diff options
author | Martin Weinelt <mweinelt@users.noreply.github.com> | 2023-06-12 22:40:54 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-06-12 22:40:54 +0200 |
commit | 104455784c3fd6682f381cd4b0b476835164f92a (patch) | |
tree | 5a541dd38f0bef40d656d09b0bee6b8dfc71f4c6 /nixos | |
parent | fa3731b3fd47ba18ab0d1a380099df406f7a0d0b (diff) | |
parent | 93b9fc8ac0ecf51c393ecafe73ba80277c700165 (diff) | |
download | nixlib-104455784c3fd6682f381cd4b0b476835164f92a.tar nixlib-104455784c3fd6682f381cd4b0b476835164f92a.tar.gz nixlib-104455784c3fd6682f381cd4b0b476835164f92a.tar.bz2 nixlib-104455784c3fd6682f381cd4b0b476835164f92a.tar.lz nixlib-104455784c3fd6682f381cd4b0b476835164f92a.tar.xz nixlib-104455784c3fd6682f381cd4b0b476835164f92a.tar.zst nixlib-104455784c3fd6682f381cd4b0b476835164f92a.zip |
Merge pull request #219791 from emilylange/nixos-caddy
nixos/caddy: change `acmeCA` default to `null`, omit empty `bind` directive
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2311.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/caddy/default.nix | 20 |
2 files changed, 16 insertions, 6 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index bc10f5b587c7..a86961de6719 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -30,6 +30,8 @@ - `himalaya` has been updated to `0.8.0`, which drops the native TLS support (in favor of Rustls) and add OAuth 2.0 support. See the [release note](https://github.com/soywod/himalaya/releases/tag/v0.8.0) for more details. +- The [services.caddy.acmeCA](#opt-services.caddy.acmeCA) option now defaults to `null` instead of `"https://acme-v02.api.letsencrypt.org/directory"`, to use all of Caddy's default ACME CAs and enable Caddy's automatic issuer fallback feature by default, as recommended by upstream. + - `util-linux` is now supported on Darwin and is no longer an alias to `unixtools`. Use the `unixtools.util-linux` package for access to the Apple variants of the utilities. - `fileSystems.<name>.autoFormat` now uses `systemd-makefs`, which does not accept formatting options. Therefore, `fileSystems.<name>.formatOptions` has been removed. diff --git a/nixos/modules/services/web-servers/caddy/default.nix b/nixos/modules/services/web-servers/caddy/default.nix index f5a9cfac5d77..70715a237250 100644 --- a/nixos/modules/services/web-servers/caddy/default.nix +++ b/nixos/modules/services/web-servers/caddy/default.nix @@ -14,7 +14,7 @@ let in '' ${hostOpts.hostName} ${concatStringsSep " " hostOpts.serverAliases} { - bind ${concatStringsSep " " hostOpts.listenAddresses} + ${optionalString (hostOpts.listenAddresses != [ ]) "bind ${concatStringsSep " " hostOpts.listenAddresses}"} ${optionalString (hostOpts.useACMEHost != null) "tls ${sslCertDir}/cert.pem ${sslCertDir}/key.pem"} log { ${hostOpts.logFormat} @@ -245,15 +245,23 @@ in }; acmeCA = mkOption { - default = "https://acme-v02.api.letsencrypt.org/directory"; - example = "https://acme-staging-v02.api.letsencrypt.org/directory"; + default = null; + example = "https://acme-v02.api.letsencrypt.org/directory"; type = with types; nullOr str; description = lib.mdDoc '' + ::: {.note} + Sets the [`acme_ca` option](https://caddyserver.com/docs/caddyfile/options#acme-ca) + in the global options block of the resulting Caddyfile. + ::: + The URL to the ACME CA's directory. It is strongly recommended to set - this to Let's Encrypt's staging endpoint for testing or development. + this to `https://acme-staging-v02.api.letsencrypt.org/directory` for + Let's Encrypt's [staging endpoint](https://letsencrypt.org/docs/staging-environment/) + while testing or in development. - Set it to `null` if you want to write a more - fine-grained configuration manually. + Value `null` should be prefered for production setups, + as it omits the `acme_ca` option to enable + [automatic issuer fallback](https://caddyserver.com/docs/automatic-https#issuer-fallback). ''; }; |