Using builtins.readFile to load upstream defaults is a clever trick, but
it's not allowed in restricted evaluation mode: which means it fails on
Hydra, for example. Besides - in Nixpkgs - depending on derivation as
inputs is considered bad practice and should be avoided.
Without this option all changes done with Caddy API are lost after reboot.
Current service is not supporting Caddy --resume parameter. There is reference to original unit https://github.com/caddyserver/dist/blob/master/init/caddy.service which also mentions --resume and that it should be used if new Caddy API will be used.
The generated json configuration returns this warning:
the 'issuer' field is deprecated and will be removed in the future; use 'issuers' instead
Updated the config to use "issuers" instead of "issuer"
Also, now it's possible to set the ca option null to not inject
automatically any ca. This is useful if you don't want to generate any
certificates or if you want to define a more fine-graned ca config
manually (e.g.: use different ca per domain)
Some ACME providers (like Buypass) are using a different certificate
to sign OCSP responses than for server certificates. Therefore,
sslTrustedCertificate should be provided by the user and we need to
allow that.
This allows the user to manually specify the addresses nginx shoud
listen on, while still having the convinience to use the *SSL options
and have the ports automatically applied
`allowKeysForGroup` is no longer available so this drops
```
security.acme.certs."example.com".allowKeysForGroup = true;
```
line. `SupplementaryGroups` should be enough for
allowing access to certificates.
- Set an explicit umask that allows u+rwx and g+r.
- Adds `ProtectControlGroups` and `ProtectKernelLogs`, there should be
no need to access either.
- Adds `ProtectClock` to prevent write-access to the system clock.
- `ProtectProc` hides processes from other users within the /proc
filesystem and `ProcSubSet` hides all files/directories unrelated to
the process management of the units process.
- Sets `RemoveIPC`, as there is no SysV or POSIX IPC within nginx that I
know of.
- Restricts the creation of arbitrary namespaces
- Adds a reasonable `SystemCallFilter` preventing calls to @privileged,
@obsolete and others.
And finally applies some sorting based on the order these options appear
in systemd.exec(5).