diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 5940f471883..aacdcbdd53d 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -6,10 +6,11 @@ let
cfg = config.security.acme;
- certOpts = { ... }: {
+ certOpts = { name, ... }: {
options = {
webroot = mkOption {
type = types.str;
+ example = "/var/lib/acme/acme-challenges";
description = ''
Where the webroot of the HTTP vhost is located.
.well-known/acme-challenge/ directory
@@ -20,8 +21,8 @@ let
};
domain = mkOption {
- type = types.nullOr types.str;
- default = null;
+ type = types.str;
+ default = name;
description = "Domain to fetch certificate for (defaults to the entry name)";
};
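Review bot: `default = name;` now derives the documented default from the submodule's attribute name, so the option's rendered default in the manual depends on whatever placeholder the documentation machinery passes for `name`; add `defaultText = "‹name›";` beside it so the generated docs match the description on the next line. The new `types.str` also accepts any string, and that value is handed straight to the client as `-d data.domain` (in the later hunk at `cmdline`), so a mistyped entry name with whitespace or a leading `-` only fails at service start; if this lib version has it, `type = types.strMatching "[A-Za-z0-9.-]+";` would reject that at evaluation time instead. Note that the tightening from `types.nullOr types.str` turns an existing explicit `domain = null;` into an evaluation error, which is a reasonable breaking change but worth a release-note line. The enclosing `options` set continues outside the hunk.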
@@ -48,7 +49,7 @@ let
default = false;
description = ''
Give read permissions to the specified group
- () to read SSL private certificates.
+ () to read SSL private certificates.
'';
};
@@ -87,7 +88,7 @@ let
}
'';
description = ''
- Extra domain names for which certificates are to be issued, with their
+ A list of extra domain names, which are included in the one certificate to be issued, with their
own server roots if needed.
'';
};
@@ -193,10 +194,9 @@ in
servicesLists = mapAttrsToList certToServices cfg.certs;
certToServices = cert: data:
let
- domain = if data.domain != null then data.domain else cert;
cpath = "${cfg.directory}/${cert}";
rights = if data.allowKeysForGroup then "750" else "700";
- cmdline = [ "-v" "-d" domain "--default_root" data.webroot "--valid_min" cfg.validMin "--tos_sha256" cfg.tosHash ]
+ cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin "--tos_sha256" cfg.tosHash ]
++ optionals (data.email != null) [ "--email" data.email ]
++ concatMap (p: [ "-f" p ]) data.plugins
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
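Review bot: The removed `domain` fallback to `cert` is replaced by relying on the submodule's `name` being the same key that `mapAttrsToList certToServices cfg.certs` iterates, but the declaration of `cfg.certs` is outside this hunk, so the equivalence is not visible where `data.domain` is consumed. A one-line comment above the `cmdline` binding would keep the next reader from re-adding the fallback: `# data.domain defaults to the attribute name (see certOpts), so no fallback to `cert` is needed here`. How `cmdline` is turned into a shell command is also outside the hunk, so whether its elements are escaped cannot be confirmed from here; `certToServices` continues past the last line shown.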