Merge pull request #18366 from groxxda/acme-loop

security.acme: require networking for client, remove loop without fallbackHost
2024-11-20 04:31:52 +00:00 · 2016-09-06 23:02:07 +02:00 · 2016-09-06 23:02:07 +02:00 · 9190dbcc0e
parent c5e9049ac3 e84b803300
commit 9190dbcc0e
3 changed files with 8 additions and 6 deletions
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -166,7 +166,8 @@ in
                          ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
                acmeService = {
                  description = "Renew ACME Certificate for ${cert}";
-                  after = [ "network.target" ];
+                  after = [ "network.target" "network-online.target" ];
+                  wants = [ "network-online.target" ];
                  serviceConfig = {
                    Type = "oneshot";
                    SuccessExitStatus = [ "0" "1" ];
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -114,17 +114,18 @@ let
        port = if vhost.port != null then vhost.port else (if ssl then 443 else 80);
        listenString = toString port + optionalString ssl " ssl http2"
          + optionalString vhost.default " default";
-        acmeLocation = optionalString vhost.enableACME ''
+        acmeLocation = optionalString vhost.enableACME (''
          location /.well-known/acme-challenge {
-            try_files $uri @acme-fallback;
+            ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
            root ${vhost.acmeRoot};
            auth_basic off;
          }
+        '' + (optionalString (vhost.acmeFallbackHost != null) ''
          location @acme-fallback {
            auth_basic off;
            proxy_pass http://${vhost.acmeFallbackHost};
          }
-        '';
+        ''));
      in ''
        ${optionalString vhost.forceSSL ''
          server {
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@ -39,8 +39,8 @@ with lib;
    };

    acmeFallbackHost = mkOption {
-      type = types.str;
-      default = "0.0.0.0";
+      type = types.nullOr types.str;
+      default = null;
      description = ''
        Host which to proxy requests to if acme challenge is not found. Useful
        if you want multiple hosts to be able to verify the same domain name.