nixos/acme: execute a single lego command #91042
Conversation
|
cc @maralorn |
I must say though that I am not a fan of my own work here. We are introducing new dependencies on @m1cr0man: you introduced the change to Lego. Was Lego the only choice for what we need in NixOS? |
Stop trying to execute `lego renew` if that is not necessary. Fix NixOS#86184.
There was a problem hiding this comment.
Hi datafoo! This is a nice solution, using openssl makes sense and probably doesn't hurt to make it a dependency. It's inevitable that it would be needed on a system using the acme module in the first place.
As for whether lego was the only choice, and why I chose it. Initially, my PR was based on another PR that used lego and that had received sufficient reviews and discussion to justify the selection of lego, and I certainly wasn't familiar enough with any other client to convince people otherwise. I simply continued the implementation and got it merged, having had it in production for a couple months beforehand.
However, I have been working on an update to the acme module as a whole.. I've been delayed just by being busy at work, but it does address this issue along with many, many others. I'll open a WIP PR now, which I should've done ages ago, and you can decide if you want to merge this PR regardless. If I don't get my work finished, this should definitely be added.
|
I think this PR is an improvement as well - let's merge it 👍 |
|
The acme update mentioned is here #91121. |
|
Is it good to merge then? |
|
Yeah go for it! :) |
I believe I do not have such permission on this repo. |
Ah, yes 😅 someone should be able to do it today for you. |
|
@GrahamcOfBorg test acme |
|
Merging entirely based on discussion. |
Motivation for this change
See #86184.
This implementation follows the workaround indicated go-acme/lego#693 (comment).
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)