nixos/acme: update release notes and documentation

2025-08-08 15:31:58 +02:00 · 2025-08-08 15:31:58 +02:00 · 2c111ce343
commit 2c111ce343
parent 98ecc9035d
3 changed files with 26 additions and 0 deletions
--- a/nixos/doc/manual/redirects.json
+++ b/nixos/doc/manual/redirects.json
@ -1468,6 +1468,9 @@
  "module-security-acme-fix-jws": [
    "index.html#module-security-acme-fix-jws"
  ],
+  "module-security-acme-reload-dependencies": [
+    "index.html#module-security-acme-reload-dependencies"
+  ],
  "module-programs-zsh-ohmyzsh": [
    "index.html#module-programs-zsh-ohmyzsh"
  ],
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@ -165,6 +165,21 @@

 - `services.gitea` supports sending notifications with sendmail again. To do this, activate the parameter `services.gitea.mailerUseSendmail` and configure SMTP server.

+- Revamp of the ACME certificate acquisication and renewal process to help scale systems with lots (100+) of certificates.
+
+  Units and targets have been reshaped to better support more specific dependency propagation and avoid
+  superfluously triggering unchanged units:
+
+  If a service requires a syntactically valid certificate to start it should now depend on the `acme-{certname}.service` unit.
+
+  We now always generate initial self-signed certificates as this drastically simplifies the dependency structure. As a result, the option `security.acme.preliminarySelfsigned` has been removed.
+
+  Instead of the previous `acme-finished-{certname}.target`s there are now `acme-order-renew-{certname}.service`s that will be activated
+  in a delayed fashion to ensure that bootstrapping with servers like nginx that take part in the acquisition/renewal process works
+  smoothly. Dependencies on `acme-finished` units should move to `acme-order-renew`.
+
+  Note that system activation will complete before all certificates may have been renewed or acquired.
+
 - `libvirt` now supports using `nftables` backend.

 - `systemd.extraConfig` and `boot.initrd.systemd.extraConfig` was converted to RFC42-style `systemd.settings.Manager` and `boot.initrd.systemd.settings.Manager` respectively.
--- a/nixos/modules/security/acme/default.md
+++ b/nixos/modules/security/acme/default.md
@ -376,3 +376,11 @@ systemd-tmpfiles --create
 # Note: Do this for all certs that share the same account email address
 systemctl start acme-example.com.service
 ```
+
+## Ensuring dependencies for services that need to be reloaded when a certificate challenges {#module-security-acme-reload-dependencies}
+
+Services that depend on ACME certificates and need to be reloaded can use one of two approaches to reload upon successfull certificate acquisition or renewal:
+
+1. **Using the `security.acme.certs.<name>.reloadServices` option**: This will cause `systemctl try-reload-or-restart` to be run for the listed services.
+
+2. **Using a separate reload unit**: if you need perform more complex actions you can implement a separate reload unit but need to ensure that it lists the `acme-renew-<name>.service` unit both as `wantedBy` AND `after`. See the nginx module implementation with its `nginx-config-reload` service.