Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: b615c2e9929e
Choose a base ref
...
head repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 6a55fda61e89
Choose a head ref
  • 2 commits
  • 1 file changed
  • 1 contributor

Commits on Jun 9, 2017

  1. nixos/acme: support "full.pem" (for lighttpd) 

    * Create "full.pem" from selfsigned certificate
* Tell simp_le to create "full.pem"
* Inject service dependency between lighttpd and the generation of certificates

Side note: According to the internet these servers also use the
"full.pem" format: pound, ejabberd, pure-ftpd.
    @bjornfor
    bjornfor committed Jun 9, 2017
    Copy the full SHA
    7a0e958 View commit details

  2. nixos/acme: improve documentation 

    * Use literalExample for better readability
* Clarify a bit wrt. 'webroot' and 'allowKeysForGroup'
    @bjornfor
    bjornfor committed Jun 9, 2017
    Copy the full SHA
    6a55fda View commit details
Showing with 38 additions and 26 deletions.
  1. +38 −26 nixos/modules/security/acme.nix
64 changes: 38 additions & 26 deletions nixos/modules/security/acme.nix
View file
Original file line number Diff line number Diff line change
@@ -13,7 +13,7 @@ let
description = ''
Where the webroot of the HTTP vhost is located.
<filename>.well-known/acme-challenge/</filename> directory
will be created automatically if it doesn't exist.
will be created below the webroot if it doesn't exist.
<literal>http://example.org/.well-known/acme-challenge/</literal> must also
be available (notice unencrypted HTTP).
'';
@@ -46,7 +46,10 @@ let
allowKeysForGroup = mkOption {
type = types.bool;
default = false;
description = "Give read permissions to the specified group to read SSL private certificates.";
description = ''
Give read permissions to the specified group
(<option>security.acme.group</option>) to read SSL private certificates.
'';
};

postRun = mkOption {
@@ -65,21 +68,24 @@ let
"cert.der" "cert.pem" "chain.pem" "external.sh"
"fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json"
]);
default = [ "fullchain.pem" "key.pem" "account_key.json" ];
default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
description = ''
Plugins to enable. With default settings simp_le will
store public certificate bundle in <filename>fullchain.pem</filename>
and private key in <filename>key.pem</filename> in its state directory.
store public certificate bundle in <filename>fullchain.pem</filename>,
private key in <filename>key.pem</filename> and those two previous
files combined in <filename>full.pem</filename> in its state directory.
'';
};

extraDomains = mkOption {
type = types.attrsOf (types.nullOr types.str);
default = {};
example = {
"example.org" = "/srv/http/nginx";
"mydomain.org" = null;
};
example = literalExample ''
{
"example.org" = "/srv/http/nginx";
"mydomain.org" = null;
}
'';
description = ''
Extra domain names for which certificates are to be issued, with their
own server roots if needed.
@@ -139,17 +145,19 @@ in
description = ''
Attribute set of certificates to get signed and renewed.
'';
example = {
"example.com" = {
webroot = "/var/www/challenges/";
email = "foo@example.com";
extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; };
};
"bar.example.com" = {
webroot = "/var/www/challenges/";
email = "bar@example.com";
};
};
example = literalExample ''
{
"example.com" = {
webroot = "/var/www/challenges/";
email = "foo@example.com";
extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; };
};
"bar.example.com" = {
webroot = "/var/www/challenges/";
email = "bar@example.com";
};
}
'';
};
};
};
@@ -238,6 +246,9 @@ in
mv $workdir/server.key ${cpath}/key.pem
mv $workdir/server.crt ${cpath}/fullchain.pem
# Create full.pem for e.g. lighttpd (same format as "simp_le ... -f full.pem" creates)
cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem"
# Clean up working directory
rm $workdir/server.csr
rm $workdir/server.pass.key
@@ -247,6 +258,8 @@ in
chown '${data.user}:${data.group}' '${cpath}/key.pem'
chmod ${rights} '${cpath}/fullchain.pem'
chown '${data.user}:${data.group}' '${cpath}/fullchain.pem'
chmod ${rights} '${cpath}/full.pem'
chown '${data.user}:${data.group}' '${cpath}/full.pem'
'';
serviceConfig = {
Type = "oneshot";
@@ -275,15 +288,14 @@ in
)
);
servicesAttr = listToAttrs services;
nginxAttr = {
nginx = {
after = [ "acme-selfsigned-certificates.target" ];
wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
};
injectServiceDep = {
after = [ "acme-selfsigned-certificates.target" ];
wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
};
in
servicesAttr //
(if config.services.nginx.enable then nginxAttr else {});
(if config.services.nginx.enable then { nginx = injectServiceDep; } else {}) //
(if config.services.lighttpd.enable then { lighttpd = injectServiceDep; } else {});

systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
("acme-${cert}")