982c5a1f0e
- Use an acme user and group, allow group override only - Use hashes to determine when certs actually need to regenerate - Avoid running lego more than necessary - Harden permissions - Support "systemctl clean" for cert regeneration - Support reuse of keys between some configuration changes - Permissions fix services solves for previously root owned certs - Add a note about multiple account creation and emails - Migrate extraDomains to a list - Deprecate user option - Use minica for self-signed certs - Rewrite all tests I thought of a few more cases where things may go wrong, and added tests to cover them. In particular, the web server reload services were depending on the target - which stays alive, meaning that the renewal timer wouldn't be triggering a reload and old certs would stay on the web servers. I encountered some problems ensuring that the reload took place without accidently triggering it as part of the test. The sync commands I added ended up being essential and I'm not sure why, it seems like either node.succeed ends too early or there's an oddity of the vm's filesystem I'm not aware of. - Fix duplicate systemd rules on reload services Since useACMEHost is not unique to every vhost, if one cert was reused many times it would create duplicate entries in ${server}-config-reload.service for wants, before and ConditionPathExists |
||
---|---|---|
.. | ||
wrappers | ||
acme.nix | ||
acme.xml | ||
apparmor-suid.nix | ||
apparmor.nix | ||
audit.nix | ||
auditd.nix | ||
ca.nix | ||
chromium-suid-sandbox.nix | ||
dhparams.nix | ||
doas.nix | ||
duosec.nix | ||
google_oslogin.nix | ||
hidepid.nix | ||
hidepid.xml | ||
lock-kernel-modules.nix | ||
misc.nix | ||
oath.nix | ||
pam.nix | ||
pam_mount.nix | ||
pam_usb.nix | ||
polkit.nix | ||
rngd.nix | ||
rtkit.nix | ||
sudo.nix | ||
systemd-confinement.nix | ||
tpm2.nix |