nixos/acme: add s3Bucket option (#262806)
parent
6e68f706e4
commit
8b37735e0e
@ -184,6 +184,7 @@ let
|
||||
certToConfig = cert: data: let
|
||||
acmeServer = data.server;
|
||||
useDns = data.dnsProvider != null;
|
||||
useDnsOrS3 = useDns || data.s3Bucket != null;
|
||||
destPath = "/var/lib/acme/${cert}";
|
||||
selfsignedDeps = optionals (cfg.preliminarySelfsigned) [ "acme-selfsigned-${cert}.service" ];
|
||||
|
||||
@ -219,7 +220,8 @@ let
|
||||
[ "--dns" data.dnsProvider ]
|
||||
++ optionals (!data.dnsPropagationCheck) [ "--dns.disable-cp" ]
|
||||
++ optionals (data.dnsResolver != null) [ "--dns.resolvers" data.dnsResolver ]
|
||||
) else if data.listenHTTP != null then [ "--http" "--http.port" data.listenHTTP ]
|
||||
) else if data.s3Bucket != null then [ "--http" "--http.s3-bucket" data.s3Bucket ]
|
||||
else if data.listenHTTP != null then [ "--http" "--http.port" data.listenHTTP ]
|
||||
else [ "--http" "--http.webroot" data.webroot ];
|
||||
|
||||
commonOpts = [
|
||||
@ -362,13 +364,12 @@ let
|
||||
"/var/lib/acme/.lego/${cert}/${certDir}:/tmp/certificates"
|
||||
];
|
||||
|
||||
# Only try loading the environmentFile if the dns challenge is enabled
|
||||
EnvironmentFile = mkIf useDns data.environmentFile;
|
||||
EnvironmentFile = mkIf useDnsOrS3 data.environmentFile;
|
||||
|
||||
Environment = mkIf useDns
|
||||
Environment = mkIf useDnsOrS3
|
||||
(mapAttrsToList (k: v: ''"${k}=%d/${k}"'') data.credentialFiles);
|
||||
|
||||
LoadCredential = mkIf useDns
|
||||
LoadCredential = mkIf useDnsOrS3
|
||||
(mapAttrsToList (k: v: "${k}:${v}") data.credentialFiles);
|
||||
|
||||
# Run as root (Prefixed with +)
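Review bot: The three `mkIf useDnsOrS3` lines widen the credential loading to the S3 branch, but the hunk now has no comment saying why `EnvironmentFile`, `Environment` and `LoadCredential` are gated at all, so the next reader has to work out from `useDnsOrS3` that the webroot and `listenHTTP` modes deliberately get no secrets. I would put `# Secrets are only loaded for the backends that need them: DNS providers and the S3 HTTP-01 bucket.` above `EnvironmentFile`. Since those same files will presumably carry AWS credentials with write access to the bucket, a second line `# Scope S3 credentials to the challenge bucket; they are exposed to the whole lego invocation.` would record the least-privilege expectation. The enclosing `serviceConfig` attribute set starts and ends outside this hunk.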
|
||||
@ -755,6 +756,15 @@ let
|
||||
'';
|
||||
};
|
||||
|
||||
s3Bucket = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "acme";
|
||||
description = lib.mdDoc ''
|
||||
S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.
|
||||
'';
|
||||
};
|
||||
|
||||
inheritDefaults = mkOption {
|
||||
default = true;
|
||||
example = true;
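Review bot: The `description` of the new `s3Bucket` option does not tell the user what the S3 mode needs to work: elsewhere in this commit `environmentFile` and `credentialFiles` are loaded whenever `s3Bucket` is set, so AWS credentials have to be supplied through one of those, and the bucket presumably must be served over plain HTTP for the certificate's domains so the ACME server can fetch `/.well-known/acme-challenge/`. I would extend the description with: `Requires AWS credentials with write access to the bucket, provided via environmentFile or credentialFiles, and the bucket must be reachable over HTTP at the certificate's domains. Mutually exclusive with dnsProvider, webroot and listenHTTP.` The option also accepts any `types.str`, so a stray path or URL is only caught when lego fails; that is acceptable, but worth a sentence in the description. The enclosing option set starts and ends outside this hunk.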
|
||||
@ -929,32 +939,19 @@ in {
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = data.dnsProvider == null || data.webroot == null;
|
||||
assertion = lib.length (lib.filter (x: x != null) [
|
||||
data.dnsProvider
|
||||
data.webroot
|
||||
data.listenHTTP
|
||||
data.s3Bucket
|
||||
]) != 1;
|
||||
message = ''
|
||||
Options `security.acme.certs.${cert}.dnsProvider` and
|
||||
`security.acme.certs.${cert}.webroot` are mutually exclusive.
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = data.webroot == null || data.listenHTTP == null;
|
||||
message = ''
|
||||
Options `security.acme.certs.${cert}.webroot` and
|
||||
`security.acme.certs.${cert}.listenHTTP` are mutually exclusive.
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = data.listenHTTP == null || data.dnsProvider == null;
|
||||
message = ''
|
||||
Options `security.acme.certs.${cert}.listenHTTP` and
|
||||
`security.acme.certs.${cert}.dnsProvider` are mutually exclusive.
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = data.dnsProvider != null || data.webroot != null || data.listenHTTP != null;
|
||||
message = ''
|
||||
One of `security.acme.certs.${cert}.dnsProvider`,
|
||||
`security.acme.certs.${cert}.webroot`, or
|
||||
`security.acme.certs.${cert}.listenHTTP` must be provided.
|
||||
Exactly one of the options
|
||||
`security.acme.certs.${cert}.dnsProvider`,
|
||||
`security.acme.certs.${cert}.webroot`,
|
||||
`security.acme.certs.${cert}.listenHTTP` and
|
||||
`security.acme.certs.${cert}.s3Bucket`
|
||||
is required.
|
||||
'';
|
||||
}
|
||||
{
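Review bot: The new assertion at `]) != 1;` is inverted relative to its message: an assertion must evaluate to true for the configuration to be accepted, so as written it accepts configurations with zero or several challenge methods set and rejects the valid case of exactly one. The comparison should be `== 1` so that the "Exactly one of the options … is required" message fires only when that condition is violated. This matters more than before because the hunk also removes the three pairwise mutual-exclusion assertions, making this single count the only guard that `s3Bucket` is not combined with `dnsProvider`, `webroot` or `listenHTTP`; with the inverted comparison none of those combinations would be caught and the `certToConfig` branch would silently pick whichever comes first in its `if` chain. The surrounding assertion list continues past this hunk.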
|
||||
|