author: Lucas Savva <lucas@m1cr0man.com> 2020-06-19 20:27:46 +0100
committer: Lucas Savva <lucas@m1cr0man.com> 2020-09-02 19:22:43 +0100
commit: 982c5a1f0e7f282f856391304aa4da7bb36c45b8
tree: 4cf0e93b6cd4e1ae2371c0d9184fca87ae8e43ca /pkgs/tools/security/minica
parent: 6ab387699a9f23201cf76091d0f7d4ff09fa510e
nixos/acme: Restructure module
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests

I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.

I encountered some problems ensuring that the reload took place
without accidentally triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.

- Fix duplicate systemd rules on reload services

Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
Diffstat (limited to 'pkgs/tools/security/minica')
-rw-r--r-- pkgs/tools/security/minica/default.nix | 34
1 files changed, 34 insertions, 0 deletions
diff --git a/pkgs/tools/security/minica/default.nix b/pkgs/tools/security/minica/default.nix
new file mode 100644
index 00000000000..20ae3878a71
--- /dev/null
+++ b/pkgs/tools/security/minica/default.nix
@@ -0,0 +1,34 @@
+{ lib, buildGoPackage, fetchFromGitHub }:
+
+buildGoPackage rec {
+  pname = "minica";
+  version = "1.0.2";
+
+  goPackagePath = "github.com/jsha/minica";
+
+  src = fetchFromGitHub {
+    owner = "jsha";
+    repo = "minica";
+    rev = "v${version}";
+    sha256 = "18518wp3dcjhf3mdkg5iwxqr3326n6jwcnqhyibphnb2a58ap7ny";
+  };
+
+  buildFlagsArray = ''
+    -ldflags=
+      -X main.BuildVersion=${version}
+  '';
+
+  meta = with lib; {
+    description = "A simple tool for generating self signed certificates.";
+    longDescription = ''
+      Minica is a simple CA intended for use in situations where the CA
+      operator also operates each host where a certificate will be used. It
+      automatically generates both a key and a certificate when asked to
+      produce a certificate.
+    '';
+    homepage = "https://github.com/jsha/minica/";
+    license = licenses.mit;
+    maintainers = with maintainers; [ m1cr0man ];
+    platforms = platforms.linux ++ platforms.darwin;
+  };
+}
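Review bot: The `buildFlagsArray` value (from `+  buildFlagsArray = ''` to `+  '';`) splits one linker argument across two lines, so the shell sees a single element whose text is `-ldflags=` followed by a newline and `-X main.BuildVersion=1.0.2`; it only works because the Go linker re-splits the `-ldflags` value on whitespace. Writing it on one line, `buildFlagsArray = ''-ldflags=-X main.BuildVersion=${version}'';`, says what is meant and survives future whitespace edits. Also confirm that upstream's `main` package actually declares a `BuildVersion` variable: the linker ignores an `-X` for a symbol that does not exist, so a mismatch would leave the binary reporting no version without any build failure. On the `meta` block, nixpkgs convention is a `description` without a trailing period, and "self-signed" (hyphenated) would match the usual spelling.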