This repository was archived by the owner on Apr 12, 2021. It is now read-only.
Comparing changes

base repository: NixOS/nixpkgs-channels
base: 181974248e25
head repository: NixOS/nixpkgs-channels
compare: 0f2565d51822
  • 3 commits
  • 2 files changed
  • 3 contributors

Commits on Feb 29, 2020

  1. nixos/acme: adjust renewal timer options

    The current weekly setting causes every NixOS server to try to renew
    its certificate at midnight on the dot on Monday. This contributes to
    the general problem of periodic load spikes for Let's Encrypt; NixOS
    is probably not a major contributor to that problem, but we can lead by
    example by picking good defaults here.
    
    The values here were chosen after consulting with @yuriks, an SRE at
    Let's Encrypt:
    
    * Randomize the time certificates are renewed within a 24 hour period.
    
    * Check for renewal every 24 hours, to ensure the certificate is always
      renewed before an expiry notice is sent out.
    
    * Increase the AccuracySec (thus lowering the accuracy(!)), so that
      systemd can coalesce the renewal with other timers being run.
    
      (You might be worried that this would defeat the purpose of the time
      skewing, but systemd is documented as avoiding this by picking a
      random time.)
    
    (cherry picked from commit 7b14bbd)
    emilazy committed Feb 29, 2020
    f2c522a

Commits on Mar 2, 2020

  1. xfce.xfdashbooard: fix typo

    (cherry picked from commit e0a2f0f)
    conferno authored and worldofpeace committed Mar 2, 2020
    2e4a4b9

Commits on Mar 3, 2020

  1. Merge pull request #80857 from emilazy/adjust-acme-20.03

    [20.03] nixos/acme: adjust renewal timer options
    lukateras authored Mar 3, 2020
    0f2565d
Showing with 16 additions and 5 deletions.
  1. +15 −4 nixos/modules/security/acme.nix
  2. +1 −1 pkgs/desktops/xfce/default.nix
19 changes: 15 additions & 4 deletions nixos/modules/security/acme.nix
@@ -174,7 +174,7 @@ in

renewInterval = mkOption {
type = types.str;
default = "weekly";
default = "daily";
description = ''
Systemd calendar expression when to check for renewal. See
<citerefentry><refentrytitle>systemd.time</refentrytitle>
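Review bot: The renewInterval description still reads "Systemd calendar expression when to check for renewal", but with the default now "daily" and the timer further down carrying RandomizedDelaySec = "24h", the check no longer fires at the time the expression names. Say in the description that the actual run time is skewed within the day, and add a release-note entry for the changed default; this comparison touches only acme.nix and the xfce file, so operators who relied on the weekly schedule get no notice of it.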
@@ -399,7 +399,17 @@ in
systemd.tmpfiles.rules =
map (data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}") (filter (data: data.webroot != null) (attrValues cfg.certs));

systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
systemd.timers = let
# Allow systemd to pick a convenient time within the day
# to run the check.
# This allows the coalescing of multiple timer jobs.
# We divide by the number of certificates so that if you
# have many certificates, the renewals are distributed over
# the course of the day to avoid rate limits.
numCerts = length (attrNames cfg.certs);
_24hSecs = 60 * 60 * 24;
AccuracySec = "${toString (_24hSecs / numCerts)}s";
in flip mapAttrs' cfg.certs (cert: data: nameValuePair
("acme-${cert}")
({
description = "Renew ACME Certificate for ${cert}";
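Review bot: numCerts is 0 when cfg.certs is empty, so the division in AccuracySec = "${toString (_24hSecs / numCerts)}s" is safe only because the let binding is lazy and the mapAttrs' function is never called for an empty set. Clamp the divisor to at least 1, or add a one-line comment stating that the value is never forced without certificates, so a later refactor that uses AccuracySec outside the function does not turn this into an evaluation error. The comment above it also credits this value with distributing renewals over the day; AccuracySec is the coalescing window, and the spreading comes from RandomizedDelaySec, so reword the comment to say that the window shrinks as the number of certificates grows.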
@@ -408,8 +418,9 @@ in
OnCalendar = cfg.renewInterval;
Unit = "acme-${cert}.service";
Persistent = "yes";
AccuracySec = "5m";
RandomizedDelaySec = "1h";
inherit AccuracySec;
# Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.
RandomizedDelaySec = "24h";
};
})
);
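Review bot: RandomizedDelaySec = "24h" and the day-derived AccuracySec are fixed, while OnCalendar still follows cfg.renewInterval, so a user who sets an interval shorter than a day gets a delay window longer than the period they asked for. Either state in the renewInterval documentation that values finer than "daily" are not honoured precisely, or expose the delay as an option next to renewInterval so the two can be changed together.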
2 changes: 1 addition & 1 deletion pkgs/desktops/xfce/default.nix
@@ -78,7 +78,7 @@ lib.makeScope pkgs.newScope (self: with self; {
inherit (pkgs.gnome3) libsoup;
};

xfdashbooard = callPackage ./applications/xfdashboard {};
xfdashboard = callPackage ./applications/xfdashboard {};

# TODO: this repo is inactive for many years. Remove?
xfce4-volumed = callPackage ./applications/xfce4-volumed { };