authorMartin Weinelt <mweinelt@users.noreply.github.com>2021-12-11 22:06:48 +0100
committerGitHub <noreply@github.com>2021-12-11 22:06:48 +0100
commite675946ecde5606c505540de2024e2732bae4185 (patch)
treeecc9d3b375247058f35dc94a92392d1d295ba400 /nixos/modules/security/acme.nix
parent57f7f3a87b145c92adf802d8b75b725f5426cb95 (diff)
parent6fc18eb4199e4acb6a3b53b9ec49ae56d0782895 (diff)
Merge pull request #125256 from deviant/acme-standalone
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r--nixos/modules/security/acme.nix40
1 files changed, 37 insertions, 3 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 12ebc746f520..b50eeddfa40a 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -163,9 +163,8 @@ let
[ "--dns" data.dnsProvider ]
++ optionals (!data.dnsPropagationCheck) [ "--dns.disable-cp" ]
++ optionals (data.dnsResolver != null) [ "--dns.resolvers" data.dnsResolver ]
- ) else (
- [ "--http" "--http.webroot" data.webroot ]
- );
+ ) else if data.listenHTTP != null then [ "--http" "--http.port" data.listenHTTP ]
+ else [ "--http" "--http.webroot" data.webroot ];
commonOpts = [
"--accept-tos" # Checking the option is covered by the assertions
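Review bot: Style: the new `listenHTTP` branch is squeezed onto the closing-parenthesis line of the DNS branch (`) else if data.listenHTTP != null then [ ... ]`), which hides the three-way choice in a line that reads like the end of the previous one. Putting each arm on its own line, `) else if data.listenHTTP != null then` / `[ "--http" "--http.port" data.listenHTTP ]` / `else [ "--http" "--http.webroot" data.webroot ]`, matches the parenthesised layout the removed lines used. The `if data.dnsProvider != null then (` head of this expression is above the hunk.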
@@ -321,6 +320,8 @@ let
}
fi
'');
+ } // optionalAttrs (data.listenHTTP != null && toInt (elemAt (splitString ":" data.listenHTTP) 1) < 1024) {
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";
};
# Working directory will be /tmp
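Review bot: The port extraction in the added `optionalAttrs` condition, `elemAt (splitString ":" data.listenHTTP) 1`, picks the second colon-separated field, which is the port only for the `:PORT` and `IPv4:PORT` shapes; for a bracketed IPv6 interface such as `[::1]:443` (constructed example) that field is empty, `toInt` fails at evaluation time, and the CAP_NET_BIND_SERVICE grant never applies to such a listener. Taking the last field instead, `toInt (last (splitString ":" data.listenHTTP)) < 1024` (with `last` from lib, which the surrounding code appears to use unqualified), covers every form the option description allows. A value with no colon at all also throws from `elemAt` rather than failing with a message naming the option; validating the format at the option definition would make that a readable error. The service attribute set this `//` extends starts above the hunk.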
@@ -454,6 +455,17 @@ let
'';
};
+ listenHTTP = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = ":1360";
+ description = ''
+ Interface and port to listen on to solve HTTP challenges
+ in the form [INTERFACE]:PORT.
+ If you use a port other than 80, you must proxy port 80 to this port.
+ '';
+ };
+
server = mkOption {
type = types.nullOr types.str;
default = null;
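Review bot: `listenHTTP` is typed `types.nullOr types.str`, so nothing enforces the `[INTERFACE]:PORT` shape the description promises and that the `AmbientCapabilities` condition added earlier in this commit splits on; a value like `8080` (no colon) fails deep inside `elemAt`/`toInt` with no reference to the option. Tightening the type, e.g. `type = types.nullOr (types.strMatching ".*:[0-9]+");`, or adding an assertion with an explicit message would surface the mistake where the user set it. The description would also benefit from stating what an omitted INTERFACE means, presumably a bind on all interfaces if lego follows the usual Go listener convention (to be confirmed), since that is the case the `":1360"` example shows. The enclosing option set starts and ends outside the hunk.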
@@ -783,6 +795,28 @@ in {
`security.acme.certs.${cert}.webroot` are mutually exclusive.
'';
}
+ {
+ assertion = data.webroot == null || data.listenHTTP == null;
+ message = ''
+ Options `security.acme.certs.${cert}.webroot` and
+ `security.acme.certs.${cert}.listenHTTP` are mutually exclusive.
+ '';
+ }
+ {
+ assertion = data.listenHTTP == null || data.dnsProvider == null;
+ message = ''
+ Options `security.acme.certs.${cert}.listenHTTP` and
+ `security.acme.certs.${cert}.dnsProvider` are mutually exclusive.
+ '';
+ }
+ {
+ assertion = data.dnsProvider != null || data.webroot != null || data.listenHTTP != null;
+ message = ''
+ One of `security.acme.certs.${cert}.dnsProvider`,
+ `security.acme.certs.${cert}.webroot`, or
+ `security.acme.certs.${cert}.listenHTTP` must be provided.
+ '';
+ }
]) cfg.certs));
users.users.acme = {