Commit Graph

512 Commits

Author SHA1 Message Date
Lucas Savva
47da7aafdf
nixos/acme: update documentation 2020-04-29 20:31:17 +01:00
Dominik Xaver Hörl
c10d82358f treewide: add types to boolean / enable options or make use of mkEnableOption 2020-04-27 09:32:01 +02:00
worldofpeace
996ae856b6
Merge pull request #85365 from immae/fix_acme_postrun
nixos/acme: Fix postRun in acme certificate being ran at every run
2020-04-18 13:16:16 -04:00
Ismaël Bouya
8e88b8dce2
nixos/acme: Fix postRun in acme certificate being ran at every run 2020-04-17 22:16:50 +02:00
Arian van Putten
5c1c642939 Revert "nixos/acme: Fix allowKeysForGroup not applying immediately"
This reverts commit 5532065d06.

As far as I can tell setting RemainAfterExit=true here completely breaks
certificate renewal, which is really bad!

the sytemd timer will activate the service unit every OnCalendar=,
however with RemainAfterExit=true the service is already active! So the
timer doesn't rerun the service!

The commit also broke the actual tests, (As it broke activation too)
but this was fixed later in https://github.com/NixOS/nixpkgs/pull/76052
I wrongly assumed that PR fixed renewal too, which it didn't!

testing renewals is hard, as we need to sleep in tests.
2020-04-16 10:37:04 +02:00
Lucas Savva
827d5e6b44
acme: share accounts between certificates
There are strict rate limits on account creation for Let's Encrypt
certificates. It is important to reuse credentails when possible.
2020-04-14 00:15:16 +01:00
Jörg Thalheim
d7ff6ab94a
acme: create certificates in subdirectory
This allows to have multiple certificates with the same common name.
Lego uses in its internal directory the common name to name the certificate.

fixes #84409
2020-04-09 08:26:07 +01:00
Maximilian Bosch
1a5289f803
nixos/acme: don't depend on multi-user.target inside a container
On boot, a container doesn't have an uplink and would run into a timeout
while waiting for cert renewal[1].

[1] https://github.com/NixOS/nixpkgs/pull/81371#issuecomment-605526099
2020-03-29 19:59:52 +02:00
Aaron Andersen
6f0c1cdbd9 nixos/duosec: rename ikey option to integrationKey 2020-03-22 20:25:11 -04:00
Aaron Andersen
b9dca769f1 nixos/duosec: replace insecure skey option with secure secretKeyFile option 2020-03-22 20:23:55 -04:00
Aaron Andersen
4f9cea70bd nixos/duosec: fix indentation 2020-03-21 10:34:12 -04:00
Silvan Mosberger
7c3f3e9c51
Merge pull request #72029 from lschuermann/tpm2-module
nixos/tpm2: init
2020-03-15 15:47:06 +01:00
Leon Schuermann
156b879c2e nixos/tpm2: init
This commit adds udev rules, the userspace resource manager and
PKCS#11 module support.
2020-03-15 12:16:32 +01:00
Aaron Andersen
dbe59eca84 nixos/sshd: add authorizedKeysCommand and authorizedKeysCommandUser options 2020-03-12 21:00:12 -04:00
Silvan Mosberger
4f69262c19
Merge pull request #81369 from mweinelt/pr/acme-chmod
nixos/acme: apply chmod and ownership unconditionally
2020-03-07 03:24:46 +01:00
Yegor Timoshenko
c32da2ed9c nixos/acme: force symlink from fullchain.pem to cert.pem
Co-authored-by: emily <vcs@emily.moe>
2020-03-04 12:52:12 +03:00
Yegor Timoshenko
c16f2218da
Merge pull request #80900 from emilazy/acme-must-staple
nixos/acme: Must-Staple and extra flags
2020-03-03 03:57:40 +03:00
Yegor Timoshenko
31aefc74c5
Merge pull request #80856 from emilazy/adjust-acme
nixos/acme: adjust renewal timer options
2020-03-03 03:49:33 +03:00
Yegor Timoshenko
98cbc40570
Merge pull request #81371 from mweinelt/pr/acme-autostart
nixos/acme: renew after rebuild and on boot
2020-03-01 15:46:31 +03:00
worldofpeace
e906014d4b
Merge pull request #80920 from worldofpeace/rngd-cleanup-shutdown
nixos/rngd: fix clean shutdown
2020-03-01 11:44:22 +00:00
Martin Weinelt
3575555fa8
nixos/acme: apply chmod and ownership unconditionally
Also separate directory and file permissions so the certificate files
don't end up with the executable bit.

