author | Franz Pletz <fpletz@fnordicwalking.de> | 2016-09-06 23:02:07 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-09-06 23:02:07 +0200 |
commit | 9190dbcc0e4f42487886916a0309aa3236d76df6 (patch) | |
tree | 20731fc56063385852762662bfe49206d64e3117 /nixos | |
parent | c5e9049ac30948529114f3495d0145d3ac2689de (diff) | |
parent | e84b803300033a030907f351b5a5c6fa671b7bf6 (diff) | |
Merge pull request #18366 from groxxda/acme-loop
security.acme: wait for network-online.target before running the ACME client; generate the nginx acme-fallback proxy location only when acmeFallbackHost is set, removing the loop caused by the old 0.0.0.0 default
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/acme.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 7 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/vhost-options.nix | 4 |
3 files changed, 8 insertions, 6 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 3dac558b9537..45e8f64046b0 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -166,7 +166,8 @@ in
 ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
 acmeService = {
 description = "Renew ACME Certificate for ${cert}";
- after = [ "network.target" ];
+ after = [ "network.target" "network-online.target" ];
+ wants = [ "network-online.target" ];
 serviceConfig = {
 Type = "oneshot";
 SuccessExitStatus = [ "0" "1" ];
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 6e62606f323e..94c442e165b7 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -114,17 +114,18 @@ let
 port = if vhost.port != null then vhost.port else (if ssl then 443 else 80);
 listenString = toString port + optionalString ssl " ssl http2" + optionalString vhost.default " default";
- acmeLocation = optionalString vhost.enableACME ''
+ acmeLocation = optionalString vhost.enableACME (''
 location /.well-known/acme-challenge {
- try_files $uri @acme-fallback;
+ ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
 root ${vhost.acmeRoot};
 auth_basic off;
 }
+ '' + (optionalString (vhost.acmeFallbackHost != null) ''
 location @acme-fallback {
 auth_basic off;
 proxy_pass http://${vhost.acmeFallbackHost};
 }
- '';
+ ''));
 in ''
 ${optionalString vhost.forceSSL ''
 server {
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index ee3f68bf8059..dcebbc9229fc 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
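Review bot: The new `after`/`wants` on `network-online.target` only delays the renewal unit if some wait-online service (systemd-networkd-wait-online, NetworkManager-wait-online) is enabled on the host; with plain scripted networking the target may be reached before DNS and routing are usable, so the client can still fail on the first boot-time run. That assumption should be stated next to the added lines, e.g. `# Order after network-online.target; this only waits for connectivity when a *-wait-online unit is enabled`. Note also that the surrounding `SuccessExitStatus = [ "0" "1" ]` reports an exit-1 run as success to systemd, so a renewal that genuinely fails once the network is up is invisible to unit-state monitoring; if exit 1 is the client's "certificate still valid, nothing renewed" code, a comment saying so (`# exit 1 = no renewal needed, not an error — confirm against the client in use`) keeps the next reader from taking it for error masking. The `acmeService` attribute set continues outside the hunk.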
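Review bot: The `vhost.acmeFallbackHost != null` condition is evaluated twice in the new `acmeLocation`, once inside the `${…}` interpolation that emits `try_files` and once for the `@acme-fallback` location, and the two must never disagree or nginx gets a `try_files` pointing at a named location that does not exist. Binding it once in the enclosing `let` keeps them in lockstep: `hasAcmeFallback = vhost.acmeFallbackHost != null;` and then `optionalString hasAcmeFallback` in both places. Because the value lands verbatim in `proxy_pass http://${vhost.acmeFallbackHost};` under `auth_basic off`, every request below `/.well-known/acme-challenge` that misses the local `root` is forwarded unauthenticated and in cleartext to the configured host, which is fine for HTTP-01 but worth a line such as `# Unauthenticated plaintext proxy: the fallback host must expose only the ACME challenge directory`. The `let` binding group and the `in ''` string both continue outside the hunk.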
@@ -39,8 +39,8 @@ with lib;
 };
 acmeFallbackHost = mkOption {
- type = types.str;
- default = "0.0.0.0";
+ type = types.nullOr types.str;
+ default = null;
 description = ''
 Host which to proxy requests to if acme challenge is not found.
 Useful if you want multiple hosts to be able to verify the same domain name. |
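Review bot: The description still reads as if a fallback host is always present, but with the new `default = null` the fallback is disabled entirely (the nginx module in this same commit emits no `@acme-fallback` location in that case), and nothing tells the user what form the value takes. Extend the description with `Set to null (the default) to disable the fallback.` and state that the value is substituted unchanged into `proxy_pass http://<value>;`, so `host` or `host:port` are accepted but a URL is not; an `example = "10.0.0.2:80";` on the option would make this concrete. `types.nullOr types.str` still admits the empty string, which would render as `proxy_pass http://;` and break the nginx config at activation — consider mentioning that in the description or, if the module has a fitting non-empty string type in scope, using it. The `mkOption` attribute set closes outside the hunk.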