The original example is not a good example: `pkgs.cacert` does not need to appear in `security.pki.certificateFiles`; instead, `certificateFiles` will eventually override the input of pkgs.cacert to build the final `caBundle`. Replacing the example with DN42 will both remind users that we are now packaging DN42's root certificates and eliminate the confusion in the previous example.
Fuse is still enabled by default so the default behaviour of NixOS
doesn't change. However, now it's possible to actively exclude fuse when
you don't need it.
Makes the audit module responsible for setting up the audit subsystem of
the kernel. The auditd module is now only responsible for setting up the
daemon.
Enable the audit subsystem early via kernelParams.
Increase the default audit backlog limit so that it works out of the box
for a normal system.
Remove a superfluous and pointless test case.
The previous setup caused all renewal units to be triggered upon
ever so slight changes in config. In larger setups (100+ certificates)
adding a new certificate caused high system load and/or large memory
consumption issues. The memory issues are already alleviated with
the locking mechanism. However, this then causes long delays upwards
of multiple minutes depending on individual runs and also caused
superfluous activations.
In this change we streamline the overall setup of units:
1. The unit that other services can depend upon is 'acme-{cert}.service'.
We call this the 'base unit'. As this one has `RemainAfterExit` set
the `acme-finished-{cert}` targets are not required any longer.
2. We now always generate initial self-signed certificates to simplify
the dependency structure. This deprecates the `preliminarySelfsigned`
option.
3. The `acme-order-renew-{cert}` service gets activated after the base
unit and services using certificates have started and performs all acme
interactions. When it finishes other services (like web servers) will
be notified through the `reloadServices` option or they can use
`wantedBy` and `after` dependencies if they implement their own reload
units.
The renewal timer also triggers this unit.
4. The timer unit is explicitly blocked from being started by s-t-c.
5. Permission management has been cleaned up a bit: there was an
inconsistency between having the .lego files set to 600 vs 640
on the exposed side. This is unified to 640 now.
6. Exempt the account target from being restarted by s-t-c. This will
happen automatically if something relevant to the account changes.
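The unit layout described in the message above, as an added NixOS configuration example (not code from the nixpkgs commit itself): one service consumes the certificate through `reloadServices`, another depends on the base unit and ships its own reload unit hooked on the order/renew unit. `example.org`, `my-daemon` and the daemon's binary path are placeholders.

```nix
# Added example, not part of the nixpkgs commit: a NixOS configuration
# consuming a certificate under the restructured ACME units.
# "example.org", "my-daemon" and /path/to/my-daemon are placeholders.
{ config, pkgs, ... }:
let
  certDir = config.security.acme.certs."example.org".directory;
in
{
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "admin@example.org";   # placeholder

  security.acme.certs."example.org" = {
    webroot = "/var/lib/acme/acme-challenge";
    group = "nginx";
    # Reloaded by acme-order-renew-example.org.service once an order or
    # renewal succeeds; no acme-finished-* target is needed any more.
    reloadServices = [ "nginx.service" ];
  };

  services.nginx = {
    enable = true;
    virtualHosts."example.org" = {
      useACMEHost = "example.org";
      forceSSL = true;
    };
  };

  # A daemon that must find certificate files at start-up: order it after
  # the base unit. The base unit has RemainAfterExit set and an initial
  # self-signed certificate is always generated, so the files exist.
  systemd.services.my-daemon = {
    wants = [ "acme-example.org.service" ];
    after = [ "acme-example.org.service" "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStart = "/path/to/my-daemon --cert ${certDir}/fullchain.pem --key ${certDir}/key.pem";
      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
    };
  };

  # Own reload unit instead of reloadServices: pulled in by, and ordered
  # after, the order/renew unit, so it runs whenever a renewal completes.
  systemd.services.my-daemon-reload = {
    wantedBy = [ "acme-order-renew-example.org.service" ];
    after = [ "acme-order-renew-example.org.service" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.systemd}/bin/systemctl reload my-daemon.service";
    };
  };
}
```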
This ensures the wrapper setup service has permissions
to create suid/sgid files, even if `DefaultRestrictSUIDSGID`
is set in system.conf. `DefaultRestrictSUIDSGID` is
a new feature coming in systemd 258 [1].
[1] https://github.com/systemd/systemd/pull/38126
Since there are now variants of tpm2-pkcs11 with and without ABRMD
support (for the kernel resource manager), ensure we pick the correct
default.
Fixes an accidental backwards incompatibility with the module.