Commit graph

241630 commits

Author SHA1 Message Date
Lucas Savva
1b6cfd9796
nixos/acme: Fix race condition, don't be smart with keys
Attempting to reuse keys on a basis different to the cert (AKA,
storing the key in a directory with a hashed name different to
the cert it is associated with) was ineffective since when
"lego run" is used it will ALWAYS generate a new key. This causes
issues when you revert changes since your "reused" key will not
be the one associated with the old cert. As such, I tore out the
whole keyDir implementation.

As for the race condition, checking the mtime of the cert file
was not sufficient to detect changes. In testing, selfsigned
and full certs could be generated/installed within 1 second of
each other. cmp is now used instead.

Also, I removed the nginx/httpd reload waiters in favour of
simple retry logic for the curl-based tests.
2020-09-04 01:09:43 +01:00
Lucas Savva
61dbf4bf89
nixos/acme: Add proper nginx/httpd config reload checks
Testing of certs failed randomly when the web server was still
returning old certs even after the reload was "complete". This was
because the reload commands send process signals and do not wait
for the worker processes to restart. This commit adds log watchers
which wait for the worker processes to be restarted.
2020-09-02 19:25:30 +01:00
Lucas Savva
982c5a1f0e
nixos/acme: Restructure module
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests

I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.

I encountered some problems ensuring that the reload took place
without accidentally triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.

- Fix duplicate systemd rules on reload services

Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
2020-09-02 19:22:43 +01:00
Frederik Rietdijk
6ab387699a python3Packages.credstash: fix build 2020-08-31 17:18:27 +02:00
Daniël de Kok
365cf6444f
Merge pull request #96716 from r-ryantm/auto-update/shotwell
shotwell: 0.31.1 -> 0.31.2
2020-08-31 17:13:29 +02:00
R. RyanTM
8778d362bc owncloud-client: 2.5.4.11654 -> 2.6.3.14058 2020-08-31 17:11:38 +02:00
R. RyanTM
889e72b852 cloudflared: 2020.5.1 -> 2020.6.1 2020-08-31 17:11:19 +02:00
R. RyanTM
6c47cb6797 swig4: 4.0.1 -> 4.0.2 2020-08-31 17:10:48 +02:00
R. RyanTM
2fd3e018e4 hsqldb: 2.5.0 -> 2.5.1 2020-08-31 17:10:23 +02:00
R. RyanTM
23e7cb92d0 seafile-shared: 7.0.7 -> 7.0.8 2020-08-31 17:10:05 +02:00
R. RyanTM
c5a2f3a514 qastools: 0.22.0 -> 0.23.0 2020-08-31 17:09:48 +02:00
R. RyanTM
43114a1751 wxmaxima: 20.04.0 -> 20.06.6 2020-08-31 17:09:33 +02:00
Daniël de Kok
d7cfc33fb8
Merge pull request #96739 from r-ryantm/auto-update/vultr
vultr: 2.0.1 -> 2.0.2
2020-08-31 17:08:07 +02:00
R. RyanTM
73cff3d2c2 R: 4.0.0 -> 4.0.2 2020-08-31 16:57:06 +02:00
R. RyanTM
714297d519 reiser4progs: 2.0.0 -> 2.0.1 2020-08-31 16:56:28 +02:00
R. RyanTM
45782da7af synthv1: 0.9.14 -> 0.9.15 2020-08-31 16:56:10 +02:00
R. RyanTM
1889287e2c rdkafka: 1.4.2 -> 1.4.4 2020-08-31 16:55:50 +02:00
R. RyanTM
d5bcf3c985 vcstool: 0.2.7 -> 0.2.9 2020-08-31 16:55:31 +02:00
R. RyanTM
06517f3d10 lombok: 1.18.10 -> 1.18.12 2020-08-31 16:55:08 +02:00
R. RyanTM
18146948e0 tixati: 2.73 -> 2.74 2020-08-31 16:54:46 +02:00
R. RyanTM
c2dd047bfb fldigi: 4.1.13 -> 4.1.14 2020-08-31 16:54:20 +02:00
R. RyanTM
049aeb738b libaacs: 0.10.0 -> 0.11.0 2020-08-31 16:54:01 +02:00
R. RyanTM
604ba08483 fmit: 1.2.13 -> 1.2.14 2020-08-31 16:53:37 +02:00
R. RyanTM
1f79f65521 vassal: 3.2.17 -> 3.3.2 2020-08-31 16:53:23 +02:00
R. RyanTM
2102dedc0d ckbcomp: 1.195 -> 1.196 2020-08-31 16:52:57 +02:00
R. RyanTM
6efcb72ac1 aspellDicts.pt_BR: 20090702-0 -> 20131030-12-0 2020-08-31 16:52:36 +02:00
R. RyanTM
78b3da115b aspellDicts.pt_PT: 20070510-0 -> 20190329-1-0 2020-08-31 16:52:18 +02:00
R. RyanTM
293d913f27 ethash: 0.4.4 -> 0.5.2 2020-08-31 16:51:51 +02:00
R. RyanTM
47dec21cac qsynth: 0.6.2 -> 0.6.3 2020-08-31 16:51:31 +02:00
Frederik Rietdijk
90e5341240
Merge pull request #94598 from kampka/kops
kops_1_18: init at 1.18.0
2020-08-31 16:50:46 +02:00
Ryan Mulligan
3f49732ca9
Merge pull request #96757 from r-ryantm/auto-update/yubikey-manager-qt
yubikey-manager-qt: 1.1.4 -> 1.1.5
2020-08-31 07:33:46 -07:00
Vladimír Čunát
0e58393738
luajit*: update to address CVE-2020-24372
/cc roundup issues: #96821, #96828.

