author | Emily <vcs@emily.moe> | 2020-02-23 01:51:19 +0000 |
committer | Emily <vcs@emily.moe> | 2020-02-29 16:44:04 +0000 |
commit | b522aeda5a133cbd9b2b861dced816ec9fb5fb4b (patch) | |
tree | 22d619edc84211fc011b4b2dc5e6d766a876476a /nixos/modules/security/acme.nix | |
parent | ea79a830dcf9c0059656da7f52835d2663d5c436 (diff) | |
nixos/acme: add ocspMustStaple option
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r-- | nixos/modules/security/acme.nix | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 7da6666f79c..897c0aec618 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -136,6 +136,19 @@ let
 challenge to ensure the DNS entries required are available.
 '';
 };
+
+ ocspMustStaple = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Turns on the OCSP Must-Staple TLS extension.
+ Make sure you know what you're doing! See:
+ <itemizedlist>
+ <listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem>
+ <listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem>
+ </itemizedlist>
+ '';
+ };
 };
 };
@@ -288,8 +301,11 @@ in
 ++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
 ++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" data.webroot ])
 ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
- runOpts = escapeShellArgs (globalOpts ++ [ "run" ]);
- renewOpts = escapeShellArgs (globalOpts ++ [ "renew" "--days" (toString cfg.validMinDays) ]);
+ certOpts = optionals data.ocspMustStaple [ "--must-staple" ];
+ runOpts = escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts);
+ renewOpts = escapeShellArgs (globalOpts ++
+ [ "renew" "--days" (toString cfg.validMinDays) ] ++
+ certOpts);
 acmeService = {
 description = "Renew ACME Certificate for ${cert}";
 after = [ "network.target" "network-online.target" ];
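Review bot: The `ocspMustStaple` description in the first hunk tells the reader to "know what you're doing" but never states the operational requirement behind that warning: a certificate carrying the Must-Staple extension is rejected by clients that honour the extension unless the server presenting it also staples a current OCSP response, and nothing in this module configures the web server to do so. I would add a sentence to the description such as `The web server that serves this certificate must have OCSP stapling enabled and working, otherwise clients that enforce Must-Staple will refuse the connection.` The second hunk adds `--must-staple` to both the `run` and the `renew` invocation, but `renew` is still gated by `--days` and `cfg.validMinDays`, so enabling the option on an already-issued certificate presumably only takes effect when the next renewal actually reissues it; that is worth stating in the description as well. The `let` block that binds `certOpts` and `runOpts` starts before the hunk.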