base repository: NixOS/nixpkgs-channels
base: c37b4466c0fc
head repository: NixOS/nixpkgs-channels
compare: bd2c1d72c5a7
  • 8 commits
  • 2 files changed
  • 4 contributors

Commits on Feb 22, 2020

  1. Copy the full SHA
    1c07ee7 View commit details
  2. Copy the full SHA
    196682b View commit details

Commits on Feb 29, 2020

  1. nixos/acme: adjust renewal timer options

    The current weekly setting causes every NixOS server to try to renew
    its certificate at midnight on the dot on Monday. This contributes to
    the general problem of periodic load spikes for Let's Encrypt; NixOS
    is probably not a major contributor to that problem, but we can lead by
    example by picking good defaults here.
    
    The values here were chosen after consulting with @yuriks, an SRE at
    Let's Encrypt:
    
    * Randomize the time certificates are renewed within a 24 hour period.
    
    * Check for renewal every 24 hours, to ensure the certificate is always
      renewed before an expiry notice is sent out.
    
    * Increase the AccuracySec (thus lowering the accuracy(!)), so that
      systemd can coalesce the renewal with other timers being run.
    
      (You might be worried that this would defeat the purpose of the time
      skewing, but systemd is documented as avoiding this by picking a
      random time.)
    emilazy committed Feb 29, 2020
    Copy the full SHA
    7b14bbd View commit details
  2. Copy the full SHA
    b522aed View commit details
  3. Copy the full SHA
    ffb7b98 View commit details

Commits on Mar 3, 2020

  1. Merge pull request #80856 from emilazy/adjust-acme

    nixos/acme: adjust renewal timer options
    lukateras authored Mar 3, 2020
    Copy the full SHA
    31aefc7 View commit details
  2. Merge pull request #80900 from emilazy/acme-must-staple

    nixos/acme: Must-Staple and extra flags
    lukateras authored Mar 3, 2020
    Copy the full SHA
    c16f221 View commit details
  3. Merge pull request #80845 from obsidiansystems/work-on-multi-shellFor

    haskell shellFor: Fix hoogle
    cdepillabout authored Mar 3, 2020
    Copy the full SHA
    bd2c1d7 View commit details
Showing with 45 additions and 10 deletions.
  1. +41 −6 nixos/modules/security/acme.nix
  2. +4 −4 pkgs/development/haskell-modules/make-package-set.nix
47 changes: 41 additions & 6 deletions nixos/modules/security/acme.nix
@@ -136,6 +136,27 @@ let
challenge to ensure the DNS entries required are available.
'';
};

ocspMustStaple = mkOption {
type = types.bool;
default = false;
description = ''
Turns on the OCSP Must-Staple TLS extension.
Make sure you know what you're doing! See:
<itemizedlist>
<listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem>
<listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem>
</itemizedlist>
'';
};

extraLegoRenewFlags = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Additional flags to pass to lego renew.
'';
};
};
};

@@ -174,7 +195,7 @@ in

renewInterval = mkOption {
type = types.str;
default = "weekly";
default = "daily";
description = ''
Systemd calendar expression when to check for renewal. See
<citerefentry><refentrytitle>systemd.time</refentrytitle>
@@ -288,8 +309,11 @@ in
++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" data.webroot ])
++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
runOpts = escapeShellArgs (globalOpts ++ [ "run" ]);
renewOpts = escapeShellArgs (globalOpts ++ [ "renew" "--days" (toString cfg.validMinDays) ]);
certOpts = optionals data.ocspMustStaple [ "--must-staple" ];
runOpts = escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts);
renewOpts = escapeShellArgs (globalOpts ++
[ "renew" "--days" (toString cfg.validMinDays) ] ++
certOpts ++ data.extraLegoRenewFlags);
acmeService = {
description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" "network-online.target" ];
@@ -400,7 +424,17 @@ in
systemd.tmpfiles.rules =
map (data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}") (filter (data: data.webroot != null) (attrValues cfg.certs));

systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
systemd.timers = let
# Allow systemd to pick a convenient time within the day
# to run the check.
# This allows the coalescing of multiple timer jobs.
# We divide by the number of certificates so that if you
# have many certificates, the renewals are distributed over
# the course of the day to avoid rate limits.
numCerts = length (attrNames cfg.certs);
_24hSecs = 60 * 60 * 24;
AccuracySec = "${toString (_24hSecs / numCerts)}s";
in flip mapAttrs' cfg.certs (cert: data: nameValuePair
("acme-${cert}")
({
description = "Renew ACME Certificate for ${cert}";
@@ -409,8 +443,9 @@ in
OnCalendar = cfg.renewInterval;
Unit = "acme-${cert}.service";
Persistent = "yes";
AccuracySec = "5m";
RandomizedDelaySec = "1h";
inherit AccuracySec;
# Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.
RandomizedDelaySec = "24h";
};
})
);
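Review bot: The `extraLegoRenewFlags` description does not say that the flags reach only the `renew` invocation — `certOpts ++ data.extraLegoRenewFlags` is appended to `renewOpts`, while `runOpts` gets `certOpts` alone — so a user expecting them on the initial `run` will be surprised; `Additional flags to pass to lego renew. They are not passed to the initial lego run.` would make that explicit. The `ocspMustStaple` description warns "Make sure you know what you're doing" without naming the risk; a sentence such as `Clients reject a Must-Staple certificate when the serving web server does not staple an OCSP response, so enable stapling there before turning this on.` would tell the reader why the linked articles matter. In the timer hunk, `_24hSecs / numCerts` divides by zero when cfg.certs is empty; Nix evaluation is lazy and AccuracySec is presumably only forced for an existing timer, so this is likely harmless, but `numCerts = max 1 (length (attrNames cfg.certs));` or a short comment would document the intent. All of these hunks sit inside `let`/`config` blocks that start and end outside the view.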
8 changes: 4 additions & 4 deletions pkgs/development/haskell-modules/make-package-set.nix
@@ -315,10 +315,10 @@ in package-set { inherit pkgs stdenv callPackage; } self // {

in self.mkDerivation genericBuilderArgs;

envFuncArgs = builtins.removeAttrs args [ "packages" ];
in (combinedPackageFor packages).env.overrideAttrs (old: envFuncArgs // {
nativeBuildInputs = old.nativeBuildInputs ++ envFuncArgs.nativeBuildInputs or [];
buildInputs = old.buildInputs ++ envFuncArgs.buildInputs or [];
mkDerivationArgs = builtins.removeAttrs args [ "packages" "withHoogle" ];
in ((combinedPackageFor packages).envFunc { inherit withHoogle; }).overrideAttrs (old: mkDerivationArgs // {
nativeBuildInputs = old.nativeBuildInputs ++ mkDerivationArgs.nativeBuildInputs or [];
buildInputs = old.buildInputs ++ mkDerivationArgs.buildInputs or [];
});

ghc = ghc // {
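Review bot: `inherit withHoogle;` on the new `envFunc` call relies on `withHoogle` being bound by the enclosing function's argument pattern, which starts outside the hunk; if that pattern gives it no default, callers that previously omitted the attribute now fail at evaluation, so the signature should be checked alongside this change. A one-line comment above the call, `# withHoogle is stripped from mkDerivationArgs above and forwarded to envFunc explicitly`, would record why it is removed from `args` in the line before. The enclosing function begins and ends outside the hunk.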