| author | IndeedNotJames <git@indeednotjames.com> | 2023-06-05 17:59:08 +0200 |
|---|---|---|
| committer | emilylange <git@emilylange.de> | 2023-06-10 13:59:10 +0200 |
| commit | 3f93ec5814547ea75c709058dae0a14c17c98758 (patch) | |
| tree | ba5c1e5e0c4f50bdfb89209a3ac8ac34a02ad469 /nixos/modules | |
| parent | 5233b6d09b1bf2db66230e60cf08404b01db7b31 (diff) | |
nixos/caddy: change `acmeCA` default to `null`
The nixos/caddy module is somewhat old by now and has undergone quite some refactors. This specific module option (originally named `ca`) used to make a bit more sense when Caddy did not have multiple ACME CAs as fallback (LE & ZeroSSL) configured by default yet (ZeroSSL came with v2.3.0). I also rephrased the description slightly, to mention Caddy's automatic issuer fallback and to add a note on what this option maps to in the Caddyfile, to provide a bit more context and a more up-to-date recommendation. Specifically, that "fine-grained configuration" section comes from a time when this module did some custom tls/issuer config JSON merging with the templated Caddyfile using `jq`. The "The URL to the ACME CA's directory" section is a word-for-word copy from the official Caddy docs, which also include a link to LE's docs for the referenced staging endpoint. So I added that as well.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/web-servers/caddy/default.nix | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/nixos/modules/services/web-servers/caddy/default.nix b/nixos/modules/services/web-servers/caddy/default.nix index f5a9cfac5d77..b253a04150d7 100644 --- a/nixos/modules/services/web-servers/caddy/default.nix +++ b/nixos/modules/services/web-servers/caddy/default.nix @@ -245,15 +245,23 @@ in }; acmeCA = mkOption { - default = "https://acme-v02.api.letsencrypt.org/directory"; - example = "https://acme-staging-v02.api.letsencrypt.org/directory"; + default = null; + example = "https://acme-v02.api.letsencrypt.org/directory"; type = with types; nullOr str; description = lib.mdDoc '' + ::: {.note} + Sets the [`acme_ca` option](https://caddyserver.com/docs/caddyfile/options#acme-ca) + in the global options block of the resulting Caddyfile. + ::: + The URL to the ACME CA's directory. It is strongly recommended to set - this to Let's Encrypt's staging endpoint for testing or development. + this to `https://acme-staging-v02.api.letsencrypt.org/directory` for + Let's Encrypt's [staging endpoint](https://letsencrypt.org/docs/staging-environment/) + while testing or in development. - Set it to `null` if you want to write a more - fine-grained configuration manually. + Value `null` should be prefered for production setups, + as it omits the `acme_ca` option to enable + [automatic issuer fallback](https://caddyserver.com/docs/automatic-https#issuer-fallback). ''; }; |
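Review bot: the added description line `+ Value \`null\` should be prefered for production setups,` has a spelling error; it should read "preferred". Since this hunk also changes the option's default from the explicit Let's Encrypt production directory to `null`, existing configurations that never set `acmeCA` will now emit no `acme_ca` line and pick up Caddy's automatic issuer fallback (ZeroSSL, per the commit message) instead of talking only to Let's Encrypt; a short release-notes entry describing that default change would help operators who audit which CA their deployments may obtain certificates from.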