nixos/acme: Update docs, use assert more effectively

2024-11-01 07:01:54 +00:00 · 2020-09-04 20:28:46 +01:00 · 2020-09-04 20:28:46 +01:00 · f57824c915
commit f57824c915
parent 67a5d660cb
3 changed files with 28 additions and 4 deletions
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@ -394,6 +394,20 @@ php.override {

     </para>
   </listitem>
+   <listitem>
+    <para>
+     The ACME module has been overhauled for simplicity and maintainability.
+     Cert generation now implicitly uses the <literal>acme</literal>
+     user, and the <literal>security.acme.certs._name_.user</literal> option
+     has been removed. Instead, certificate access from other services is now
+     managed through group permissions. The module no longer runs lego
+     twice under certain conditions, and will correctly renew certificates if
+     their configuration is changed. Services which reload nginx and httpd after
+     certificate renewal are now properly configured too so you no longer have
+     to do this manually if you are using HTTPS enabled virtual hosts. A mechanism
+     for regenerating certs on demand has also been added and documented.
+    </para>
+   </listitem>
   <listitem>
     <para>
      Gollum received a major update to version 5.x and you may have to change
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme.xml
@ -251,4 +251,16 @@ chmod 400 /var/lib/secrets/certs.secret
   journalctl -fu acme-example.com.service</literal> and watching its log output.
  </para>
 </section>
+ <section xml:id="module-security-acme-regenerate">
+  <title>Regenerating certificates</title>
+
+  <para>
+   Should you need to regenerate a particular certificate in a hurry, such
+   as when a vulnerability is found in Let's Encrypt, there is now a convenient
+   mechanism for doing so. Running <literal>systemctl clean acme-example.com.service</literal>
+   will remove all certificate files for the given domain, allowing you to then
+   <literal>systemctl start acme-example.com.service</literal> to generate fresh
+   ones.
+  </para>
+ </section>
 </chapter>
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@ -218,8 +218,7 @@ in import ./make-test-python.nix ({ lib, ... }: {


      def check_connection(node, domain, retries=3):
-          if retries == 0:
-              assert False
+          assert retries >= 0

          result = node.succeed(
              "openssl s_client -brief -verify 2 -CAfile /tmp/ca.crt"
@ -233,8 +232,7 @@ in import ./make-test-python.nix ({ lib, ... }: {


      def check_connection_key_bits(node, domain, bits, retries=3):
-          if retries == 0:
-              assert False
+          assert retries >= 0

          result = node.succeed(
              "openssl s_client -CAfile /tmp/ca.crt"