caddy service: add options to change ACME certificate authority (#16969)

and agree to let's encrypt subscriber agreement

1 files changed, 21 insertions, 5 deletions

diff --git a/nixos/modules/services/web-servers/caddy.nix b/nixos/modules/services/web-servers/caddy.nix
index b84431373bd1..0666dfddaffd 100644
--- a/nixos/modules/services/web-servers/caddy.nix
+++ b/nixos/modules/services/web-servers/caddy.nix
@@ -14,12 +14,26 @@ in
       description = "Verbatim Caddyfile to use";
     };
 
+    ca = mkOption {
+      default = "https://acme-v01.api.letsencrypt.org/directory";
+      example = "https://acme-staging.api.letsencrypt.org/directory";
+      type = types.string;
+      description = "Certificate authority ACME server. The default (Let's Encrypt production server) should be fine for most people.";
+    };
+
     email = mkOption {
       default = "";
       type = types.string;
       description = "Email address (for Let's Encrypt certificate)";
     };
 
+    agree = mkOption {
+      default = false;
+      example = true;
+      type = types.bool;
+      description = "Agree to Let's Encrypt Subscriber Agreement";
+    };
+
     dataDir = mkOption {
       default = "/var/lib/caddy";
       type = types.path;
@@ -33,11 +47,13 @@ in
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
-        ExecStart = "${pkgs.caddy.bin}/bin/caddy -conf=${configFile} -email=${cfg.email}";
-	Type = "simple";
-	User = "caddy";
-	Group = "caddy";
-	AmbientCapabilities = "cap_net_bind_service";
+        ExecStart = ''${pkgs.caddy.bin}/bin/caddy -conf=${configFile} \
+          -ca=${cfg.ca} -email=${cfg.email} ${optionalString cfg.agree "-agree"}
+        '';
+        Type = "simple";
+        User = "caddy";
+        Group = "caddy";
+        AmbientCapabilities = "cap_net_bind_service";
       };
     };