base repository: NixOS/nixpkgs
base: 12c9003b0208
head repository: NixOS/nixpkgs
compare: c98a006c7eea
  • 14 commits
  • 19 files changed
  • 10 contributors

Commits on Oct 20, 2019

  1. boulder: init at release-2019-10-13

    adisbladis authored and flokli committed Oct 20, 2019

    Verified signature (the signing key has since expired)
    77a4c15
  2. simp_le: 0.9.0 -> 0.16.0

    picnoir authored and flokli committed Oct 20, 2019
    071d181

Commits on Oct 23, 2019

  1. pebble: init at 2.2.2

    picnoir committed Oct 23, 2019
    6ac0e34
  2. certbot: 0.31.0 -> 0.39.0

    Updating:
    
    - nixos module to use the new `account_reg.json` file.
    - use nixpkgs pebble for integration tests.
    
    Co-authored-by: Florian Klink <flokli@flokli.de>
    
    Replace certbot-embedded pebble
    picnoir committed Oct 23, 2019
    38e8415
  3. nixos/tests/letsencrypt: use Pebble instead of Boulder

    Let's encrypt bumped ACME to V2. We need to update our nixos test to
    be compatible with this new protocol version.
    
    We decided to drop the Boulder ACME server in favor of the more
    integration test friendly Pebble.
    
    - overriding cacert not necessary
    - this avoids rebuilding lots of packages needlessly
    - nixos/tests/acme: use pebble's ca for client tests
    - pebble always generates its own ca which has to be fetched
    
    TODO: write proper commit msg :)
    picnoir authored and flokli committed Oct 23, 2019
    0c0af28
  4. handbrake: fix missing audio

    We build HandBrake with a newer ffmpeg than upstream expects,
    triggering a problem where the audio samplerate defaults to zero
    because HandBrake was not explicitly setting it.
    
    This has been fixed in HandBrake upstream, but we must cherry pick
    this change in order to produce videos with audio until HandBrake
    1.3.0 is released.
    acowley committed Oct 23, 2019
    d51e366

Commits on Oct 24, 2019

  1. arion: init at 0.1.0.0

    roberth committed Oct 24, 2019
    d3913c8
  2. mkvtoolnix: 37.0.0 -> 38.0.0 (#71696)

    Semi-automatic update generated by
    https://github.com/ryantm/nixpkgs-update tools. This update was made
    based on information from
    https://repology.org/metapackage/mkvtoolnix/versions
    r-ryantm authored and c0bw3b committed Oct 24, 2019
    a5c6103
  3. 8f3297f
  4. d87b8ec
  5. micronaut: 1.2.3 -> 1.2.5 (#71697)

    * micronaut: 1.2.3 -> 1.2.5
    
    Semi-automatic update generated by
    https://github.com/ryantm/nixpkgs-update tools. This update was made
    based on information from
    https://repology.org/metapackage/micronaut/versions
    
    * micronaut: keep description short
    
    and run pre+post hooks when overriding install phase
    r-ryantm authored and c0bw3b committed Oct 24, 2019
    f9b717e
  6. Merge pull request #71291 from NinjaTrappeur/nin-update-acme

    simp_le: 0.9.0 -> 0.16.0
    flokli authored Oct 24, 2019
    dc84a7d
  7. Merge pull request #71092 from roberth/arion-init

    arion: init at 0.1.0.0
    roberth authored Oct 24, 2019
    becfba9
  8. Merge pull request #71851 from acowley/handbrake-samplerate

    handbrake: fix missing audio
    wmertens authored Oct 24, 2019
    c98a006
9 changes: 7 additions & 2 deletions nixos/modules/security/acme.nix
@@ -69,9 +69,9 @@ let
plugins = mkOption {
type = types.listOf (types.enum [
"cert.der" "cert.pem" "chain.pem" "external.sh"
"fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json"
"fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" "account_reg.json"
]);
default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json" ];
description = ''
Plugins to enable. With default settings simp_le will
store public certificate bundle in <filename>fullchain.pem</filename>,
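Review bot: the option description that follows ("Plugins to enable. With default settings simp_le will store public certificate bundle in fullchain.pem, ...") is not updated for the new default `account_reg.json`, so the documented default no longer matches the list actually set in `default`. Extend the description to say that simp_le also writes the ACME account registration to `account_reg.json`, so that users reading the option know to expect (and back up) one more file in the certificate directory after the next renewal.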
@@ -203,6 +203,11 @@ in
description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ];
# simp_le uses requests, which uses certifi under the hood,
# which doesn't respect the system trust store.
# At least in the acme test, we provision a fake CA, impersonating the LE endpoint.
# REQUESTS_CA_BUNDLE is a way to teach python requests to use something else
environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
serviceConfig = {
Type = "oneshot";
SuccessExitStatus = [ "0" "1" ];
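Review bot: `environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";` hard-codes a path into the production renewal service to satisfy the test setup the comment describes. It is harmless when that file is the bundle generated by security.pki, but the comment should state the resulting behaviour plainly: the service now verifies the ACME endpoint against exactly that bundle (so any CA added through security.pki is trusted, and a missing or empty bundle makes every ACME request fail TLS verification). Consider also trimming the comment to one line about why certifi needs the override rather than referring to "at least in the acme test".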
18 changes: 13 additions & 5 deletions nixos/tests/acme.nix
@@ -80,7 +80,7 @@ in import ./make-test.nix {
client = commonConfig;
};

testScript = {nodes, ...}:
testScript = {nodes, ...}:
let
newServerSystem = nodes.webserver2.config.system.build.toplevel;
switchToNewServer = "${newServerSystem}/bin/switch-to-configuration test";
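Review bot: the `testScript = {nodes, ...}:` line is removed and re-added with identical visible content, so this hunk is a whitespace-only change (most likely a trailing space). Fine to keep, but it is unrelated to the Boulder-to-Pebble switch and would be easier to review in a separate cleanup commit.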
@@ -91,25 +91,33 @@ in import ./make-test.nix {
# get pulled in by the oneshot units. The target units linger after activation, and hence we
# can use them to probe that a oneshot fired. It is a bit ugly, but it is the best we can do
''
$client->waitForUnit("default.target");
$client->start;
$letsencrypt->start;
$acmeStandalone->start;
$letsencrypt->waitForUnit("default.target");
$letsencrypt->waitForUnit("boulder.service");
$letsencrypt->waitForUnit("pebble.service");
subtest "can request certificate with HTTPS-01 challenge", sub {
$acmeStandalone->waitForUnit("default.target");
$acmeStandalone->succeed("systemctl start acme-standalone.com.service");
$acmeStandalone->waitForUnit("acme-finished-standalone.com.target");
};
$client->waitForUnit("default.target");
$client->succeed('curl https://acme-v02.api.letsencrypt.org:15000/roots/0 > /tmp/ca.crt');
$client->succeed('curl https://acme-v02.api.letsencrypt.org:15000/intermediate-keys/0 >> /tmp/ca.crt');
subtest "Can request certificate for nginx service", sub {
$webserver->waitForUnit("acme-finished-a.example.com.target");
$client->succeed('curl https://a.example.com/ | grep -qF "hello world"');
$client->succeed('curl --cacert /tmp/ca.crt https://a.example.com/ | grep -qF "hello world"');
};
subtest "Can add another certificate for nginx service", sub {
$webserver->succeed("/run/current-system/fine-tune/child-1/bin/switch-to-configuration test");
$webserver->waitForUnit("acme-finished-b.example.com.target");
$client->succeed('curl https://b.example.com/ | grep -qF "hello world"');
$client->succeed('curl --cacert /tmp/ca.crt https://b.example.com/ | grep -qF "hello world"');
};
'';
}
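Review bot: the two `curl https://acme-v02.api.letsencrypt.org:15000/...` fetches that build `/tmp/ca.crt` run without `-f`, so a 404 or error page from the management endpoint still makes `succeed` pass and the later `--cacert /tmp/ca.crt` calls fail with a confusing TLS error instead; use `curl -f` for both and consider a `grep -q 'BEGIN CERTIFICATE' /tmp/ca.crt` check after the concatenation. These fetches also rely on the client's system trust store already containing the test CA (they pass no `--cacert`), and on the test DNS resolving `acme-v02.api.letsencrypt.org` to the letsencrypt node on port 15000; a one-line comment stating both dependencies would help the next person who changes common.nix.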
@@ -0,0 +1,25 @@
From c3b4004386074342d22cab5e129c1f7e623f4272 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?= <felix@alternativebit.fr>
Date: Mon, 21 Oct 2019 10:56:13 +0200
Subject: [PATCH] Change ACME directory endpoint to /directory

---
wfe/wfe.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wfe/wfe.go b/wfe/wfe.go
index e24797f..10d29fb 100644
--- a/wfe/wfe.go
+++ b/wfe/wfe.go
@@ -39,7 +39,7 @@ const (
// Note: We deliberately pick endpoint paths that differ from Boulder to
// exercise clients processing of the /directory response
// We export the DirectoryPath so that the pebble binary can reference it
- DirectoryPath = "/dir"
+ DirectoryPath = "/directory"
noncePath = "/nonce-plz"
newAccountPath = "/sign-me-up"
acctPath = "/my-account/"
--
2.23.0
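Review bot: the hunk changes `DirectoryPath` from `"/dir"` to `"/directory"` but leaves the comment directly above it ("We deliberately pick endpoint paths that differ from Boulder to exercise clients processing of the /directory response") in place, so the comment now contradicts the code. Update or remove that comment inside the patch, and record in the patch subject or a nixpkgs-side comment why the test needs the Boulder-compatible path, since the patch file's destination name is not visible in this view and the reason for overriding Pebble's deliberate choice is otherwise lost.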

26 changes: 4 additions & 22 deletions nixos/tests/common/letsencrypt/common.nix
@@ -1,27 +1,9 @@
{ lib, nodes, ... }: {
{ lib, nodes, pkgs, ... }: let
letsencrypt-ca = nodes.letsencrypt.config.test-support.letsencrypt.caCert;
in {
networking.nameservers = [
nodes.letsencrypt.config.networking.primaryIPAddress
];

nixpkgs.overlays = lib.singleton (self: super: {
cacert = super.cacert.overrideDerivation (drv: {
installPhase = (drv.installPhase or "") + ''
cat "${nodes.letsencrypt.config.test-support.letsencrypt.caCert}" \
>> "$out/etc/ssl/certs/ca-bundle.crt"
'';
});

# Override certifi so that it accepts fake certificate for Let's Encrypt
# Need to override the attribute used by simp_le, which is python3Packages
python3Packages = (super.python3.override {
packageOverrides = lib.const (pysuper: {
certifi = pysuper.certifi.overridePythonAttrs (attrs: {
postPatch = (attrs.postPatch or "") + ''
cat "${self.cacert}/etc/ssl/certs/ca-bundle.crt" \
> certifi/cacert.pem
'';
});
});
}).pkgs;
});
security.pki.certificateFiles = [ letsencrypt-ca ];
}
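Review bot: `pkgs` is added to the argument set in `{ lib, nodes, pkgs, ... }: let` but is not used anywhere in the resulting file, so it should be dropped. Otherwise replacing the cacert and certifi overlays with `security.pki.certificateFiles = [ letsencrypt-ca ];` is a good simplification: it avoids rebuilding every dependent of cacert and python3Packages, at the cost that programs shipping their own trust store (certifi, as the removed comment notes) no longer see the test CA, which is why the ACME service in this same compare sets REQUESTS_CA_BUNDLE to the system bundle.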