Commit Graph

32 Commits

Author SHA1 Message Date
Nikolay Amiantov
4fc0b4edca acme service: generate a CA for self-signed certificate
This is needed because simp_le expects two certificates in fullchain.pem, leading to error:

> Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1.

We now create a CA and sign the key with it instead, providing correct fullchain.pem.

Also cleanup service a bit -- use PATH and a private temporary directory (which
is more suitable).
2018-04-17 12:53:29 +03:00
Wout Mertens
527e97f333
acme module: update for simp_le v0.8
Hopefully fixes #37689
2018-03-24 17:43:32 +01:00
Robert Schütz
b5ecdfa977 nixos/acme: Fix xml (#34683) 2018-02-06 23:27:28 +00:00
Joachim Schiele
edeacd00ad security.acme: default name value via module system (#34388) 2018-02-06 21:08:57 +00:00
zimbatm
1276a3b12a
nixos/acme: configurable TOS hash (#33522)
This hash tends to change and upstream simp_le doesn't seem to keep up
with the changes.
2018-01-11 14:19:15 +00:00
Pierre-Etienne Meunier
538acd9060 ACME module: add server option (#31122) 2017-11-02 11:10:47 +01:00
Bjørn Forsman
6a55fda61e nixos/acme: improve documentation
* Use literalExample for better readability
* Clarify a bit wrt. 'webroot' and 'allowKeysForGroup'
2017-06-09 19:35:17 +02:00
Bjørn Forsman
7a0e958b97 nixos/acme: support "full.pem" (for lighttpd)
* Create "full.pem" from selfsigned certificate
* Tell simp_le to create "full.pem"
* Inject service dependency between lighttpd and the generation of certificates

Side note: According to the internet these servers also use the
"full.pem" format: pound, ejabberd, pure-ftpd.
2017-06-09 19:35:17 +02:00
lassulus
fd7a8f1b91 nixos/security/acme: fix acme folder permissions 2017-05-11 18:49:26 +02:00
edanaher
e3559c23c2 acme: Add "domain" option to separate domain from name
Fixes #24731.
2017-04-11 18:28:05 +02:00
Niklas Hambüchen
ee0f3e7ad9 acme: Use chown -R for challenges directory. Fixes #24529.
Commit 75f131da02 added
`chown 'nginx:nginx' '/var/lib/acme'` to the pre-start script,
but since it doesn't use `chown -R`, it is possible that there
are older existing subdirs (like `acme-challenge`)
that are owned to `root` from before that commit went it.
2017-04-01 15:22:01 +02:00
Franz Pletz
fb50cde71e
nixos/treewide: systemd.time is in manvolume 7
cc #23396
2017-03-21 08:28:53 +01:00
Joachim F
6dbe55ca68 Merge pull request #20456 from ericsagnes/feat/loaf-dep-1
Use attrsOf in place of loaOf when relevant
2017-02-19 15:49:25 +01:00
Franz Pletz
516760a6fb
nixos/acme: add random delay to timer
This way we behave like good citizens and won't overload Let's Encrypt
with lots of cert renewal requests at the same time.
2017-01-25 19:15:04 +01:00
Domen Kožar
75f131da02 acme: ensure nginx challenges directory is writeable 2016-11-29 15:56:01 +01:00
Eric Sagnes
e5b7975fe3 acme module: certs option loaOf -> attrsOf 2016-11-16 16:28:27 +09:00
Ricardo M. Correia
1623476904 nixos.acme: make timer persistent
This makes sure that if the system was powered off when the timer was
supposed to trigger, it will run the next time the system boots up.
2016-10-03 19:31:42 +02:00
Eric Sagnes
3acf336f15 acme module: optionSet -> submodule 2016-09-13 12:53:09 +09:00
Alexander Ried
7f98dca782 security.acme: the client really needs networking
Actually this can be improved since the client only needs network
connectivity if it needs to renew the certificate.
2016-09-06 17:47:00 +02:00
Eric Sagnes
4cdfeb78f9 modules: move meta at top level 2016-08-11 00:29:48 +09:00
zimbatm
28fa4a2f03 Escape all shell arguments uniformly 2016-06-12 18:11:37 +01:00
Bob van der Linden
4e6697dcb6 acme: added option security.acme.preliminarySelfsigned (#15562) 2016-06-01 11:39:46 +01:00
Eelco Dolstra
0c5e837b66 acme.nix: Fix unit descriptions
Unit descriptions should be capitalized, and timer units don't have
to describe that they're timers.
2016-04-18 14:20:49 +02:00
tg(x)
629a89343e simp_le: external_pem.sh plugin is now called external.sh 2016-02-26 01:31:58 +01:00
Nikolay Amiantov
c420a6f1ef acme service: update plugins enum 2016-02-10 02:06:01 +03:00
Domen Kožar
7fe7138968 nixos: fix acme service @abbradar 2016-01-12 11:50:34 +01:00
Nikolay Amiantov
f92cec4c1b nixos/acme: add allowKeysForGroup 2016-01-10 07:28:19 +03:00
Nikolay Amiantov
5250582396 nixos/acme: fix timer unit 2015-12-13 17:01:59 +03:00
Franz Pletz
1685b9d06e nixos/acme: Add module documentation 2015-12-12 16:06:53 +01:00
Franz Pletz
9374ddb895 nixos/acme: validMin & renewInterval aren't cert-specific 2015-12-12 16:06:53 +01:00
Franz Pletz
0517d59a66 nixos/acme: Improve documentation 2015-12-12 16:06:52 +01:00
Franz Pletz
de24b00d41 nixos/simp_le: Rename to security.acme 2015-12-12 16:06:52 +01:00