
nixos/acme: Allow for time window between cert issue and activation #31833

Merged
merged 4 commits into from Apr 24, 2018

Conversation

gkleen
Contributor

@gkleen gkleen commented Nov 19, 2017

This PR introduces two new configuration options for security.acme.certs.* allowing for a configurable delay between issuance and activation of a new certificate and a shell script to execute at the start of the delay.

Motivation for this change

Primarily to support automatic DANE I needed a time window between getting a new certificate issued and deploying it.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.
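The issue-then-wait-then-activate workflow the PR description motivates (publish the new certificate's DANE TLSA record first, let it propagate, and only then activate the certificate), as an added Python example that is not part of this PR or the nixpkgs acme module. The PR's option names are not used here; the Ed25519 key bytes, the simulated resolver view and the `Rollover` class are constructed for illustration.

```python
"""Why a delay between certificate issuance and activation matters for DANE.

Hypothetical example (not the nixpkgs acme module's code). A DANE-EE record
("3 1 1") is the SHA-256 of the certificate's DER SubjectPublicKeyInfo. It must
be published in DNS and allowed to propagate *before* the new certificate is
served, otherwise DANE-validating clients reject the connection.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed sample: DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410),
# to be followed by the 32 raw public-key bytes.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki_der(raw_key: bytes) -> bytes:
    """Build the DER SubjectPublicKeyInfo for a raw 32-byte Ed25519 key."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key


def tlsa_311_rdata(spki_der: bytes) -> str:
    """TLSA rdata: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


@dataclass
class Rollover:
    """Tracks the issue-to-activate window for one newly issued certificate."""
    issued_at: int          # epoch seconds at which the new cert was issued
    activation_delay: int   # seconds to wait; should exceed the TLSA RRset TTL
    rdata: str              # TLSA rdata of the *new* certificate
    published: set = field(default_factory=set)  # simulated resolver view

    def pre_delay_hook(self) -> None:
        # What a start-of-delay script does: publish the new TLSA record next
        # to the old one, so both validate during the window.
        self.published.add(self.rdata)

    def may_activate(self, now: int) -> bool:
        """True only once the window has elapsed AND the record is resolvable."""
        window_elapsed = now >= self.issued_at + self.activation_delay
        return window_elapsed and self.rdata in self.published
```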

@gkleen
Contributor Author

gkleen commented Nov 19, 2017

@abbradar @fpletz @globin, care to comment?

@gkleen
Contributor Author

gkleen commented Dec 2, 2017

bump?

@gkleen
Contributor Author

gkleen commented Jan 14, 2018

bump, again

@matthewbauer
Member

@GrahamcOfBorg test acme

@GrahamcOfBorg

No attempt on aarch64-linux (full log)

The following builds were skipped because they don't evaluate on aarch64-linux: tests.acme

Partial log:

while evaluating 'reverseList' at /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/lists.nix:281:17, called from /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/modules.nix:64:38:
while evaluating 'filterModules' at /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/modules.nix:93:31, called from /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/modules.nix:64:51:
while evaluating 'closeModules' at /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/modules.nix:101:27, called from /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/modules.nix:62:16:
while evaluating anonymous function at /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/lists.nix:96:29, called from undefined position:
while evaluating anonymous function at /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/modules.nix:103:50, called from /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/lists.nix:96:32:
while evaluating 'unifyModuleSyntax' at /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/modules.nix:118:34, called from /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/modules.nix:109:11:
while evaluating 'applyIfFunction' at /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/modules.nix:144:29, called from /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/modules.nix:109:39:
while evaluating 'isFunction' at /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/trivial.nix:161:16, called from /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/lib/modules.nix:144:68:
attribute 'cpath' at /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/nixos/modules/security/acme.nix:215:17 already defined at /var/lib/gc-of-borg/nix-test-rs-12/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-12/nixos/modules/security/acme.nix:213:17

@GrahamcOfBorg

No attempt on x86_64-linux (full log)

The following builds were skipped because they don't evaluate on x86_64-linux: tests.acme

Partial log:

while evaluating 'reverseList' at /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/lists.nix:281:17, called from /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/modules.nix:64:38:
while evaluating 'filterModules' at /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/modules.nix:93:31, called from /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/modules.nix:64:51:
while evaluating 'closeModules' at /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/modules.nix:101:27, called from /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/modules.nix:62:16:
while evaluating anonymous function at /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/lists.nix:96:29, called from undefined position:
while evaluating anonymous function at /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/modules.nix:103:50, called from /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/lists.nix:96:32:
while evaluating 'unifyModuleSyntax' at /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/modules.nix:118:34, called from /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/modules.nix:109:11:
while evaluating 'applyIfFunction' at /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/modules.nix:144:29, called from /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/modules.nix:109:39:
while evaluating 'isFunction' at /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/trivial.nix:161:16, called from /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/lib/modules.nix:144:68:
attribute 'cpath' at /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/nixos/modules/security/acme.nix:215:17 already defined at /home/ofborg/ofborg1/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/builder-7c6f434c1/nixos/modules/security/acme.nix:213:17

Member

@matthewbauer matthewbauer left a comment


Eval issues; see @GrahamcOfBorg output.

@gkleen
Contributor Author

gkleen commented Apr 21, 2018

@matthewbauer, thanks for the info—I'll look into it.

@gkleen
Contributor Author

gkleen commented Apr 21, 2018

Let's see if this works for me, too:

@GrahamcOfBorg test acme

Apparently not.

@gkleen
Contributor Author

gkleen commented Apr 23, 2018

@matthewbauer I fixed those eval issues.

@matthewbauer
Member

@GrahamcOfBorg test acme

@GrahamcOfBorg

No attempt on aarch64-linux (full log)

The following builds were skipped because they don't evaluate on aarch64-linux: tests.acme

Partial log:


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowUnsupportedSystem = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowUnsupportedSystem = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: tests.acme

Partial log:

letsencrypt: running command: sync
letsencrypt: exit status 0
test script finished in 378.08s
cleaning up
killing webserver (pid 625)
killing client (pid 636)
killing letsencrypt (pid 593)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
/nix/store/fhby5y2axm03wxwd93mmynvly6jxrkmq-vm-test-run-acme

@gkleen
Contributor Author

gkleen commented Apr 24, 2018

@matthewbauer, pretty sure the failure on aarch64 is unrelated. Ready to merge?

@matthewbauer matthewbauer merged commit 1b0a7bf into NixOS:master Apr 24, 2018
@matthewbauer
Member

Okay looks good! Make sure you are following Hydra jobs status though. Occasionally new failures will come up:

https://hydra.nixos.org/jobset/nixos/trunk-combined
