  • 3 commits
  • 4 files changed
  • 2 contributors

Commits on Oct 30, 2019

  1. nixos/modules/security/acme.nix: add server option

    Add a new option that allows certbot to be pointed at an ACME Directory
    Resource URI other than the Let's Encrypt production/staging ones.
    
    In the meantime, we are deprecating the now useless Let's Encrypt
    production flag.
    picnoir committed Oct 30, 2019
    5671fa2 View commit details
  2. nixos/tests/acme.nix: remove pebble custom endpoint patch

    The recent custom endpoint addition allows us to directly point
    certbot to the custom Pebble directory endpoint.
    
    Thanks to that, we can ditch the Pebble patch we were using so far,
    making this test easier to maintain.
    picnoir committed Oct 30, 2019
    781f0cf View commit details
  3. Merge pull request #72007 from NinjaTrappeur/nin-acme-custom-dir-uri

    nixos/acme: Custom ACME endpoint
    flokli authored Oct 30, 2019
    992035c View commit details
46 changes: 30 additions & 16 deletions nixos/modules/security/acme.nix
@@ -20,6 +20,16 @@ let
'';
};

server = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
ACME Directory Resource URI. Defaults to let's encrypt
production endpoint,
https://acme-v02.api.letsencrypt.org/directory, if unset.
'';
};

domain = mkOption {
type = types.str;
default = name;
@@ -109,7 +119,15 @@ in
{

###### interface

imports = [
(mkRemovedOptionModule [ "security" "acme" "production" ] ''
Use security.acme.server to define your staging ACME server URL instead.
To use the let's encrypt staging server, use security.acme.server =
"https://acme-staging-v02.api.letsencrypt.org/directory".
''
)
];
options = {
security.acme = {

@@ -129,6 +147,16 @@ in
'';
};

server = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
ACME Directory Resource URI. Defaults to let's encrypt
production endpoint,
<literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset.
'';
};

preliminarySelfsigned = mkOption {
type = types.bool;
default = true;
@@ -142,20 +170,6 @@ in
'';
};

production = mkOption {
type = types.bool;
default = true;
description = ''
If set to true, use Let's Encrypt's production environment
instead of the staging environment. The main benefit of the
staging environment is to get much higher rate limits.
See
<literal>https://letsencrypt.org/docs/staging-environment</literal>
for more detail.
'';
};

certs = mkOption {
default = { };
type = with types; attrsOf (submodule certOpts);
@@ -198,7 +212,7 @@ in
++ optionals (data.email != null) [ "--email" data.email ]
++ concatMap (p: [ "-f" p ]) data.plugins
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
++ optionals (!cfg.production) ["--server" "https://acme-staging-v02.api.letsencrypt.org/directory"];
++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
acmeService = {
description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" "network-online.target" ];
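Review bot: The per-certificate `server` description added in the first hunk says the value "Defaults to let's encrypt production endpoint ... if unset", but the argument assembly in the last hunk (`optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)]`) falls back to the global `security.acme.server` first and only omits `--server` when both are null, so the stated default is wrong whenever the global option is set. I would change the per-certificate text to `Defaults to <option>security.acme.server</option> if unset.` and add to the global option `Can be overridden per certificate with the certificate's <literal>server</literal> option.` so the precedence is documented in both places. The `mkRemovedOptionModule` message in the second hunk, `Use security.acme.server to define your staging ACME server URL instead.`, reads as if the option were only for staging; `Use security.acme.server to define the ACME server URL instead.` describes what it does. Finally, `types.nullOr types.str` accepts any string, so a malformed directory URL is only detected when certbot runs — acceptable, but worth one sentence in the description so users know there is no build-time validation.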
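--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -12,8 +12,11 @@ in import ./make-test.nix {
 networking.extraHosts = ''
 ${config.networking.primaryIPAddress} standalone.com
 '';
-security.acme.certs."standalone.com" = {
-webroot = "/var/lib/acme/acme-challenges";
+security.acme = {
+server = "https://acme-v02.api.letsencrypt.org/dir";
+certs."standalone.com" = {
+webroot = "/var/lib/acme/acme-challenges";
 };
+};
 systemd.targets."acme-finished-standalone.com" = {};
 systemd.services."acme-standalone.com" = {
@@ -54,6 +57,8 @@ in import ./make-test.nix {
 '';
 };
 
+security.acme.server = "https://acme-v02.api.letsencrypt.org/dir";
+
 nesting.clone = [
 ({pkgs, ...}: {
 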
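Review bot: The directory URL `https://acme-v02.api.letsencrypt.org/dir` is now written verbatim in two places (the `security.acme` block of the first hunk and the bare `security.acme.server` line of the second) with nothing explaining why the path is `/dir` rather than the `/directory` the real Let's Encrypt endpoint uses, so a reader unfamiliar with Pebble will take it for a typo. I would hoist it into a single binding in the test's top-level `let` (which starts outside the hunk) and comment it, e.g. `# Pebble, which the letsencrypt test module serves on this host, exposes its ACME directory at /dir, not /directory` — the host override itself is something I infer from the common letsencrypt module in this same compare, so confirm the wording against it. The second hunk's assignment also sits on its own between unrelated settings; if that node already has a `security.acme` attribute set, placing `server` inside it would match the style of the first hunk.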
This file was deleted.

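--- a/nixos/tests/common/letsencrypt/default.nix
+++ b/nixos/tests/common/letsencrypt/default.nix
@@ -62,17 +62,7 @@ let
 siteDomain = "letsencrypt.org";
 siteCertFile = snakeOilCerts.${siteDomain}.cert;
 siteKeyFile = snakeOilCerts.${siteDomain}.key;
-pebble = pkgs.pebble.overrideAttrs (attrs: {
-# The pebble directory endpoint is /dir when the bouder (official
-# ACME server) is /directory. Sadly, this endpoint is hardcoded,
-# we have to patch it.
-#
-# Tried to upstream, that said upstream maintainers rather keep
-# this custom endpoint to test ACME clients robustness. See
-# https://github.com/letsencrypt/pebble/issues/283#issuecomment-545123242
-patches = [ ./0001-Change-ACME-directory-endpoint-to-directory.patch ];
-});
-
+pebble = pkgs.pebble;
 resolver = let
 message = "You need to define a resolver for the letsencrypt test module.";
 firstNS = lib.head config.networking.nameservers;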
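Review bot: The knowledge the removed comment carried — that Pebble serves its directory at `/dir` where a real ACME server uses `/directory`, and that upstream keeps it that way deliberately (the linked pebble issue) — no longer lives anywhere in this module, yet every test that uses it still has to know it to set `security.acme.server`, as the acme test change in this same compare shows. A one-line comment on the new binding would keep that fact next to the package it concerns, e.g. `# Pebble serves its ACME directory at /dir, not /directory; clients must be pointed at it explicitly (see the upstream issue linked in the commit history).` Whether the `pebble = pkgs.pebble;` alias is still worth keeping at all depends on other uses of `pebble` in this file, which are outside the hunk.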