-rw-r--r-- | hosts/ahmed/local-dns/certificates.nix | 25 | ||||
-rw-r--r-- | hosts/ahmed/nginx/default.nix | 1 |
2 files changed, 26 insertions, 0 deletions
diff --git a/hosts/ahmed/local-dns/certificates.nix b/hosts/ahmed/local-dns/certificates.nix
index 25784c1..4d74224 100644
--- a/hosts/ahmed/local-dns/certificates.nix
+++ b/hosts/ahmed/local-dns/certificates.nix
@@ -24,6 +24,31 @@
 dnsPropagationCheck = true;
 domain = "*.${config.linus.local-dns.domain}";
+ # To avoid the following cyclical ordering, we want this certificate to
+ # be under a different account, as defined by the account hash (which
+ # includes email).
+ #
+ # 1. `nginx.service` is ordered before `acme-rumpenettet.linus.onl.service`
+ # because NGINX hard crashes when certificates are missing.
+ # 2. `acme-rumpenettet.linus.onl.service` ordered before
+ # `acme-account-….target` because it is part of the account and not the
+ # chosen group leader.
+ # 3. `acme-account-….target` is ordered after
+ # `acme-git.linus.onl.service` because it is the group leader.
+ # 4. `nginx.service` is ordered before `acme-*.service` because it has to
+ # be online for the challenge to work.
+ #
+ # So the issue ony arises because we have a DNS-01 certificate and a
+ # HTTP-01 certificate linked (ordering whise) by the account target. And
+ # those different types of certificates are ordered before/after NGINX
+ # respectively.
+ #
+ # We break the cycle by making the DNS certificate part of a different
+ # account. In the future, a more elegant solution might be to use the
+ # same selfsigned trick that NGINX already uses for certificates with
+ # HTTP-01 validation.
+ email = "linusvejlo+${config.networking.hostName}[email protected]";
+ group = config.services.nginx.group;
 reloadServices = ["nginx"];
 };
diff --git a/hosts/ahmed/nginx/default.nix b/hosts/ahmed/nginx/default.nix
index 55e6925..ce86e81 100644
--- a/hosts/ahmed/nginx/default.nix
+++ b/hosts/ahmed/nginx/default.nix
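Review bot: `group = config.services.nginx.group;` makes the private key of this wildcard certificate (`domain = "*.${config.linus.local-dns.domain}"`) readable by every process running in the nginx group, yet the long comment above it only explains the email change; a one-line reason next to it would help, e.g. `# NGINX must read the key to serve it; note this exposes the wildcard key to the whole nginx group.` The distinct email presumably also means a distinct ACME account key is registered with the CA and that expiry notices for this certificate go to the per-host alias rather than `defaults.email` — worth stating here, since the NOTE added in `nginx/default.nix` only says the email differs. Two typos in the added comment: `ony` → `only`, `whise` → `wise`.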
@@ -10,6 +10,7 @@ # Configure ACME. This is used by various HTTP services through the NGINX virtual hosts. security.acme = { acceptTerms = true; + # NOTE: The certificate in `local-dns/certficates.nix` uses a different email! defaults.email = "linusvejlo+${config.networking.hostName}[email protected]"; }; |
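Review bot: The added NOTE points at `local-dns/certficates.nix`, but the file changed in this commit is `local-dns/certificates.nix`; the misspelled path will send a reader looking for a file that does not exist. It also omits why the email differs, which is exactly the detail a later maintainer is likely to "fix" by unifying it with `defaults.email`; suggest `# NOTE: local-dns/certificates.nix deliberately uses a different email (separate ACME account) to break a systemd ordering cycle — do not unify.`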