author | Yegor Timoshenko <yegortimoshenko@riseup.net> | 2020-03-03 03:57:40 +0300 |
committer | GitHub <noreply@github.com> | 2020-03-03 03:57:40 +0300 |
commit | c16f2218da6928ca52bb500cbebe4c62a67f90f8 (patch) | |
tree | a1c27ae6ccf391343754686c19adeed07cbe5790 /nixos | |
parent | 31aefc74c5f070ce3156136d7a320372c9543b42 (diff) | |
parent | ffb7b984b2c5e07384536f3f0e25db819ca84eef (diff) | |
Merge pull request #80900 from emilazy/acme-must-staple
nixos/acme: Must-Staple and extra flags
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/acme.nix | 28 |
1 files changed, 26 insertions, 2 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 65bd57242ff..211199d148d 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -136,6 +136,27 @@ let
           challenge to ensure the DNS entries required are available.
         '';
       };
+
+      ocspMustStaple = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Turns on the OCSP Must-Staple TLS extension.
+          Make sure you know what you're doing! See:
+          <itemizedlist>
+            <listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem>
+            <listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem>
+          </itemizedlist>
+        '';
+      };
+
+      extraLegoRenewFlags = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          Additional flags to pass to lego renew.
+        '';
+      };
     };
   };
 
@@ -288,8 +309,11 @@ in
             ++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
             ++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" data.webroot ])
             ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
-          runOpts = escapeShellArgs (globalOpts ++ [ "run" ]);
-          renewOpts = escapeShellArgs (globalOpts ++ [ "renew" "--days" (toString cfg.validMinDays) ]);
+          certOpts = optionals data.ocspMustStaple [ "--must-staple" ];
+          runOpts = escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts);
+          renewOpts = escapeShellArgs (globalOpts ++
+            [ "renew" "--days" (toString cfg.validMinDays) ] ++
+            certOpts ++ data.extraLegoRenewFlags);
           acmeService = {
             description = "Renew ACME Certificate for ${cert}";
             after = [ "network.target" "network-online.target" ];
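Review bot: The description of `extraLegoRenewFlags` should state that the flags reach only `lego renew` and not the initial `lego run`, since the second hunk appends `data.extraLegoRenewFlags` to `renewOpts` alone while `certOpts` goes to both. A user who puts certificate-shaping flags here (key type, for instance) will otherwise get a first certificate that differs from every renewal without any hint as to why. Suggested wording: `Additional flags to pass to lego renew. They are not passed to the initial lego run, so flags that affect the certificate itself only take effect from the first renewal onwards.` The surrounding `options` set continues outside the hunk.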
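Review bot: Toggling `ocspMustStaple` on an already-deployed certificate appears to have no immediate effect: `certOpts` is only consumed by `runOpts` and `renewOpts`, and renewal is gated by `--days (toString cfg.validMinDays)`, so the flag presumably lands in the certificate only at the next scheduled renewal (or on first issuance). Turning it off is the operationally sensitive direction, because a Must-Staple certificate that is served without a fresh stapled OCSP response is rejected by enforcing clients, and that persists until the renewal actually reissues. A short comment above the `certOpts` binding would spare operators the surprise, e.g. `# --must-staple is baked into the certificate; changing ocspMustStaple only takes effect at the next run/renew, and the serving side must actually staple.` The enclosing `let` of this service definition starts before the hunk.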