| field | value | date |
|---|---|---|
| author | Lucas Savva <lucas@m1cr0man.com> | 2020-06-19 20:27:46 +0100 |
| committer | Lucas Savva <lucas@m1cr0man.com> | 2020-09-02 19:22:43 +0100 |
| commit | 982c5a1f0e7f282f856391304aa4da7bb36c45b8 (patch) | |
| tree | 4cf0e93b6cd4e1ae2371c0d9184fca87ae8e43ca /pkgs/tools/security/minica | |
| parent | 6ab387699a9f23201cf76091d0f7d4ff09fa510e (diff) | |
nixos/acme: Restructure module
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root-owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests

  I thought of a few more cases where things may go wrong, and added tests to cover them. In particular, the web server reload services were depending on the target - which stays alive, meaning that the renewal timer wouldn't be triggering a reload and old certs would stay on the web servers. I encountered some problems ensuring that the reload took place without accidentally triggering it as part of the test. The sync commands I added ended up being essential and I'm not sure why; it seems like either node.succeed ends too early or there's an oddity of the VM's filesystem I'm not aware of.

- Fix duplicate systemd rules on reload services

  Since useACMEHost is not unique to every vhost, if one cert was reused many times it would create duplicate entries in ${server}-config-reload.service for wants, before and ConditionPathExists
Diffstat (limited to 'pkgs/tools/security/minica')
-rw-r--r-- | pkgs/tools/security/minica/default.nix | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/pkgs/tools/security/minica/default.nix b/pkgs/tools/security/minica/default.nix new file mode 100644 index 00000000000..20ae3878a71 --- /dev/null +++ b/pkgs/tools/security/minica/default.nix @@ -0,0 +1,34 @@ +{ lib, buildGoPackage, fetchFromGitHub }: + +buildGoPackage rec { + pname = "minica"; + version = "1.0.2"; + + goPackagePath = "github.com/jsha/minica"; + + src = fetchFromGitHub { + owner = "jsha"; + repo = "minica"; + rev = "v${version}"; + sha256 = "18518wp3dcjhf3mdkg5iwxqr3326n6jwcnqhyibphnb2a58ap7ny"; + }; + + buildFlagsArray = '' + -ldflags= + -X main.BuildVersion=${version} + ''; + + meta = with lib; { + description = "A simple tool for generating self signed certificates."; + longDescription = '' + Minica is a simple CA intended for use in situations where the CA + operator also operates each host where a certificate will be used. It + automatically generates both a key and a certificate when asked to + produce a certificate. + ''; + homepage = "https://github.com/jsha/minica/"; + license = licenses.mit; + maintainers = with maintainers; [ m1cr0man ]; + platforms = platforms.linux ++ platforms.darwin; + }; +} |
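Review bot: the `description` string in the `meta` block ends with a trailing period ("A simple tool for generating self signed certificates."), which nixpkgs meta conventions avoid, and "self signed" should be hyphenated; suggest `description = "Simple tool for generating self-signed certificates";`. Since the commit message says the restructured ACME module relies on this tool to produce its self-signed certificates, it is worth a one-line comment above `src` noting that the build is pinned to the tagged release (`rev = "v${version}"`) with a fixed-output `sha256`, so the CA tool that mints those placeholder certificates is reproducible and cannot change without an explicit hash update.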