Split tests up based on certain use cases:
- http01-builtin: Tests most functionality of the core module, such
as the systemd and hashing components, whilst utilising lego's built-in
http01 resolution mechanism.
- dns01: Tests only that DNS01 renewal works as expected.
- nginx: Tests nginx compatibility
- httpd: Tests httpd compatibility
- caddy: Tests caddy compatibility

Over time, we added a lot of setup services to the ACME module, namely:
- acme-selfsigned-ca.service: Creates the selfsigned CA certificates
used to generate selfsigned certs for each configured cert.
- acme-fixperms.service: Ensures permissions correctness on certs after
system configuration changes.
- acme-lockfiles.service: Create lockfiles used to implement
maxConcurrentRenewals.
These numerous setup services complicated the dependency chain for any
cert renewal, and also made it difficult to track responsibility for
specific setup steps, for example, creating /var/lib/acme or setting
permissions of shared folders.
This change proposes a new acme-setup.service which encapsulates the
functionality of the previous 3 services into one. The service is still
defined in 3 separate chunks (using lib.mkMerge) which allows us to
keep a logical separation between each step and preserve some
optionality in the features.
The result is a generally simplified definition of systemd unit
dependencies and an obvious entrypoint for future setup extensions.

Without this fix, if `config.services.vault.package` is set to e.g.
`vault-bin` (instead of the `vault` default), then `ExecStart` gets
improperly generated without the `agent` positional argument because
`vault-bin` did not match `vault`, and the command for the `consul`
flavor gets generated instead.
To fix this, we can look at the `flavor` argument instead of the package
name.

Enabling HSTS "just by default" when a module user requests HTTPS support to be enabled is prone to creating kind of DoS scenarios. This commit at least informs module users about this.

This lets us remove an assertion, because `pathWith` can require that a
file not be in the store.
Note that the old assertion didn't quite do what we wanted: it prevented
you from using top level store paths (such as
`/nix/store/gg8578vvbcf1wpqvk85bigi5s4pvylkk-test-certificates`), but was
ok with sub-files (such as
`/nix/store/gg8578vvbcf1wpqvk85bigi5s4pvylkk-test-certificates/intermediate-password-file`).
Now that we're stricter, we need some way to populate
`intermediatePasswordFile` in our test without making the type unhappy.
I opted to solve that by creating a file in `/etc`.

By enabling this module, the ftdi system group is created and udev
rules from the libftdi package are enabled. Read/write access is
granted to the members of the ftdi group and to seat sessions.
Signed-off-by: Felix Singer <felixsinger@posteo.net>

`uwsgi_pass` uses the uwsgi protocol instead of the HTTP protocol
(that's what `proxy_pass` is for). Also, the source IP is already
derived from the REMOTE_ADDR param that's specified by the uwsgi
defaults from nginx, similarly to how it's done for fcgi.
Hence, removing that since it seems not necessary (and perhaps even
wrong).

`mlkem768x25519-sha256` and the vendor-neutral `sntrup761x25519-sha512`
name are new in OpenSSH 9.9 <https://www.openssh.com/txt/release-9.9>
Co-authored-by: Mynacol <Mynacol@users.noreply.github.com>