diff options
author | Jan Tojnar <jtojnar@gmail.com> | 2018-01-29 01:38:45 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-01-29 01:38:45 +0100 |
commit | 0f21306ca3af2bc94a452ac8c414cdbe36703be2 (patch) | |
tree | 55f82a7bc50b4f281812089523b88124a3e7524b /nixos/modules/services/web-servers | |
parent | 47d0a11a60c18a396f5fec8d36f9a88ca5dd9198 (diff) | |
parent | 41d252d7a4be12db7cec5a47468cee1024525eca (diff) | |
download | nixlib-0f21306ca3af2bc94a452ac8c414cdbe36703be2.tar nixlib-0f21306ca3af2bc94a452ac8c414cdbe36703be2.tar.gz nixlib-0f21306ca3af2bc94a452ac8c414cdbe36703be2.tar.bz2 nixlib-0f21306ca3af2bc94a452ac8c414cdbe36703be2.tar.lz nixlib-0f21306ca3af2bc94a452ac8c414cdbe36703be2.tar.xz nixlib-0f21306ca3af2bc94a452ac8c414cdbe36703be2.tar.zst nixlib-0f21306ca3af2bc94a452ac8c414cdbe36703be2.zip |
Merge pull request #33900 from jtojnar/nginx-acme
nixos/nginx: allow using existing ACME certificate
Diffstat (limited to 'nixos/modules/services/web-servers')
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 19 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/vhost-options.nix | 16 |
2 files changed, 30 insertions, 5 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 2951e63e863e..100fabf902f8 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -15,6 +15,9 @@ let } // (optionalAttrs vhostConfig.enableACME { sslCertificate = "/var/lib/acme/${serverName}/fullchain.pem"; sslCertificateKey = "/var/lib/acme/${serverName}/key.pem"; + }) // (optionalAttrs (vhostConfig.useACMEHost != null) { + sslCertificate = "/var/lib/acme/${vhostConfig.useACMEHost}/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/${vhostConfig.useACMEHost}/key.pem"; }) ) cfg.virtualHosts; enableIPv6 = config.networking.enableIPv6; @@ -174,7 +177,7 @@ let redirectListen = filter (x: !x.ssl) defaultListen; - acmeLocation = '' + acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) '' location /.well-known/acme-challenge { ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"} root ${vhost.acmeRoot}; @@ -194,7 +197,7 @@ let ${concatMapStringsSep "\n" listenString redirectListen} server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases}; - ${optionalString vhost.enableACME acmeLocation} + ${acmeLocation} location / { return 301 https://$host$request_uri; } @@ -204,7 +207,7 @@ let server { ${concatMapStringsSep "\n" listenString hostListen} server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases}; - ${optionalString vhost.enableACME acmeLocation} + ${acmeLocation} ${optionalString (vhost.root != null) "root ${vhost.root};"} ${optionalString (vhost.globalRedirect != null) '' return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri; @@ -555,6 +558,14 @@ in are mutually exclusive. ''; } + + { + assertion = all (conf: !(conf.enableACME && conf.useACMEHost != null)) (attrValues virtualHosts); + message = '' + Options services.nginx.service.virtualHosts.<name>.enableACME and + services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive. + ''; + } ]; systemd.services.nginx = { @@ -580,7 +591,7 @@ in security.acme.certs = filterAttrs (n: v: v != {}) ( let vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts; - acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME) vhostsConfigs; + acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs; acmePairs = map (vhostConfig: { name = vhostConfig.serverName; value = { user = cfg.user; group = lib.mkDefault cfg.group; diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index 29f08cc4f307..bf18108a1a3c 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -48,7 +48,21 @@ with lib; enableACME = mkOption { type = types.bool; default = false; - description = "Whether to ask Let's Encrypt to sign a certificate for this vhost."; + description = '' + Whether to ask Let's Encrypt to sign a certificate for this vhost. + Alternately, you can use an existing certificate through <option>useACMEHost</option>. + ''; + }; + + useACMEHost = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + A host of an existing Let's Encrypt certificate to use. + This is useful if you have many subdomains and want to avoid hitting the + <link xlink:href="https://letsencrypt.org/docs/rate-limits/">rate limit</link>. + Alternately, you can generate a certificate through <option>enableACME</option>. + ''; }; acmeRoot = mkOption { |