The diff upstream is fairly small, so let me trust Mike Pall on this.
Both versions get a pair of commits that seem to address the CVE
https://github.com/LuaJIT/LuaJIT/issues/603
and 2.1 additionally gets one other small commit.
2020-08-31 16:31:12 +02:00
Michele Guerini Rocco
9379f9350d
Merge pull request #96661 from matthiasbeyer/update-mutt
mutt: 1.14.6 -> 1.14.7
2020-08-31 16:20:28 +02:00
Silvan Mosberger
911497988f
Merge pull request #95536 from Infinisil/inputDerivation
mkDerivation: Introduce .inputDerivation for shell.nix build convenience
2020-08-31 15:46:41 +02:00
Ryan Mulligan
db79e3ee10
Merge pull request #96583 from r-ryantm/auto-update/renoise
renoise: 3.2.1 -> 3.2.2
2020-08-31 06:22:41 -07:00
Ryan Mulligan
2e33d0a264
Merge pull request #96203 from r-ryantm/auto-update/visualvm
visualvm: 2.0.3 -> 2.0.4
2020-08-31 06:19:03 -07:00
Tim Steinbach
416987cfff
oh-my-zsh: Fix update script 2020-08-31 09:15:47 -04:00
Tim Steinbach
f076cd769d
Merge pull request #96532 from flokli/ohmyzsh-cleanups
oh-my-zsh: cleanups, don't require perl in pygmalion theme anymore
2020-08-31 09:10:44 -04:00
Maximilian Bosch
873a77680a
Merge pull request #96700 from stigtsp/fix/packer-1.6.2-hash-mismatch
packer: fix hash mismatch
2020-08-31 15:10:13 +02:00
Tim Steinbach
c23a404cb6
Remove fetchpatch 2020-08-31 09:08:49 -04:00
Peter Hoeg
d761d68cd3
Merge pull request #96645 from NixOS/u/puddletag
puddletag: 1.2.0 -> 2.0.1
2020-08-31 21:07:56 +08:00
Tim Steinbach
63a726d847
Merge branch 'master' into ohmyzsh-cleanups 2020-08-31 08:57:43 -04:00
Tim Steinbach
1b0186928d
oh-my-zsh: 2020-08-24 -> 2020-08-28 2020-08-31 08:30:45 -04:00
Tim Steinbach
5fa49dc8b0
linux/hardened/patches/5.7: 5.7.17.a -> 5.7.19.a 2020-08-31 08:29:07 -04:00
Tim Steinbach
69274cf2d0
linux/hardened/patches/5.4: 5.4.60.a -> 5.4.61.a 2020-08-31 08:29:05 -04:00
Tim Steinbach
3b39d531ad
linux/hardened/patches/4.19: 4.19.141.a -> 4.19.142.a 2020-08-31 08:29:03 -04:00
Tim Steinbach
5ef4bad431
linux/hardened/patches/4.14: 4.14.194.a -> 4.14.195.a 2020-08-31 08:29:01 -04:00
Tim Steinbach
019338373a
linux: 5.8.4 -> 5.8.5 2020-08-31 08:28:41 -04:00
Tim Steinbach
4684bb9311
linux: 5.7.18 -> 5.7.19 2020-08-31 08:28:23 -04:00
sternenseemann
b6ea4f4065 ocamlPackages.mirage-stack: 2.0.1 → 2.1.0 2020-08-31 14:08:13 +02:00