public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/modules/security/acme.nix: add server option

Browse Source 
Add a new option permitting to point certbot to an ACME Directory
Resource URI other than Let's Encrypt production/staging one.

In the meantime, we are deprecating the now useless Let's Encrypt
production flag.
This commit is contained in:
Félix Baylac-Jacqué 2019-10-26 00:40:51 +02:00
parent 91a714000a
commit 5671fa2396
1 changed files with 29 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
nixos/modules/security/acme.nix
View File

@ -20,6 +20,16 @@ let
''; '';
}; };
server = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
ACME Directory Resource URI. Defaults to let's encrypt
production endpoint,
https://acme-v02.api.letsencrypt.org/directory, if unset.
'';
};
domain = mkOption { domain = mkOption {
type = types.str; type = types.str;
default = name; default = name;
@ -109,7 +119,15 @@ in
{ {
###### interface ###### interface
imports = [
(mkRemovedOptionModule [ "security" "acme" "production" ] ''
Use security.acme.server to define your staging ACME server URL instead.
To use the let's encrypt staging server, use security.acme.server =
"https://acme-staging-v02.api.letsencrypt.org/directory".
''
)
];
options = { options = {
security.acme = { security.acme = {
@ -129,6 +147,16 @@ in
''; '';
}; };
server = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
ACME Directory Resource URI. Defaults to let's encrypt
production endpoint,
<literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset.
'';
};
preliminarySelfsigned = mkOption { preliminarySelfsigned = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
@ -142,20 +170,6 @@ in
''; '';
}; };
production = mkOption {
type = types.bool;
default = true;
description = ''
If set to true, use Let's Encrypt's production environment
instead of the staging environment. The main benefit of the
staging environment is to get much higher rate limits.
See
<literal>https://letsencrypt.org/docs/staging-environment</literal>
for more detail.
'';
};
certs = mkOption { certs = mkOption {
default = { }; default = { };
type = with types; attrsOf (submodule certOpts); type = with types; attrsOf (submodule certOpts);
@ -198,7 +212,7 @@ in
++ optionals (data.email != null) [ "--email" data.email ] ++ optionals (data.email != null) [ "--email" data.email ]
++ concatMap (p: [ "-f" p ]) data.plugins ++ concatMap (p: [ "-f" p ]) data.plugins
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains) ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
++ optionals (!cfg.production) ["--server" "https://acme-staging-v02.api.letsencrypt.org/directory"]; ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
acmeService = { acmeService = {
description = "Renew ACME Certificate for ${cert}"; description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" "network-online.target" ]; after = [ "network.target" "network-online.target" ];