Fixes #81335
2020-02-29 20:17:14 +01:00
Emily
ffb7b984b2 nixos/acme: add extraLegoRenewFlags option 2020-02-29 16:44:04 +00:00
Emily
b522aeda5a nixos/acme: add ocspMustStaple option 2020-02-29 16:44:04 +00:00
Emily
7b14bbd734 nixos/acme: adjust renewal timer options
The current weekly setting causes every NixOS server to try to renew
its certificate at midnight on the dot on Monday. This contributes to
the general problem of periodic load spikes for Let's Encrypt; NixOS
is probably not a major contributor to that problem, but we can lead by
example by picking good defaults here.

The values here were chosen after consulting with @yuriks, an SRE at
Let's Encrypt:

* Randomize the time certificates are renewed within a 24 hour period.

* Check for renewal every 24 hours, to ensure the certificate is always
  renewed before an expiry notice is sent out.

* Increase the AccuracySec (thus lowering the accuracy(!)), so that
  systemd can coalesce the renewal with other timers being run.

  (You might be worried that this would defeat the purpose of the time
  skewing, but systemd is documented as avoiding this by picking a
  random time.)
2020-02-29 14:03:36 +00:00
Martin Weinelt
5ff9441471
nixos/acme: renew after rebuild and on boot
Fixes #81069
2020-02-29 14:40:34 +01:00
worldofpeace
fa76150235 nixos/rngd: fix clean shutdown
It seems disabling DefaultDependencies
removes these implicit dependencies [0] that
we needed for shutdown to happen cleanly.

Fixes #80871

[0]: https://www.freedesktop.org/software/systemd/man/systemd.service.html#Default%20Dependencies
2020-02-23 18:53:52 -05:00
Emily
8ecbd97f82 nixos/acme: move the crt to fullchain.pem
lego already bundles the chain with the certificate,[1] so the current
code, designed for simp_le, was resulting in duplicate certificate
chains, manifesting as "Chain issues: Incorrect order, Extra certs" on
the Qualys SSL Server Test.

cert.pem stays around as a symlink for backwards compatibility.

[1] 5cdc0002e9/acme/api/certificate.go (L40-L44)
2020-02-23 04:10:34 +00:00
Michele Guerini Rocco
48704fbd4f
Merge pull request #71302 from tokudan/encrypted-swap-entropy-fix
rngd: Start early during boot and encrypted swap entropy fix
2020-02-12 01:28:03 +01:00
Florian Klink
4e0fea3fe2 Merge pull request #77578 from m1cr0man/master
Replace simp-le with lego and support DNS-01 challenge
2020-02-10 11:47:30 +01:00
Silvan Mosberger
cb1f1b4260
nixos/sudo: Fix extraRules example rendering 2020-02-10 01:37:07 +01:00
Lucas Savva
75fa8027eb
nixos/acme: Update release note, remove redundant requires
Merge remote-tracking branch 'remotes/upstream/master'
2020-02-09 16:31:07 +00:00
Lucas Savva
636eb23157
nixos/acme: Fix b.example.com test 2020-02-09 11:34:17 +00:00
Lucas Savva
ac983cff48
nixos/acme: add dns-01 test, fix cert locating bug 2020-02-09 02:09:34 +00:00
Daniel Frank
d14ba1e1ad
security.rngd: start rngd during early boot to reduce entropy starvation due to encrypted swap and remove PrivateTmp to avoid a circular dependency 2020-02-08 12:29:13 +01:00
Lucas Savva
2181313c54
nixos/acme: simplify email resolve logic 2020-02-03 21:37:22 +00:00
Aaron Andersen
28c815e34b nixos/duosec: fix configuration issue with "groups" option 2020-01-30 14:16:17 -05:00
Lucas Savva
769fbf9254 nixos/acme: fix some descriptions, default acceptTerms to false 2020-01-19 18:24:04 +00:00
Lucas Savva
61665e3363 nixos/acme: ignore tmpfiles rules for null webroots 2020-01-15 09:17:11 +00:00
Lucas Savva
9467f2ba2c nixos/acme: Add logic to select right email address 2020-01-12 21:52:28 +00:00
Lucas Savva
1e3607d331 nixos/acme: replace simp-le with lego client
Lego allows users to use the DNS-01 challenge to validate their
certificates. It is mostly backwards compatible, with a few
caveats.

