Merge pull request #18366 from groxxda/acme-loop

security.acme: require networking for client, remove loop without fallbackHost
Franz Pletz 2016-09-06 23:02:07 +02:00 committed by GitHub
commit 9190dbcc0e
3 changed files with 8 additions and 6 deletions


@ -166,7 +166,8 @@ in
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains); ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
acmeService = { acmeService = {
description = "Renew ACME Certificate for ${cert}"; description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" ]; after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
SuccessExitStatus = [ "0" "1" ]; SuccessExitStatus = [ "0" "1" ];
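Review bot: The new `after = [ "network.target" "network-online.target" ]` / `wants = [ "network-online.target" ]` pair on acmeService has no comment saying why both targets are listed, and the ordering only buys something when a wait-online service is enabled on the host; otherwise `network-online.target` is reached immediately and the renewal can still run before a route exists. Suggest a comment above the `after` line: `# network-online.target only delays us when a *-wait-online service is active; network.target alone does not guarantee connectivity.` Using `wants` rather than `requires` looks deliberate (the renewal still runs if the target fails), which is worth stating in the same comment. The acmeService attribute set continues past the end of the hunk.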


@ -114,17 +114,18 @@ let
port = if vhost.port != null then vhost.port else (if ssl then 443 else 80); port = if vhost.port != null then vhost.port else (if ssl then 443 else 80);
listenString = toString port + optionalString ssl " ssl http2" listenString = toString port + optionalString ssl " ssl http2"
+ optionalString vhost.default " default"; + optionalString vhost.default " default";
acmeLocation = optionalString vhost.enableACME '' acmeLocation = optionalString vhost.enableACME (''
location /.well-known/acme-challenge { location /.well-known/acme-challenge {
try_files $uri @acme-fallback; ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
root ${vhost.acmeRoot}; root ${vhost.acmeRoot};
auth_basic off; auth_basic off;
} }
'' + (optionalString (vhost.acmeFallbackHost != null) ''
location @acme-fallback { location @acme-fallback {
auth_basic off; auth_basic off;
proxy_pass http://${vhost.acmeFallbackHost}; proxy_pass http://${vhost.acmeFallbackHost};
} }
''; ''));
in '' in ''
${optionalString vhost.forceSSL '' ${optionalString vhost.forceSSL ''
server { server {
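Review bot: The test `vhost.acmeFallbackHost != null` is evaluated twice in the new `acmeLocation` (once for the `try_files` line inside `location /.well-known/acme-challenge`, once for the `@acme-fallback` block), and nothing records that the two fragments must be emitted together — if they drift apart, nginx is handed a `try_files` naming a location that no longer exists and will reject the config. Bind it once in the surrounding `let` (which starts above the hunk), e.g. `hasAcmeFallback = vhost.acmeFallbackHost != null;`, then use `${optionalString hasAcmeFallback "try_files $uri @acme-fallback;"}` and `optionalString hasAcmeFallback ''`. A one-line comment above the binding would also help: `# Only proxy missed challenge files when a fallback host is set; with none, a missing file must 404 here instead of being proxied.` The `in ''` body continues past the end of the hunk.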


@ -39,8 +39,8 @@ with lib;
}; };
acmeFallbackHost = mkOption { acmeFallbackHost = mkOption {
type = types.str; type = types.nullOr types.str;
default = "0.0.0.0"; default = null;
description = '' description = ''
Host which to proxy requests to if acme challenge is not found. Useful Host which to proxy requests to if acme challenge is not found. Useful
if you want multiple hosts to be able to verify the same domain name. if you want multiple hosts to be able to verify the same domain name.