Merge pull request #18366 from groxxda/acme-loop
security.acme: require networking for client, remove loop without fallbackHost
This commit is contained in:
Franz Pletz
GitHub
commit
9190dbcc0e
@ -166,7 +166,8 @@ in
|
||||
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
|
||||
acmeService = {
|
||||
description = "Renew ACME Certificate for ${cert}";
|
||||
after = [ "network.target" ];
|
||||
after = [ "network.target" "network-online.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
SuccessExitStatus = [ "0" "1" ];
|
||||
|
||||
@ -114,17 +114,18 @@ let
|
||||
port = if vhost.port != null then vhost.port else (if ssl then 443 else 80);
|
||||
listenString = toString port + optionalString ssl " ssl http2"
|
||||
+ optionalString vhost.default " default";
|
||||
acmeLocation = optionalString vhost.enableACME ''
|
||||
acmeLocation = optionalString vhost.enableACME (''
|
||||
location /.well-known/acme-challenge {
|
||||
try_files $uri @acme-fallback;
|
||||
${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
|
||||
root ${vhost.acmeRoot};
|
||||
auth_basic off;
|
||||
}
|
||||
'' + (optionalString (vhost.acmeFallbackHost != null) ''
|
||||
location @acme-fallback {
|
||||
auth_basic off;
|
||||
proxy_pass http://${vhost.acmeFallbackHost};
|
||||
}
|
||||
'';
|
||||
''));
|
||||
in ''
|
||||
${optionalString vhost.forceSSL ''
|
||||
server {
|
||||
|
||||
@ -39,8 +39,8 @@ with lib;
|
||||
};
|
||||
|
||||
acmeFallbackHost = mkOption {
|
||||
type = types.str;
|
||||
default = "0.0.0.0";
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Host which to proxy requests to if acme challenge is not found. Useful
|
||||
if you want multiple hosts to be able to verify the same domain name.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user