-
-
Notifications
You must be signed in to change notification settings - Fork 13.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/acme: Various fixes #191861
nixos/acme: Various fixes #191861
Conversation
Fixes NixOS#191794 Lego threw a permission denied error binding to port 80. AmbientCapabilities with CAP_NET_BIND_SERVICE was required. Also added a test for this.
Fixes NixOS#190493 Check if an actual key file exists. This does not completely cover the work accountHash does to ensure that a new account is registered when account related options are changed.
Lego has a built-in mechanism for sleeping for a random amount of time before renewing a certificate. In our environment this is not only unnecessary (as our systemd timer takes care of it) but also unwanted since it slows down the execution of the systemd service encompassing it, thus also slowing down the start up of any services its depending on. Also added FixedRandomDelay to the timer for more predictability.
Implemented the changes discussed in review comments. I am marking this as ready for review now since I don't know what the best course of action is to resolve #180980 for now, and will fix it at a later date. |
@ofborg test acme |
# Avoid a random 0-8 minute sleep when testing renewals. | ||
# We are not using LE servers in testing so this is not | ||
# going to impact their load. | ||
# See https://github.com/go-acme/lego/issues/1656 | ||
extraLegoRenewFlags = ["-no-random-sleep"]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Considering this is removed in the subsequent commit, would it make sense to just not add it in this commit?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm, I'm normally pretty adverse to editing commits because it alerts all the related issues again when you force push. Also I think these commits show a good evolution of the feature?
re: "This does not completely cover the work accountHash does to ensure that a new account is registered when account related options are changed." What is this referencing, the new mechanism? |
So accountHash works to ensure that we are putting accounts for particular configurations in their own folder. The check for an existing cert file is solving a different issue, that's what I'm implying. Does that make sense? |
Yeah, well enough. :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm confused as to why the port 80 issue wasn't caught earlier, but I won't make this wait on an answer for that. Thanks as always, @m1cr0man!
We didn't actually have an automated test for that configuration 😅 I added one in this PR though. Thanks for merging! |
Description of changes
Closes #191794 - Adds an AmbientCapabilities line to permit binding on port 80
Closes #190493 - Adds a check for an actual account key file rather than any file/folder in accounts
WIP #180980 - Will fix the web server config for nginx.No response will fix in another PR.CC @NixOS/acme
Things done
sandbox = true
set innix.conf
? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)nixos/doc/manual/md-to-db.sh
to update generated release notes