summary refs log tree commit diff
path: root/nixos/modules/security/acme.nix
diff options
context:
space:
mode:
authorEmily <vcs@emily.moe>2020-02-23 01:51:19 +0000
committerEmily <vcs@emily.moe>2020-02-29 16:44:04 +0000
commitb522aeda5a133cbd9b2b861dced816ec9fb5fb4b (patch)
tree22d619edc84211fc011b4b2dc5e6d766a876476a /nixos/modules/security/acme.nix
parentea79a830dcf9c0059656da7f52835d2663d5c436 (diff)
downloadnixpkgs-b522aeda5a133cbd9b2b861dced816ec9fb5fb4b.tar
nixpkgs-b522aeda5a133cbd9b2b861dced816ec9fb5fb4b.tar.gz
nixpkgs-b522aeda5a133cbd9b2b861dced816ec9fb5fb4b.tar.bz2
nixpkgs-b522aeda5a133cbd9b2b861dced816ec9fb5fb4b.tar.lz
nixpkgs-b522aeda5a133cbd9b2b861dced816ec9fb5fb4b.tar.xz
nixpkgs-b522aeda5a133cbd9b2b861dced816ec9fb5fb4b.tar.zst
nixpkgs-b522aeda5a133cbd9b2b861dced816ec9fb5fb4b.zip
nixos/acme: add ocspMustStaple option
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r--nixos/modules/security/acme.nix20


1 files changed, 18 insertions, 2 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 7da6666f79c..897c0aec618 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -136,6 +136,19 @@ let
           challenge to ensure the DNS entries required are available.
         '';
       };
+
+      ocspMustStaple = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Turns on the OCSP Must-Staple TLS extension.
+          Make sure you know what you're doing! See:
+          <itemizedlist>
+            <listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem>
+            <listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem>
+          </itemizedlist>
+        '';
+      };
     };
   };
 
@@ -288,8 +301,11 @@ in
                           ++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
                           ++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" data.webroot ])
                           ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
-                runOpts = escapeShellArgs (globalOpts ++ [ "run" ]);
-                renewOpts = escapeShellArgs (globalOpts ++ [ "renew" "--days" (toString cfg.validMinDays) ]);
+                certOpts = optionals data.ocspMustStaple [ "--must-staple" ];
+                runOpts = escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts);
+                renewOpts = escapeShellArgs (globalOpts ++
+                  [ "renew" "--days" (toString cfg.validMinDays) ] ++
+                  certOpts);
                 acmeService = {
                   description = "Renew ACME Certificate for ${cert}";
                   after = [ "network.target" "network-online.target" ];

 

generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-27 18:49:25 +0000