Commit Graph

13 Commits

Author SHA1 Message Date
Eelco Dolstra
b0ccd6dd16
Revert "nixos/doc: re-format"
This reverts commit ea6e8775bd. The new
format is not an improvement.
2019-09-19 19:17:30 +02:00
Jan Tojnar
ea6e8775bd
nixos/doc: re-format 2019-09-18 22:13:35 +02:00
Arian van Putten
604b7c139f Fix letsencrypt (#60219)
* nixos/acme: Fix ordering of cert requests

When subsequent certificates would be added, they would
not wake up nginx correctly due to target units only being triggered
once. We now added more fine-grained systemd dependencies to make sure
nginx always is aware of new certificates and doesn't restart too early
resulting in a crash.

Furthermore, the acme module has been refactored. Mostly to get
rid of the deprecated PermissionStartOnly systemd options which were
deprecated. Below is a summary of changes made.

* Use SERVICE_RESULT to determine status
This was added in systemd v232. we don't have to keep track
of the EXITCODE ourselves anymore.

* Add regression test for requesting mutliple domains

* Deprecate 'directory' option
We now use systemd's StateDirectory option to manage
create and permissions of the acme state directory.

* The webroot is created using a systemd.tmpfiles.rules rule
instead of the preStart script.

* Depend on certs directly

By getting rid of the target units, we make sure ordering
is correct in the case that you add new certs after already
having deployed some.

Reason it broke before:  acme-certificates.target would
be in active state, and if you then add a new cert, it
would still be active and hence nginx would restart
without even requesting a new cert. Not good!  We
make the dependencies more fine-grained now. this should fix that

* Remove activationDelay option

It complicated the code a lot, and is rather arbitrary. What if
your activation script takes more than activationDelay seconds?

Instead, one should use systemd dependencies to make sure some
action happens before setting the certificate live.

e.g. If you want to wait until your cert is published in DNS DANE /
TLSA, you could create a unit that blocks until it appears in DNS:

```
RequiredBy=acme-${cert}.service
After=acme-${cert}.service
ExecStart=publish-wait-for-dns-script
```
2019-08-29 16:32:59 +02:00
Graham Christensen
8413f22bb3
docs: format 2018-09-29 20:51:11 -04:00
Graham Christensen
34d2ec7c09
nixos docs: give IDs to things 2018-09-01 16:20:49 -04:00
Reuben D'Netto
42a84598fb Added cross-references to NixOS manual 2018-04-12 09:39:14 +10:00
Chris Martin
0581038e8e nixos/acme: remove doc note about restarting nginx
Discussion from #30945 indicates that it is no longer true that you have
to restart nginx.
2017-10-30 13:51:35 -04:00
teh
a878365b77 nixos docs: update for Nginx + ACME (#21320)
Closes #20698.
2017-01-09 06:39:10 +01:00
Domen Kožar
75f131da02 acme: ensure nginx challenges directory is writeable 2016-11-29 15:56:01 +01:00
Domen Kožar
41c490b75e acme: we do want to support ipv4 afterall 2016-10-21 13:25:11 +02:00
Domen Kožar
d8f21b3ca3 acme: provide full nginx example
(cherry picked from commit 2af7382f76a6523f1220637b3ec49ad25a02b040)
Signed-off-by: Domen Kožar <domen@dev.si>
2016-10-21 13:19:04 +02:00
Bob van der Linden
4e6697dcb6 acme: added option security.acme.preliminarySelfsigned (#15562) 2016-06-01 11:39:46 +01:00
Franz Pletz
1685b9d06e nixos/acme: Add module documentation 2015-12-12 16:06:53 +01:00