dnsScript { inherit writeScript bash curl; dnsAddress = nodes.dnsserver.config.networking.primaryIPAddress; }}······# Note, wait_for_unit does not work for oneshot services that do not have RemainAfterExit=true,-'curl --data \'{"host": "acme.test", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${nodes.dnsserver.config.networking.primaryIPAddress}:8055/add-a'-'curl --data \'{"host": "standalone.test", "addresses": ["${nodes.acmeStandalone.config.networking.primaryIPAddress}"]}\' http://${nodes.dnsserver.config.networking.primaryIPAddress}:8055/add-a'+'curl --data \'{"host": "acme.test", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${dnsServerIP nodes}:8055/add-a'
+5
-6
nixos/tests/common/acme/client/default.nix
+5
-6
nixos/tests/common/acme/client/default.nix
···
+38
-34
nixos/tests/common/acme/server/default.nix
+38
-34
nixos/tests/common/acme/server/default.nix
···············
-69
nixos/tests/common/acme/server/mkcerts.nix
-69
nixos/tests/common/acme/server/mkcerts.nix
···
-6
nixos/tests/common/acme/server/mkcerts.sh
-6
nixos/tests/common/acme/server/mkcerts.sh
+36
-171
nixos/tests/common/acme/server/snakeoil-certs.nix
+36
-171
nixos/tests/common/acme/server/snakeoil-certs.nix
···
-3
nixos/tests/postfix-raise-smtpd-tls-security-level.nix
-3
nixos/tests/postfix-raise-smtpd-tls-security-level.nix
+7
-6
nixos/tests/postfix.nix
+7
-6
nixos/tests/postfix.nix
··················
+34
pkgs/tools/security/minica/default.nix
+34
pkgs/tools/security/minica/default.nix
···
+2
pkgs/top-level/all-packages.nix
+2
pkgs/top-level/all-packages.nix
···