nixos/acme: renew after rebuild and on boot #81371
Conversation
Looks good to me! Doesn't need to be addressed in this PR, but a related issue is that the certificates aren't force-renewed after relevant certificate settings (like the
I've been running
On our side, I guess one thing that comes to mind is to hash all flags together and concoct some shell script that will force renewal when hash changes.
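The hash-and-compare idea from the comment above, as an added example in POSIX sh (not code from nixpkgs or this PR): it assumes one hash file per certificate, for instance under /var/lib/acme/<fqdn>/ (hypothetical path), and leaves the actual call to the ACME client to whatever wraps it.

```shell
#!/bin/sh
# Added example (not the nixpkgs acme module's code): detect a change in the
# settings of one security.acme.certs.<fqdn> entry by hashing them and comparing
# with the hash recorded after the last successful issue, so a renewal can be
# forced even though lego's own renew check only looks at certificate expiry.

# Print the SHA-256 of a settings string.
# Falls back to shasum when sha256sum (coreutils) is not present.
settings_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s\n' "$1" | sha256sum
    else
        printf '%s\n' "$1" | shasum -a 256
    fi | cut -d' ' -f1
}

# settings_changed STATEFILE SETTINGS
# Exit status 0 when SETTINGS differ from the stored hash (or nothing is
# stored yet, i.e. no certificate was ever issued), 1 when unchanged.
# Purely local: this never contacts the ACME server, so it is not rate limited.
settings_changed() {
    statefile=$1
    new=$(settings_hash "$2")
    [ -f "$statefile" ] || return 0
    [ "$(cat "$statefile")" != "$new" ]
}

# record_settings STATEFILE SETTINGS: store the hash once issuance succeeded.
record_settings() {
    settings_hash "$2" > "$1"
}

# Walk through the case from the discussion with constructed settings:
# adding a domain to extraDomains must trigger a forced renewal.
demo() {
    dir=$(mktemp -d)
    state="$dir/settings-hash"
    s1='domain=example.org;extraDomains=www.example.org;keyType=ec256'
    s2='domain=example.org;extraDomains=www.example.org,mail.example.org;keyType=ec256'
    if settings_changed "$state" "$s1"; then echo "no state yet: issue certificate"; fi
    record_settings "$state" "$s1"          # would run after a successful issue
    if ! settings_changed "$state" "$s1"; then echo "unchanged: leave it to lego renew"; fi
    if settings_changed "$state" "$s2"; then echo "extraDomains changed: force renewal"; fi
    rm -r "$dir"
}

demo
```

Everything that influences the issued certificate (domain, extraDomains, key type, server URL) has to go into the hashed string, otherwise a changed option is silently missed.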
Makes sense per #81069 (comment) and lego renew behavior.
Is this intended for the PR issue or the one I pointed out? If the latter, then I'm not sure this works, since it'll just see that the cert is new enough and doesn't need renewing. I had to manually set
Right, sorry. Doing that won't renew the cert only if options changed, for reasons you've described, and can only be useful if no certs were issued at all (like the issue that's addressed in this PR).
@mweinelt @yegortimoshenko @worldofpeace this seems to break nixos-containers: unfortunately a I'd suggest that we only add this dependency if e.g. Any further opinions? :) [1] The host-side interface for a nixos-container is configured after it is started up (nixpkgs/nixos/modules/virtualisation/containers.nix, Lines 178 to 229 in 90a3908)
SGTM.
On boot, a container doesn't have an uplink and would run into a timeout while waiting for cert renewal[1]. [1] NixOS#81371 (comment)
On boot, a container doesn't have an uplink and would run into a timeout while waiting for cert renewal[1]. [1] #81371 (comment) (cherry picked from commit 1a5289f)
On boot, a container doesn't have an uplink and would run into a timeout while waiting for cert renewal[1]. [1] NixOS#81371 (comment) (cherry picked from commit 1a5289f)
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/issues-using-nixos-container-to-set-up-an-etcd-cluster/8438/2
Fixes #81069
Motivation for this change
Changes to security.acme.certs.<fqdn> (like chmod, chown, extraDomains) should be realized after a rebuild, therefore add the acme service to multi-user.target as proposed by @infinisil in #81069. This has the added benefit that the certificate is also checked for validity on boot.
Since the renewal check is local this will not be affected by any rate limits on the remote ACME service.
This is completely untested, I will get to that later tonight.
Things done
Tested using sandboxing (option sandbox in nix.conf on non-NixOS linux)
Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
Tested execution of all binary files (usually in ./result/bin/)
Determined the impact on package closure size (by running nix path-info -S before and after)
@aanderse @emilazy @flokli @infinisil @arianvp @m1cr0man