authorV <v@anomalous.eu>2021-05-21 10:07:24 +0200
committerV <v@anomalous.eu>2021-06-05 06:00:45 +0200
commit6fc18eb4199e4acb6a3b53b9ec49ae56d0782895 (patch)
treedad106f1cf282a63dd64a8fd3fa474fad03dc4bb /nixos
parent1508c220f98d3166c8b4fda94a409e1c3a11cf79 (diff)
nixos/acme: Allow using lego's built-in web server
Currently, we hardcode the use of --http.webroot, even if no webroot is
configured. This has the effect of disabling the built-in server.

Co-authored-by: Chris Forno <jekor@jekor.com>
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/security/acme.nix40
1 files changed, 37 insertions, 3 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index c0250171109..2b466d6a85c 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -127,9 +127,8 @@ let
       [ "--dns" data.dnsProvider ]
       ++ optionals (!data.dnsPropagationCheck) [ "--dns.disable-cp" ]
       ++ optionals (data.dnsResolver != null) [ "--dns.resolvers" data.dnsResolver ]
-    ) else (
-      [ "--http" "--http.webroot" data.webroot ]
-    );
+    ) else if data.listenHTTP != null then [ "--http" "--http.port" data.listenHTTP ]
+    else [ "--http" "--http.webroot" data.webroot ];
 
     commonOpts = [
       "--accept-tos" # Checking the option is covered by the assertions
@@ -268,6 +267,8 @@ let
             ${data.postRun}
           fi
         '');
+      } // optionalAttrs (data.listenHTTP != null && toInt (elemAt (splitString ":" data.listenHTTP) 1) < 1024) {
+        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
       };
 
       # Working directory will be /tmp
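Review bot: The port extraction on the added line, `toInt (elemAt (splitString ":" data.listenHTTP) 1)`, assumes the value holds exactly one colon, so an IPv6 interface such as `[::1]:80` splits into more than two fields and `elemAt … 1` yields an empty string, making `toInt` fail at evaluation time instead of granting the capability. Taking the last field handles both forms: `toInt (last (splitString ":" data.listenHTTP)) < 1024`. Granting CAP_NET_BIND_SERVICE only for privileged ports is the right least-privilege choice, and a short comment such as `# lego binds the socket itself, so only grant CAP_NET_BIND_SERVICE for ports below 1024` would make that intent obvious to the next reader. The enclosing serviceConfig attribute set starts before this hunk.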
@@ -396,6 +397,17 @@ let
         '';
       };
 
+      listenHTTP = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = ":1360";
+        description = ''
+          Interface and port to listen on to solve HTTP challenges
+          in the form [INTERFACE]:PORT.
+          If you use a port other than 80, you must proxy port 80 to this port.
+        '';
+      };
+
       server = mkOption {
         type = types.nullOr types.str;
         default = null;
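Review bot: The description of the new listenHTTP option does not mention the privilege consequence of the value: as the serviceConfig change earlier in this diff shows, a PORT below 1024 causes the acme service to be granted CAP_NET_BIND_SERVICE, which an operator choosing between `:80` and a proxied high port would want to know. It also does not say that the port part is parsed at evaluation time, so a value without a numeric port fails the build rather than being passed through to lego. A sentence such as `If PORT is below 1024, the acme service is granted CAP_NET_BIND_SERVICE so that lego can bind it.` appended to the description would cover the first point.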
@@ -714,6 +726,28 @@ in {
             `security.acme.certs.${cert}.webroot` are mutually exclusive.
           '';
         }
+        {
+          assertion = data.webroot == null || data.listenHTTP == null;
+          message = ''
+            Options `security.acme.certs.${cert}.webroot` and
+            `security.acme.certs.${cert}.listenHTTP` are mutually exclusive.
+          '';
+        }
+        {
+          assertion = data.listenHTTP == null || data.dnsProvider == null;
+          message = ''
+            Options `security.acme.certs.${cert}.listenHTTP` and
+            `security.acme.certs.${cert}.dnsProvider` are mutually exclusive.
+          '';
+        }
+        {
+          assertion = data.dnsProvider != null || data.webroot != null || data.listenHTTP != null;
+          message = ''
+            One of `security.acme.certs.${cert}.dnsProvider`,
+            `security.acme.certs.${cert}.webroot`, or
+            `security.acme.certs.${cert}.listenHTTP` must be provided.
+          '';
+        }
       ]) cfg.certs));
 
       users.users.acme = {
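Review bot: The added assertions enforce mutual exclusivity but never check that listenHTTP has the documented `[INTERFACE]:PORT` shape, while the serviceConfig change earlier in this diff calls `toInt` on the text after the colon; a value like `1360` or `localhost` therefore surfaces as an opaque evaluation error instead of an assertion message naming the option. A fourth assertion built on `builtins.match` would give the operator a clear message and guard the later arithmetic. As a point of style, the three pairwise exclusivity checks plus the existing dnsProvider/webroot one could collapse into a single `count (x: x != null) [ … ] == 1` check, but the per-pair messages are more helpful, so keeping them seems the better trade. The enclosing assertions list starts before this hunk.
```nix
        {
          assertion = data.listenHTTP == null || builtins.match ".*:[0-9]+" data.listenHTTP != null;
          message = ''
            Option `security.acme.certs.${cert}.listenHTTP` must be of the form [INTERFACE]:PORT,
            where PORT is numeric.
          '';
        }
```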