author | Florian Klink <flokli@flokli.de> | 2019-10-30 12:17:51 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-10-30 12:17:51 +0100 |
commit | 992035cff0fe9400b66440ee8ab401c8488aed53 (patch) | |
tree | be0477db1ce4b7844099243c03b44607372cc43a /nixos | |
parent | aad81ec8cd158a9e11f4d35fc6022d1300fcb4c6 (diff) | |
parent | 781f0cf2ec3d18afa7e9f276ea87da4017934fee (diff) | |
Merge pull request #72007 from NinjaTrappeur/nin-acme-custom-dir-uri
nixos/acme: Custom ACME endpoint
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/acme.nix | 46 | ||||
-rw-r--r-- | nixos/tests/acme.nix | 9 | ||||
-rw-r--r-- | nixos/tests/common/letsencrypt/0001-Change-ACME-directory-endpoint-to-directory.patch | 25 | ||||
-rw-r--r-- | nixos/tests/common/letsencrypt/default.nix | 12 |
4 files changed, 38 insertions, 54 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index cbeb99cfcef..d14613f22b0 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -20,6 +20,16 @@ let
 ''; };
+ server = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ ACME Directory Resource URI. Defaults to let's encrypt
+ production endpoint,
+ https://acme-v02.api.letsencrypt.org/directory, if unset.
+ '';
+ };
+
 domain = mkOption { type = types.str; default = name;
@@ -109,7 +119,15 @@ in
 { ###### interface
-
+ imports = [
+ (mkRemovedOptionModule [ "security" "acme" "production" ] ''
+ Use security.acme.server to define your staging ACME server URL instead.
+
+ To use the let's encrypt staging server, use security.acme.server =
+ "https://acme-staging-v02.api.letsencrypt.org/directory".
+ ''
+ )
+ ];
 options = { security.acme = {
@@ -129,6 +147,16 @@ in
 ''; };
+ server = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ ACME Directory Resource URI. Defaults to let's encrypt
+ production endpoint,
+ <literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset.
+ '';
+ };
+
 preliminarySelfsigned = mkOption { type = types.bool; default = true;
@@ -142,20 +170,6 @@ in
 ''; };
- production = mkOption {
- type = types.bool;
- default = true;
- description = ''
- If set to true, use Let's Encrypt's production environment
- instead of the staging environment. The main benefit of the
- staging environment is to get much higher rate limits.
-
- See
- <literal>https://letsencrypt.org/docs/staging-environment</literal>
- for more detail.
- '';
- };
-
 certs = mkOption { default = { }; type = with types; attrsOf (submodule certOpts);
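Review bot: The new per-certificate `server` option in the first hunk is typed `types.nullOr types.str`, so any string is accepted and later passed verbatim to `--server`; nothing requires an HTTPS ACME directory URL, and a value with an `http://` scheme would presumably have the client fetch the directory without transport protection. Consider `type = types.nullOr (types.strMatching "https://.*");`, or at least state in the description that the value must be an HTTPS directory URL. The same applies to the module-level `security.acme.server` option in the third hunk, whose description is otherwise identical except that only it wraps the URL in `<literal>`; using the same markup in both would keep the generated manual consistent. The `certOpts` submodule and the `options` attribute set both extend beyond these hunks.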
@@ -198,7 +212,7 @@ in
 ++ optionals (data.email != null) [ "--email" data.email ] ++ concatMap (p: [ "-f" p ]) data.plugins ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
- ++ optionals (!cfg.production) ["--server" "https://acme-staging-v02.api.letsencrypt.org/directory"];
+ ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
 acmeService = { description = "Renew ACME Certificate for ${cert}"; after = [ "network.target" "network-online.target" ];
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index 85d32d10944..206d97849f0 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -12,8 +12,11 @@ in import ./make-test.nix {
 networking.extraHosts = '' ${config.networking.primaryIPAddress} standalone.com '';
- security.acme.certs."standalone.com" = {
- webroot = "/var/lib/acme/acme-challenges";
+ security.acme = {
+ server = "https://acme-v02.api.letsencrypt.org/dir";
+ certs."standalone.com" = {
+ webroot = "/var/lib/acme/acme-challenges";
+ };
 }; systemd.targets."acme-finished-standalone.com" = {}; systemd.services."acme-standalone.com" = {
@@ -54,6 +57,8 @@ in import ./make-test.nix {
 ''; };
+ security.acme.server = "https://acme-v02.api.letsencrypt.org/dir";
+
 nesting.clone = [ ({pkgs, ...}: {
diff --git a/nixos/tests/common/letsencrypt/0001-Change-ACME-directory-endpoint-to-directory.patch b/nixos/tests/common/letsencrypt/0001-Change-ACME-directory-endpoint-to-directory.patch
deleted file mode 100644
index 9d4a483dd88..00000000000
--- a/nixos/tests/common/letsencrypt/0001-Change-ACME-directory-endpoint-to-directory.patch
+++ /dev/null
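Review bot: The new `--server` line in the `@@ -198,7 +212,7 @@` hunk tests `data.server` against null twice, once inside the `optionals` condition and again in the `if`, which makes the intended per-certificate-over-global precedence harder to read than it needs to be. A local binding states the rule once: `let server = if data.server != null then data.server else cfg.server; in` ahead of the argument list, followed by `++ optionals (server != null) [ "--server" server ]`. The list expression this line belongs to starts before the hunk and the enclosing function continues after it.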
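Review bot: The directory URL `https://acme-v02.api.letsencrypt.org/dir` is spelled out twice in nixos/tests/acme.nix, in the `@@ -12,8 +12,11 @@` hunk and again in the `@@ -54,6 +57,8 @@` hunk, so if pebble's directory path changes again one of the two nodes will quietly keep the stale value. A single binding such as `acmeServer = "https://acme-v02.api.letsencrypt.org/dir";` in the file's `let` block (which begins before the first hunk), referenced from both places, keeps the nodes in step. That binding would also be the natural place for a short comment saying that the production host name is reused only because it presumably resolves to the local pebble instance in this test, and that `/dir` is pebble's fixed directory path rather than a typo for `/directory`.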
@@ -1,25 +0,0 @@
-From c3b4004386074342d22cab5e129c1f7e623f4272 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?= <felix@alternativebit.fr>
-Date: Mon, 21 Oct 2019 10:56:13 +0200
-Subject: [PATCH] Change ACME directory endpoint to /directory
-
----
- wfe/wfe.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/wfe/wfe.go b/wfe/wfe.go
-index e24797f..10d29fb 100644
---- a/wfe/wfe.go
-+++ b/wfe/wfe.go
-@@ -39,7 +39,7 @@ const (
- // Note: We deliberately pick endpoint paths that differ from Boulder to
- // exercise clients processing of the /directory response
- // We export the DirectoryPath so that the pebble binary can reference it
-- DirectoryPath = "/dir"
-+ DirectoryPath = "/directory"
- noncePath = "/nonce-plz"
- newAccountPath = "/sign-me-up"
- acctPath = "/my-account/"
---
-2.23.0
-
diff --git a/nixos/tests/common/letsencrypt/default.nix b/nixos/tests/common/letsencrypt/default.nix
index aaf2896f21c..110a2520971 100644
--- a/nixos/tests/common/letsencrypt/default.nix
+++ b/nixos/tests/common/letsencrypt/default.nix
@@ -62,17 +62,7 @@ let
 siteDomain = "letsencrypt.org"; siteCertFile = snakeOilCerts.${siteDomain}.cert; siteKeyFile = snakeOilCerts.${siteDomain}.key;
- pebble = pkgs.pebble.overrideAttrs (attrs: {
- # The pebble directory endpoint is /dir when the bouder (official
- # ACME server) is /directory. Sadly, this endpoint is hardcoded,
- # we have to patch it.
- #
- # Tried to upstream, that said upstream maintainers rather keep
- # this custom endpoint to test ACME clients robustness. See
- # https://github.com/letsencrypt/pebble/issues/283#issuecomment-545123242
- patches = [ ./0001-Change-ACME-directory-endpoint-to-directory.patch ];
- });
-
+ pebble = pkgs.pebble;
 resolver = let message = "You need to define a resolver for the letsencrypt test module."; firstNS = lib.head config.networking.nameservers; |
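Review bot: With the patch dropped, `pebble = pkgs.pebble;` in the `@@ -62,17 +62,7 @@` hunk of default.nix loses the explanation the removed comment carried, so a reader no longer learns why consumers of this test module have to point `security.acme.server` at `/dir` rather than the usual `/directory`. A one-line comment above the binding would keep that knowledge next to the code: `# pebble serves its ACME directory at /dir (not /directory); consumers must set security.acme.server to https://<pebble-host>/dir`. If `pebble` has only one other use in the file, the now-trivial binding could also be replaced by `pkgs.pebble` at that site; the `let` block it belongs to starts before the hunk.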