From d6e8934f38e194dae97044454c49958b342f4481 Mon Sep 17 00:00:00 2001
From: Kerstin Humm
Date: Tue, 16 Apr 2024 23:40:11 +0200
Subject: [PATCH] nixos/nginx: allow for resolving IPv6 addresses only
---
 .../services/web-servers/nginx/default.nix | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 3d1a00ccde7c..40470f535bf6 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -164,7 +164,7 @@ let
 ${commonHttpConfig}
 ${optionalString (cfg.resolver.addresses != []) ''
- resolver ${toString cfg.resolver.addresses} ${optionalString (cfg.resolver.valid != "") "valid=${cfg.resolver.valid}"} ${optionalString (!cfg.resolver.ipv6) "ipv6=off"};
+ resolver ${toString cfg.resolver.addresses} ${optionalString (cfg.resolver.valid != "") "valid=${cfg.resolver.valid}"} ${optionalString (!cfg.resolver.ipv4) "ipv4=off"} ${optionalString (!cfg.resolver.ipv6) "ipv6=off"};
 ''}
 ${upstreamConfig}
@@ -978,6 +978,15 @@ in
 An optional valid parameter allows overriding it
 '';
 };
+ ipv4 = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ By default, nginx will look up both IPv4 and IPv6 addresses while resolving.
+ If looking up of IPv4 addresses is not desired, the ipv4=off parameter can be
+ specified.
+ '';
+ };
 ipv6 = mkOption {
 type = types.bool;
 default = true;
@@ -1179,6 +1188,13 @@ in
 to answer to ACME requests.
 '';
 }
+
+ {
+ assertion = cfg.resolver.ipv4 || cfg.resolver.ipv6;
+ message = ''
+ At least one of services.nginx.resolver.ipv4 and services.nginx.resolver.ipv6 must be true.
+ '';
+ }
 ] ++ map (name: mkCertOwnershipAssertion {
 inherit (cfg) group user;
 cert = config.security.acme.certs.${name};
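Review bot: The resolver line in the first hunk now emits `ipv4=off` whenever `resolver.ipv4` is false, but nothing in the change ties this to the nginx build in use. Upstream nginx documents the `ipv4=off` resolver parameter as available from 1.23.1, so an older or forked `services.nginx.package` would presumably reject the generated config at load time rather than at evaluation. Forks number their releases differently, so a version assertion may be unreliable. At minimum the `ipv4` option description in the second hunk should state the requirement, e.g. `Requires nginx 1.23.1 or newer.` That description could also say that `ipv4` and `ipv6` cannot both be disabled, which the new assertion enforces.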
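Review bot: The new assertion in the third hunk checks `cfg.resolver.ipv4 || cfg.resolver.ipv6` unconditionally, while the first hunk renders these flags only when `cfg.resolver.addresses != []`. A configuration with no resolver addresses and both flags off therefore fails evaluation although no `resolver` directive would be written. If that is not intended, the condition can be scoped: `assertion = cfg.resolver.addresses == [] || cfg.resolver.ipv4 || cfg.resolver.ipv6;`. The assertions list starts and continues outside the hunk.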