 - extraDomains can no longer have different webroots to the
   main webroot for the cert.
 - An email address is now mandatory for account creation

The following other changes were required:
 - Deprecate security.acme.certs.<name>.plugins, as this was
   specific to simp-le
 - Rename security.acme.validMin to validMinDays, to avoid
   confusion and errors. Lego requires the TTL to be specified in
   days
 - Add options to cover DNS challenge (dnsProvider,
   credentialsFile, dnsPropagationCheck)
 - A shared state directory is now used (/var/lib/acme/.lego)
   to avoid account creation rate limits and share credentials
   between certs
2020-01-12 21:28:53 +00:00
Jörg Thalheim
ff5ddd04f3
nixos/pam: cleanup services (#76885)
nixos/pam: cleanup services
2020-01-09 10:09:13 +00:00
rnhmjoj
1d61efb7f1 treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
Jörg Thalheim
9458ec4115
pam: remove unused ftp service
vsftpd is the only ftp server module and defines its own pam service.
2020-01-03 15:24:36 +00:00
Jörg Thalheim
2591fc7ede
pam: remove cups service
The cups module itself already defines this.
2020-01-03 15:24:34 +00:00
Jörg Thalheim
900aaa5a98
screen: move pam service to module 2020-01-03 15:24:32 +00:00
Ben Price
83972b80b4 nixos/acme: implement postRun using ExecStartPost
In 5532065d06, acme was changed to be
RemainAfterExit=true, but `postRun` commands are implemented as
`ExecStopPost`. Systemd now considers the service to be still running
after simp_le is finished, so won't run these commands (e.g. to reload
certificates in a webserver). Change `postRun` to use `ExecStartPost` to
ensure the commands are run in a timely manner.
2019-12-19 17:39:59 +00:00
worldofpeace
50295a1201
Merge pull request #75343 from worldofpeace/polkit-no-root-admin
nixos/polkit: remove root from adminIdentities
2019-12-10 20:24:23 -05:00
Silvan Mosberger
4ee3e8b21d
nixos/treewide: Move rename.nix imports to their respective modules
A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the
central file
- Merge conflicts due to multiple people editing the central file
2019-12-10 02:51:19 +01:00
worldofpeace
efc1c027ad nixos/polkit: remove root from adminIdentities
Fixes https://github.com/NixOS/nixpkgs/issues/75075.

To summarize the report in the aforementioned issue, at a glance,
it's a different default than what upstream polkit has. Apparently
for 8+ years polkit defaults admin identities as members of
the wheel group [0]. This assumption would be appropriate on NixOS, where
every member of group 'wheel' is necessarily privileged.

[0]: 763faf434b
2019-12-09 19:11:09 -05:00
Silvan Mosberger
c482b65abe
nixos/acme: Fix allowKeysForGroup not applying immediately (#72056)
nixos/acme: Fix allowKeysForGroup not applying immediately
2019-11-13 23:51:34 +01:00