diff options
| author | Jan Tojnar <jtojnar@gmail.com> | 2017-10-23 05:40:39 +0200 |
|---|---|---|
| committer | Jan Tojnar <jtojnar@gmail.com> | 2018-01-15 13:48:45 +0100 |
| commit | 41d252d7a4be12db7cec5a47468cee1024525eca (patch) | |
| tree | a75d377f14507b2bd2f8fbfc1dddc3ffe8d78a97 /nixos/modules/services/web-servers/nginx/default.nix | |
| parent | ee4e6ebbfaad09a20f8b447e084444449583f505 (diff) | |
| download | nixpkgs-41d252d7a4be12db7cec5a47468cee1024525eca.tar nixpkgs-41d252d7a4be12db7cec5a47468cee1024525eca.tar.gz nixpkgs-41d252d7a4be12db7cec5a47468cee1024525eca.tar.bz2 nixpkgs-41d252d7a4be12db7cec5a47468cee1024525eca.tar.lz nixpkgs-41d252d7a4be12db7cec5a47468cee1024525eca.tar.xz nixpkgs-41d252d7a4be12db7cec5a47468cee1024525eca.tar.zst nixpkgs-41d252d7a4be12db7cec5a47468cee1024525eca.zip | |
nixos/nginx: allow using existing ACME certificate
When a domain has a lot of subdomains, it is quite easy to hit the rate limit: https://letsencrypt.org/docs/rate-limits/ Instead you can define the certificate manually in `security.acme.certs` and list the subdomains in the `extraDomains` option.
Diffstat (limited to 'nixos/modules/services/web-servers/nginx/default.nix')
| -rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 2951e63e863..100fabf902f 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -15,6 +15,9 @@ let } // (optionalAttrs vhostConfig.enableACME { sslCertificate = "/var/lib/acme/${serverName}/fullchain.pem"; sslCertificateKey = "/var/lib/acme/${serverName}/key.pem"; + }) // (optionalAttrs (vhostConfig.useACMEHost != null) { + sslCertificate = "/var/lib/acme/${vhostConfig.useACMEHost}/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/${vhostConfig.useACMEHost}/key.pem"; }) ) cfg.virtualHosts; enableIPv6 = config.networking.enableIPv6; @@ -174,7 +177,7 @@ let redirectListen = filter (x: !x.ssl) defaultListen; - acmeLocation = '' + acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) '' location /.well-known/acme-challenge { ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"} root ${vhost.acmeRoot}; @@ -194,7 +197,7 @@ let ${concatMapStringsSep "\n" listenString redirectListen} server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases}; - ${optionalString vhost.enableACME acmeLocation} + ${acmeLocation} location / { return 301 https://$host$request_uri; } @@ -204,7 +207,7 @@ let server { ${concatMapStringsSep "\n" listenString hostListen} server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases}; - ${optionalString vhost.enableACME acmeLocation} + ${acmeLocation} ${optionalString (vhost.root != null) "root ${vhost.root};"} ${optionalString (vhost.globalRedirect != null) '' return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri; @@ -555,6 +558,14 @@ in are mutually exclusive. ''; } + + { + assertion = all (conf: !(conf.enableACME && conf.useACMEHost != null)) (attrValues virtualHosts); + message = '' + Options services.nginx.service.virtualHosts.<name>.enableACME and + services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive. + ''; + } ]; systemd.services.nginx = { @@ -580,7 +591,7 @@ in security.acme.certs = filterAttrs (n: v: v != {}) ( let vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts; - acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME) vhostsConfigs; + acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs; acmePairs = map (vhostConfig: { name = vhostConfig.serverName; value = { user = cfg.user; group = lib.mkDefault cfg.group; |