authorFélix Baylac-Jacqué <felix@alternativebit.fr>2019-10-26 00:40:51 +0200
committerFélix Baylac-Jacqué <felix@alternativebit.fr>2019-10-30 11:08:12 +0100
commit5671fa2396886c038ed0c28af9797e8b16786783 (patch)
treef775365850a796d0889c615591a6aa64d89269dc /nixos/modules/security/acme.nix
parent91a714000ac54457e5e2996be00096bbdb8ae624 (diff)
nixos/modules/security/acme.nix: add server option
Add a new option that allows certbot to be pointed at an ACME Directory
Resource URI other than Let's Encrypt's production or staging one.

At the same time, the now-redundant Let's Encrypt `production` flag is
removed in favour of this option.
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r--nixos/modules/security/acme.nix46
1 files changed, 30 insertions, 16 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index cbeb99cfcef..d14613f22b0 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -20,6 +20,16 @@ let
         '';
       };
 
+      server = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          ACME Directory Resource URI. Defaults to let's encrypt
+          production endpoint,
+          https://acme-v02.api.letsencrypt.org/directory, if unset.
+        '';
+      };
+
       domain = mkOption {
         type = types.str;
         default = name;
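Review bot: The per-certificate `server` description at lines 40–42 says an unset value defaults to the Let's Encrypt production endpoint, but the command-line construction added later in this commit consults `security.acme.server` first when the per-cert value is null, so that statement only holds when the global option is also unset. I would reword it to `Falls back to security.acme.server, and to the Let's Encrypt production endpoint https://acme-v02.api.letsencrypt.org/directory when that is unset as well.` The `certOpts` submodule this option belongs to starts before the hunk.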
@@ -109,7 +119,15 @@ in
 {
 
   ###### interface
-
+  imports = [
+    (mkRemovedOptionModule [ "security" "acme" "production" ] ''
+      Use security.acme.server to define your staging ACME server URL instead.
+
+      To use the let's encrypt staging server, use security.acme.server =
+      "https://acme-staging-v02.api.letsencrypt.org/directory".
+    ''
+    )
+  ];
   options = {
     security.acme = {
 
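Review bot: The removed-option message at lines 55–60 only tells users how to select the staging server, yet the removed `production` option defaulted to `true`, so a configuration that set `production = true` explicitly now fails evaluation with advice about staging that does not apply to it. I would add a sentence such as `If you had production = true (the default), simply remove the setting: leaving security.acme.server unset selects the production endpoint.` As a style point, the blank line after `###### interface` was dropped so `imports` now sits directly against the `options` attribute; restoring the blank line before `options` keeps the section layout of the rest of the file.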
@@ -129,6 +147,16 @@ in
         '';
       };
 
+      server = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          ACME Directory Resource URI. Defaults to let's encrypt
+          production endpoint,
+          <literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset.
+        '';
+      };
+
       preliminarySelfsigned = mkOption {
         type = types.bool;
         default = true;
@@ -142,20 +170,6 @@ in
         '';
       };
 
-      production = mkOption {
-        type = types.bool;
-        default = true;
-        description = ''
-          If set to true, use Let's Encrypt's production environment
-          instead of the staging environment. The main benefit of the
-          staging environment is to get much higher rate limits.
-
-          See
-          <literal>https://letsencrypt.org/docs/staging-environment</literal>
-          for more detail.
-        '';
-      };
-
       certs = mkOption {
         default = { };
         type = with types; attrsOf (submodule certOpts);
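Review bot: The new `security.acme.server` option at lines 70–78 accepts any string and, per the cmdline hunk below, is passed unchecked to certbot `--server`; nothing ensures it is an `https://` URL even though the directory response determines where account keys and CSRs are subsequently sent, so a plain-http or mistyped endpoint is a realistic misconfiguration. An assertion in the module's `config` section (outside this hunk), e.g. `{ assertion = cfg.server == null || lib.hasPrefix "https://" cfg.server; message = "security.acme.server must be an https:// URL"; }`, would catch this at evaluation time; I have not verified whether certbot itself rejects non-https directory URLs, so treat this as belt-and-braces. The removed `production` description's guidance about the staging environment (higher rate limits, docs link) is also lost; the new description could mention `https://acme-staging-v02.api.letsencrypt.org/directory` as the value to use for testing.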
@@ -198,7 +212,7 @@ in
                           ++ optionals (data.email != null) [ "--email" data.email ]
                           ++ concatMap (p: [ "-f" p ]) data.plugins
                           ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
-                          ++ optionals (!cfg.production) ["--server" "https://acme-staging-v02.api.letsencrypt.org/directory"];
+                          ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
                 acmeService = {
                   description = "Renew ACME Certificate for ${cert}";
                   after = [ "network.target" "network-online.target" ];
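Review bot: Line 109 evaluates the per-cert/global fallback twice — once in the `optionals` guard and again inside the list — which makes the precedence harder to read than it needs to be; binding it once in the enclosing `let`, which starts before this hunk, as `acmeServer = if data.server != null then data.server else cfg.server;` and then writing `++ optionals (acmeServer != null) [ "--server" acmeServer ]` expresses the same behaviour in one place. Note also that `types.str` admits the empty string, which passes the `!= null` check and would hand certbot `--server ""`; if the option type is not tightened, this is worth a mention in the option description.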