Comparing changes
base repository: NixOS/nixpkgs
base: 57fafc08f95e
head repository: NixOS/nixpkgs
compare: 883217dc3f81
  • 3 commits
  • 1 file changed
  • 2 contributors

Commits on Mar 1, 2020

  1. nixos/acme: renew after rebuild and on boot

    Fixes #81069
    
    (cherry picked from commit 5ff9441)
    mweinelt committed Mar 1, 2020
    bbd9e39
  2. nixos/acme: apply chmod and ownership unconditionally

    Also separate directory and file permissions so the certificate files
    don't end up with the executable bit.
    
    Fixes #81335
    
    (cherry picked from commit 3575555)
    mweinelt committed Mar 1, 2020
    a79920d

Commits on Mar 7, 2020

  1. Merge pull request #81435 from mweinelt/pr/20.03/acme

    [20.03] nixos/acme: backport #81369 and #81371
    infinisil authored Mar 7, 2020
    883217d
Showing with 7 additions and 5 deletions.
  1. +7 −5 nixos/modules/security/acme.nix
12 changes: 7 additions & 5 deletions nixos/modules/security/acme.nix
@@ -281,7 +281,7 @@ in
lpath = "acme/${cert}";
apath = "/var/lib/${lpath}";
spath = "/var/lib/acme/.lego";
rights = if data.allowKeysForGroup then "750" else "700";
fileMode = if data.allowKeysForGroup then "640" else "600";
globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
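Review bot: Renaming `rights` to `fileMode` (and changing the values from "750"/"700" to "640"/"600") changes the meaning of the binding, so every remaining `${rights}` use in this file has to be updated in the same change or the module fails to evaluate with an undefined variable; the hunks below cover `StateDirectoryMode` and two `chmod` calls, but please confirm with a grep that no other reference is left. A one-line comment next to `fileMode` saying why the .pem files must not receive the executable bit (directory modes are set separately) would also help the next reader.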
@@ -294,6 +294,7 @@ in
description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
# With RemainAfterExit the service is considered active even
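Review bot: `wantedBy = [ "multi-user.target" ];` pulls this oneshot renewal unit into every boot and into activation after a rebuild, which is the intended fix, but it also means a failed run (for example when network-online.target is reached without real connectivity) leaves a failed unit behind on each boot. Consider stating in the option documentation that a renewal is attempted at boot and after a rebuild and that this relies on the client doing nothing while the certificate is not yet due, and check that the RemainAfterExit comment directly below still describes the intended behaviour now that the unit is also started at boot.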
@@ -306,7 +307,7 @@ in
Group = data.group;
PrivateTmp = true;
StateDirectory = "acme/.lego ${lpath}";
StateDirectoryMode = rights;
StateDirectoryMode = if data.allowKeysForGroup then "750" else "700";
WorkingDirectory = spath;
# Only try loading the credentialsFile if the dns challenge is enabled
EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null;
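Review bot: `StateDirectoryMode = if data.allowKeysForGroup then "750" else "700";` inlines the condition that previously lived in the `rights` binding, so the directory mode and `fileMode` are now derived in two different places. Keep a `dirMode = if data.allowKeysForGroup then "750" else "700";` next to `fileMode` in the `let` block and write `StateDirectoryMode = dirMode;` here, so the two stay in step and the intent (directory gets the search bit, files do not) is visible in one spot.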
@@ -329,10 +330,11 @@ in
cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
ln -sf fullchain.pem cert.pem
cat key.pem fullchain.pem > full.pem
chmod ${rights} *.pem
chown '${data.user}:${data.group}' *.pem
fi
chmod ${fileMode} *.pem
chown '${data.user}:${data.group}' *.pem
${data.postRun}
'';
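Review bot: Moving `chmod ${fileMode} *.pem` and the following `chown` after the `fi` applies them unconditionally as intended, but the glob is now expanded on the branch where the body of the `if` did not run; if the working directory contains no .pem file at that point, the shell passes the literal `*.pem` to chmod, which fails and may abort the script before `${data.postRun}` runs. Either guard the two commands with a check that the files exist or enable nullglob around them. Note also that `cert.pem` is a symlink to `fullchain.pem`, so chmod follows it and the target is set twice; harmless, but worth a comment so nobody "fixes" it later.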
in
@@ -374,7 +376,7 @@ in
# Give key acme permissions
chown '${data.user}:${data.group}' "${apath}/"{key,fullchain,full}.pem
chmod ${rights} "${apath}/"{key,fullchain,full}.pem
chmod ${fileMode} "${apath}/"{key,fullchain,full}.pem
'';
serviceConfig = {
Type = "oneshot";
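Review bot: `chmod ${fileMode} "${apath}/"{key,fullchain,full}.pem` only covers three files, while the renewal script above applies `fileMode` to `*.pem`, so on this path `chain.pem` and `cert.pem` keep whatever mode they had before. If the omission is deliberate (those files hold only public material), say so in the `# Give key acme permissions` comment; otherwise apply the same set of files in both places so the permission model is consistent.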