diff options
author | Arian van Putten <arian.vanputten@gmail.com> | 2024-06-04 20:07:14 +0200 |
---|---|---|
committer | Arian van Putten <arian.vanputten@gmail.com> | 2024-06-04 20:23:30 +0200 |
commit | f8439331dc74c7f4d1603c510352a07b2771b273 (patch) | |
tree | a206b2f22fee112dd1353f9ca24a1c1a63d39171 /nixos/doc/manual/release-notes/rl-2405.section.md | |
parent | d1f07e63820121bde6b939be7cfafbef2ea9939d (diff) |
doc/release-notes: Add note about backwards compatibility in ACME module
Co-authored-by: Stéphan Kochen <git@stephank.nl>
Diffstat (limited to 'nixos/doc/manual/release-notes/rl-2405.section.md')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2405.section.md | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 072d4d7f779a8..165e3e13a78ef 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -429,6 +429,16 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi - `screen`'s module has been cleaned, and will now require you to set `programs.screen.enable` in order to populate `screenrc` and add the program to the environment. +- `security.acme.defaults.server` now has a default value instead of `null`. + This effectively uses the same server, the Let's Encrypt production server, + but makes the default explicit, instead of relying on the Lego default. + + A side effect of this is that the directory in which account data is stored + changes and the ACME module will request a new account and new certificates + for all domains. This may cause issues if you pin an `acccounturl` in a CAA + DNS record. To avoid this, you + may set `security.acme.defaults.server = null` to keep the old hashes. + - `security.pam.sshAgentAuth.enable` now requires `services.openssh.authorizedKeysFiles` to be non-empty, which is the case when `services.openssh.enable` is true. Previously, `pam_ssh_agent_auth` silently failed to work. |