public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/acme: execute a single lego command

Browse Source 
Stop trying to execute `lego renew` if that is not necessary.

Fix #86184.
This commit is contained in:
datafoo 2020-06-18 16:02:47 +02:00
parent 9480bae337
commit cc37d7edd7
1 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
nixos/modules/security/acme.nix
View File

@ -302,6 +302,11 @@ in
lpath = "acme/${cert}"; lpath = "acme/${cert}";
apath = "/var/lib/${lpath}"; apath = "/var/lib/${lpath}";
spath = "/var/lib/acme/.lego/${cert}"; spath = "/var/lib/acme/.lego/${cert}";
keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
requestedDomains = pipe ([ data.domain ] ++ (attrNames data.extraDomains)) [
(domains: sort builtins.lessThan domains)
(domains: concatStringsSep "," domains)
];
fileMode = if data.allowKeysForGroup then "640" else "600"; fileMode = if data.allowKeysForGroup then "640" else "600";
globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ] globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
++ optionals (cfg.acceptTerms) [ "--accept-tos" ] ++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
@ -316,6 +321,7 @@ in
certOpts ++ data.extraLegoRenewFlags); certOpts ++ data.extraLegoRenewFlags);
acmeService = { acmeService = {
description = "Renew ACME Certificate for ${cert}"; description = "Renew ACME Certificate for ${cert}";
path = with pkgs; [ openssl ];
after = [ "network.target" "network-online.target" ]; after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
wantedBy = mkIf (!config.boot.isContainer) [ "multi-user.target" ]; wantedBy = mkIf (!config.boot.isContainer) [ "multi-user.target" ];
@ -332,11 +338,18 @@ in
ExecStart = pkgs.writeScript "acme-start" '' ExecStart = pkgs.writeScript "acme-start" ''
#!${pkgs.runtimeShell} -e #!${pkgs.runtimeShell} -e
test -L ${spath}/accounts -o -d ${spath}/accounts || ln -s ../accounts ${spath}/accounts test -L ${spath}/accounts -o -d ${spath}/accounts || ln -s ../accounts ${spath}/accounts
${pkgs.lego}/bin/lego ${renewOpts} || ${pkgs.lego}/bin/lego ${runOpts} LEGO_ARGS=(${runOpts})
if [ -e ${spath}/certificates/${keyName}.crt ]; then
REQUESTED_DOMAINS="${requestedDomains}"
EXISTING_DOMAINS="$(openssl x509 -in ${spath}/certificates/${keyName}.crt -noout -ext subjectAltName | tail -n1 | sed -e 's/ *DNS://g')"
if [ "''${REQUESTED_DOMAINS}" == "''${EXISTING_DOMAINS}" ]; then
LEGO_ARGS=(${renewOpts})
fi
fi
${pkgs.lego}/bin/lego ''${LEGO_ARGS[@]}
''; '';
ExecStartPost = ExecStartPost =
let let
keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
script = pkgs.writeScript "acme-post-start" '' script = pkgs.writeScript "acme-post-start" ''
#!${pkgs.runtimeShell} -e #!${pkgs.runtimeShell} -e
cd ${apath} cd ${apath}