BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
nixpkgs-suyu/nixos/modules/security
History
Emily 7b14bbd734 nixos/acme: adjust renewal timer options 
The current weekly setting causes every NixOS server to try to renew
its certificate at midnight on the dot on Monday. This contributes to
the general problem of periodic load spikes for Let's Encrypt; NixOS
is probably not a major contributor to that problem, but we can lead by
example by picking good defaults here.

The values here were chosen after consulting with @yuriks, an SRE at
Let's Encrypt:

* Randomize the time certificates are renewed within a 24 hour period.

* Check for renewal every 24 hours, to ensure the certificate is always
  renewed before an expiry notice is sent out.

* Increase the AccuracySec (thus lowering the accuracy(!)), so that
  systemd can coalesce the renewal with other timers being run.

  (You might be worried that this would defeat the purpose of the time
  skewing, but systemd is documented as avoiding this by picking a
  random time.)
2020-02-29 14:03:36 +00:00
..
wrappers nixos/treewide: Move rename.nix imports to their respective modules 2019-12-10 02:51:19 +01:00
acme.nix nixos/acme: adjust renewal timer options 2020-02-29 14:03:36 +00:00
acme.xml nixos/acme: fix some descriptions, default acceptTerms to false 2020-01-19 18:24:04 +00:00
apparmor-suid.nix nixos/treewide: Move rename.nix imports to their respective modules 2019-12-10 02:51:19 +01:00
apparmor.nix nixos/apparmor: ensure that apparmor is selected at boot 2019-05-11 18:21:38 +02:00
audit.nix
auditd.nix auditd service: make more useful 2019-06-10 18:55:11 +03:00
ca.nix nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
chromium-suid-sandbox.nix nixos/treewide: Move rename.nix imports to their respective modules 2019-12-10 02:51:19 +01:00
dhparams.nix
duosec.nix nixos/duosec: fix configuration issue with "groups" option 2020-01-30 14:16:17 -05:00
google_oslogin.nix config.security.googleOsLogin: add module 2018-12-21 17:52:37 +01:00
hidepid.nix
hidepid.xml Revert "nixos/doc: re-format" 2019-09-19 19:17:30 +02:00
lock-kernel-modules.nix
misc.nix nixos/hardened: make pti=on overridable 2019-07-30 02:24:56 +02:00
oath.nix
pam.nix nixos/pam: cleanup services (#76885) 2020-01-09 10:09:13 +00:00
pam_mount.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
pam_usb.nix
polkit.nix nixos/polkit: remove root from adminIdentities 2019-12-09 19:11:09 -05:00
prey.nix treewide: remove redundant quotes 2019-08-26 21:40:19 +00:00
rngd.nix security.rngd: start rngd during early boot to reduce entropy starvation due to encrypted swap and remove PrivateTmp to avoid a circular dependency 2020-02-08 12:29:13 +01:00
rtkit.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
sudo.nix nixos/sudo: Fix extraRules example rendering 2020-02-10 01:37:07 +01:00
systemd-confinement.nix nixos/confinement: Use PrivateMounts option 2019-03-27 20:34:32 +01:00