nixos/acme: ignore tmpfiles rules for null webroots

Lucas Savva 2020-01-15 09:17:11 +00:00
parent 9467f2ba2c
commit 61665e3363
1 changed files with 5 additions and 5 deletions


@ -7,7 +7,8 @@ let
certOpts = { name, ... }: { certOpts = { name, ... }: {
options = { options = {
webroot = mkOption { webroot = mkOption {
type = types.str; type = types.nullOr types.str;
default = null;
example = "/var/lib/acme/acme-challenges"; example = "/var/lib/acme/acme-challenges";
description = '' description = ''
Where the webroot of the HTTP vhost is located. Where the webroot of the HTTP vhost is located.
@ -98,8 +99,8 @@ let
dnsProvider = mkOption { dnsProvider = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
example = "route53";
default = null; default = null;
example = "route53";
description = "DNS Challenge provider"; description = "DNS Challenge provider";
}; };
@ -261,7 +262,7 @@ in
email = if data.email == null then cfg.email else data.email; email = if data.email == null then cfg.email else data.email;
globalOpts = [ "-d" data.domain "--email" email "--path" "." ] globalOpts = [ "-d" data.domain "--email" email "--path" "." ]
++ optionals (cfg.acceptTerms) [ "--accept-tos" ] ++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
++ optionals (data.dnsProvider != null && !cfg.dnsPropagationCheck) [ "--dns.disable-cp" ] ++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains) ++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" data.webroot ]) ++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" data.webroot ])
++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)]; ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
@ -373,8 +374,7 @@ in
servicesAttr; servicesAttr;
systemd.tmpfiles.rules = systemd.tmpfiles.rules =
flip mapAttrsToList cfg.certs map (data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}") (filter (data: data.webroot != null) (attrValues cfg.certs));
(cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}");
systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
("acme-${cert}") ("acme-${cert}")
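Review bot: With `webroot` now defaulting to `null`, the HTTP branch in the `globalOpts` hunk still emits `[ "--http" "--http.webroot" data.webroot ]` whenever `data.dnsProvider` is null, so a certificate that sets neither option hands a null webroot to the client invocation instead of being rejected at evaluation time. This commit guards only the tmpfiles rule; unless an assertion exists outside the visible hunks, I would add one per certificate, e.g. `assertion = data.dnsProvider != null || data.webroot != null;`, with a message naming the cert. The `webroot` description should also state that null is only valid when `dnsProvider` is set. Separately, the tmpfiles rule leaves the mode field as `-`, so the challenge directory gets the tmpfiles default; writing the intended mode explicitly would make the permissions of a web-served directory reviewable.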