nixos/acme: Allow for time window between cert issue and activation #31833
bump?
bump, again
@GrahamcOfBorg test acme
No attempt on aarch64-linux (full log) The following builds were skipped because they don't evaluate on aarch64-linux: tests.acme
No attempt on x86_64-linux (full log) The following builds were skipped because they don't evaluate on x86_64-linux: tests.acme
eval issues see @GrahamcOfBorg output
@matthewbauer, thanks for the info—I'll look into it.
Let's see if this works for me, too: @GrahamcOfBorg test acme Apparently not.
@matthewbauer I fixed those eval issues.
@GrahamcOfBorg test acme
No attempt on aarch64-linux (full log) The following builds were skipped because they don't evaluate on aarch64-linux: tests.acme
Success on x86_64-linux (full log) Attempted: tests.acme
@matthewbauer, Pretty sure failure on aarch64 is unrelated. Ready to merge?
Okay looks good! Make sure you are following Hydra jobs status though. Occasionally new failures will come up:
This PR introduces two new configuration options for security.acme.certs.* allowing for a configurable delay between issuance and activation of a new certificate and a shell script to execute at the start of the delay.
Motivation for this change
Primarily to support automatic DANE I needed a time window between getting a new certificate issued and deploying it.
Things done
build-use-sandbox in nix.conf on non-NixOS)
Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
Tested execution of all binary files (usually in ./result/bin/)