Merge pull request #133671 from jlesquembre/caddy

nixos/caddy: update ca option
2021-08-14 08:53:45 -04:00 · 2021-08-14 08:53:45 -04:00 · cf17e439bc
commit cf17e439bc
parent d855d4cccc 679d54dcb3
1 changed files with 29 additions and 19 deletions
--- a/nixos/modules/services/web-servers/caddy.nix
+++ b/nixos/modules/services/web-servers/caddy.nix
@ -8,10 +8,10 @@ let

  tlsConfig = {
    apps.tls.automation.policies = [{
-      issuer = {
+      issuers = [{
        inherit (cfg) ca email;
        module = "acme";
-      };
+      }];
    }];
  };

@ -23,23 +23,28 @@ let

  # merge the TLS config options we expose with the ones originating in the Caddyfile
  configJSON =
-    let tlsConfigMerge = ''
-      {"apps":
-        {"tls":
-          {"automation":
-            {"policies":
-              (if .[0].apps.tls.automation.policies == .[1]?.apps.tls.automation.policies
-               then .[0].apps.tls.automation.policies
-               else (.[0].apps.tls.automation.policies + .[1]?.apps.tls.automation.policies)
-               end)
+    if cfg.ca != null then
+      let tlsConfigMerge = ''
+        {"apps":
+          {"tls":
+            {"automation":
+              {"policies":
+                (if .[0].apps.tls.automation.policies == .[1]?.apps.tls.automation.policies
+                 then .[0].apps.tls.automation.policies
+                 else (.[0].apps.tls.automation.policies + .[1]?.apps.tls.automation.policies)
+                 end)
+              }
            }
          }
-        }
-      }'';
-    in pkgs.runCommand "caddy-config.json" { } ''
-    ${pkgs.jq}/bin/jq -s '.[0] * ${tlsConfigMerge}' ${adaptedConfig} ${tlsJSON} > $out
-  '';
-in {
+        }'';
+      in
+      pkgs.runCommand "caddy-config.json" { } ''
+        ${pkgs.jq}/bin/jq -s '.[0] * ${tlsConfigMerge}' ${adaptedConfig} ${tlsJSON} > $out
+      ''
+    else
+      adaptedConfig;
+in
+{
  imports = [
    (mkRemovedOptionModule [ "services" "caddy" "agree" ] "this option is no longer necessary for Caddy 2")
  ];
@ -88,8 +93,13 @@ in {
    ca = mkOption {
      default = "https://acme-v02.api.letsencrypt.org/directory";
      example = "https://acme-staging-v02.api.letsencrypt.org/directory";
-      type = types.str;
-      description = "Certificate authority ACME server. The default (Let's Encrypt production server) should be fine for most people.";
+      type = types.nullOr types.str;
+      description = ''
+        Certificate authority ACME server. The default (Let's Encrypt
+        production server) should be fine for most people. Set it to null if
+        you don't want to include any authority (or if you want to write a more
+        fine-graned configuration manually)
+      '';
    };

    email = mkOption {