mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-10-16 09:28:35 +03:00
982c5a1f0e
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests
I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.
I encountered some problems ensuring that the reload took place
without accidently triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.
- Fix duplicate systemd rules on reload services
Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
35 lines
968 B
Nix
35 lines
968 B
Nix
{ lib, buildGoPackage, fetchFromGitHub }:
|
|
|
|
buildGoPackage rec {
|
|
pname = "minica";
|
|
version = "1.0.2";
|
|
|
|
goPackagePath = "github.com/jsha/minica";
|
|
|
|
src = fetchFromGitHub {
|
|
owner = "jsha";
|
|
repo = "minica";
|
|
rev = "v${version}";
|
|
sha256 = "18518wp3dcjhf3mdkg5iwxqr3326n6jwcnqhyibphnb2a58ap7ny";
|
|
};
|
|
|
|
buildFlagsArray = ''
|
|
-ldflags=
|
|
-X main.BuildVersion=${version}
|
|
'';
|
|
|
|
meta = with lib; {
|
|
description = "A simple tool for generating self signed certificates.";
|
|
longDescription = ''
|
|
Minica is a simple CA intended for use in situations where the CA
|
|
operator also operates each host where a certificate will be used. It
|
|
automatically generates both a key and a certificate when asked to
|
|
produce a certificate.
|
|
'';
|
|
homepage = "https://github.com/jsha/minica/";
|
|
license = licenses.mit;
|
|
maintainers = with maintainers; [ m1cr0man ];
|
|
platforms = platforms.linux ++ platforms.darwin;
|
|
};
|
|
}
|