New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
security.acme: added reload and restart lists for sytemd targets #34388
Conversation
1a3c65f
to
e1abea1
Compare
nixos/modules/security/acme.nix
Outdated
reload = mkOption { | ||
type = types.listOf types.str; | ||
default = []; | ||
example = [ "postfix.service" ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
postfix.service
is used in both examples. Which one is needed for postfix and can we find a different common example for the other-one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
my main goal is postfix.service
but maybe there are other use-cases as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we could use dovecot.service
for instance
nixos/modules/security/acme.nix
Outdated
@@ -193,10 +225,11 @@ in | |||
servicesLists = mapAttrsToList certToServices cfg.certs; | |||
certToServices = cert: data: | |||
let | |||
domain = if data.domain != null then data.domain else cert; | |||
restartJobs = lib.unique data.systemd.restart; | |||
reloadJobs = lib.subtractLists restartJobs (lib.unique data.systemd.reload); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the case where a restart jobs is promoted to reload only? It seems like a configuration error.
Reversely, if one wants to change a job from reloading to restarting, how would you do that?
Using a { jobName = "restart" | "reload" }
data-structure would guarantee the uniqueness and allow that kind of override.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@zimbatm i 'feel' that there are use-cases but can't think of one atm. so maybe it is over-engineered.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
many services as postfix.service
and dovecot.service
can load new certificates using reload
so one does not have to cut connections, reset state and such, which would be the case with a full reload.
but there could be a plugin for dovecot, a plugin like https://pigeonhole.dovecot.org/, which hypotetically would require postfix to restart. i made this up of course, but the code using lib.unique
and restart
over reload
is already there and simple so why not just use it.
i have to fix a issue with the overall design first and then i will reopen the PR |
sure no problem |
ATM i wonder why there is: cert.domain at all. what is the motivation to not just use the attrName as 'domain' key? if no such motivation is there i'd like to rewrite the service and force the attrName to be the domain and get rid of the |
The |
now that @fpletz explained why |
e1abea1
to
32b1f93
Compare
@qknight I pushed a simplified proposal to your branch that takes into account what we where saying previously. It still needs a bit of testing. Feel free to revert or change it however you like. |
@zimbatm happy to use your modified version. i have to find out what has to be done now, do i merge your stuff now and then sqash-merge it? |
yes or keep adding commits to the branch and I'll squash them during merge |
another thing i don't understand is i assume this value is closely coupled with the vhost abstraction in nginx you guys wrote, is that correct? i'd like to add a example value and a better description to it, any ideas what that could be? |
yeah, I didn't build it but I'm pretty sure it's tied to the nginx enableTLS feature. It should work with Apache or any other webserver that can map the .well-known folder to that path. I believe that ACME has other validation methods, in which case this folder would be pretty useless. |
b566713
to
32b1f93
Compare
@zimbatm if you like it, please merge it. i didn't test 'our' work in production yet, so merge with care. and thanks for your effort, very much appreciated! |
regarding default valuesat the moment this is the most important patch so that domain is always assigned to a resonable value (not null but a string) by default. this is an important patch, since i want to read the certificates directly and don't have to check if they are null and then "otherwise" use the attrName. regarding restart/reloadcreating the new this usage still does not exceed the quota of weekly certs of 4. we could basically drop this from the PR and maybe create a new abstraction: |
|
How about creating a new PR with just the default values change? The rest is less obvious to me and I don't have a setup to test it out right now; I think overall the idea is good, it just needs to be fleshed out a bit more. |
@zimbatm yes, this seems to be a good idea. let's skip the restart/reload feature completely for the time being. |
|
@GrahamcOfBorg test acme |
Failure on aarch64-linux (full log) Partial log (click to expand)
|
Success on x86_64-linux (full log) Partial log (click to expand)
|
@qknight looks good to me. It should be safe to be cherry-picked as well. Any idea on what to name the commit? |
something like |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This breaks the build of the manual:
options-db.xml:6594: parser error : Opening and ending tag mismatch: name line 6594 and option
(<option>security.acme.cert.<name>.group</option>) to read SSL private certifica
Fixed XML in #34683 |
Motivation for this change
config =
section which duplicates code and makes it not accessible from outside the acme.nix scope)Things done