The previous setup caused all renewal units to be triggered upon
ever so slight changes in config. In larger setups (100+ certificates)
adding a new certificate caused high system load and/or large memory
consumption issues. The memory issues are already a alleviated with
the locking mechanism. However, this then causes long delays upwards
of multiple minutes depending on individual runs and also caused
superfluous activations.
In this change we streamline the overall setup of units:
1. The unit that other services can depend upon is 'acme-{cert}.service'.
We call this the 'base unit'. As this one as `RemainAfterExit` set
the `acme-finished-{cert}` targets are not required any longer.
2. We now always generate initial self-signed certificates to simplify
the dependency structure. This deprecates the `preliminarySelfsigned`
option.
3. The `acme-order-renew-{cert}` service gets activated after the base
unit and services using certificates have started and performs all acme
interactions. When it finishes others services (like web servers) will
be notified through the `reloadServices` option or they can use
`wantedBy` and `after` dependencies if they implement their own reload
units.
The renewal timer also triggers this unit.
4. The timer unit is explicitly blocked from being started by s-t-c.
5. Permission management has been cleaned up a bit: there was an
inconsistency between having the .lego files set to 600 vs 640
on the exposed side. This is unified to 640 now.
6. Exempt the account target from being restarted by s-t-c. This will
happen automatically if something relevant to the account changes.
Allow `services.caddy.virtualHosts.<name>.logFormat` to be null, and in
that case, do not add a `log {}` block to the Caddy configuration. This
makes it possible to have multiple loggers declared in the global
configuration, and instruct Caddy to use a logger by name.
Signed-off-by: Gergely Nagy <me@gergo.csillger.hu>
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.
Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.
A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.
This commit was automatically created and can be verified using
nix-build a08b3a4d19.tar.gz \
--argstr baseRev b32a094368
result/bin/apply-formatting $NIXPKGS_PATH
Relax dependency with certs that are validated via DNS challenge since
we know the HTTP server is not required for that validation.
This allows marking the server's service as depending on the cert.
Otherwise, setting services.caddy.enableReload to false fails in a very bad fashion:
The reload command still gets executed, but fails:
```
Apr 26 21:23:01 n1-rk1 systemd[1]: Reloading Caddy...
Apr 26 21:23:01 n1-rk1 caddy[70793]: {"level":"info","ts":1714166581.733018,"msg":"using provided configuration","config_file":"/etc/caddy/caddy_config","config_adapter":"caddyfile"}
Apr 26 21:23:01 n1-rk1 caddy[70793]: {"level":"warn","ts":1714166581.7353032,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/caddy_config","line":3}
Apr 26 21:23:01 n1-rk1 caddy[70793]: Error: sending configuration to instance: performing request: Post "http://localhost:2019/load": dial tcp [::1]:2019: connect: connection refused
Apr 26 21:23:01 n1-rk1 systemd[1]: caddy.service: Control process exited, code=exited, status=1/FAILURE
Apr 26 21:23:01 n1-rk1 systemd[1]: Reload failed for Caddy.
```
… and the server is not restarted either, as a ExecReload= command is
specified.
Fix this, by only setting ExecReload if the reload exists.
The first empty string is still necessary to reset the old option.
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
This solves an issue, where loading the nixos-unstable module in
nixos-stable using `disabledModules` and `imports` resulted in the
following Caddyfile:
```
<globalConfig>
<vhosts>
<extraConfig>
```
instead of
```
<globalConfig>
<extraConfig>
<vhosts>
```
This is important in cases where `cfg.extraConfig` contains so called
Caddyfile snippets.
See https://caddyserver.com/docs/caddyfile/concepts#structure
Co-authored-by: Lin Jian <me@linj.tech>
The nixos/caddy module is somewhat old by now
and has undergone quite some refactors.
This specific module option (originally named
`ca`) used to make a bit more sense when
Caddy did not have multiple ACME CAs as
fallback (LE & ZeroSSL) by configured by
default yet (ZeroSSL came with v2.3.0).
I also rephrased the description slightly,
to mention Caddy's automatic issuer fallback
and a note which this option maps to in the
Caddyfile, to provide a bit more context and
a more up-to-date recommendation.
Specifically that "fine-grained configuration"
section comes from a time when this module did
some custom tls/issuer config json merging
with the templated Caddyfile using `jq`.
The "The URL to the ACME CA's directory"
section is a word-for-word copy from the
official Caddy docs, which also include a link
to LE's docs to the referenced staging
endpoint. So I added that as well.
The nixos module uses `caddy fmt` to *format* the generated Caddyfile.
v2.6.3 slightly altered `caddy fmt`'s behavior.
Excerpt from https://github.com/caddyserver/caddy/releases/tag/v2.6.3
> cmd: caddy fmt return code is 1 if not formatted
> cmd: fmt exit successfully after overwriting config file
Which is why the internal `Caddyfile-formatted` now uses `cp` and `caddy fmt --overwrite` instead
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
This patch follows an upstream commit[1].
Before this patch, if acme module is used, caddy will still use an old
cert even a new one is available. The cause is that without --force
flag, caddy will not reload an unchanged config.
Refer to that commit[1] message for more information.
[1]: 979e498d6d
Before this patch, the caddy process has acme in its supplementary
group because of the SupplementaryGroups in its service config, which
may give it more permission than needed, is inconsistent with the
documentation of services.caddy.virtualHosts.<name>.useACMEHost and is
redundant since we have mkCertOwnershipAssertion in assertions.
This patch fixes these problems by defaulting the group of needed
certs to caddy, which is what other web servers like nginx do and
deleting SupplementaryGroups config.
