commit 0f21306ca3af2bc94a452ac8c414cdbe36703be2 · pyrox.dev/nixpkgs

+15 -4

nixos/modules/services/web-servers/nginx/default.nix

···

       15
        
           } // (optionalAttrs vhostConfig.enableACME {

     

       16
        
             sslCertificate = "/var/lib/acme/${serverName}/fullchain.pem";

     

       17
        
             sslCertificateKey = "/var/lib/acme/${serverName}/key.pem";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       18
        
           })

     

       19
        
         ) cfg.virtualHosts;

     

       20
        
         enableIPv6 = config.networking.enableIPv6;

     
···

       174
        
       

     

       175
        
               redirectListen = filter (x: !x.ssl) defaultListen;

     

       176
        
       

     

       177
       -
               acmeLocation = ''

     

       178
        
                 location /.well-known/acme-challenge {

     

       179
        
                   ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}

     

       180
        
                   root ${vhost.acmeRoot};

     
···

       194
        
                   ${concatMapStringsSep "\n" listenString redirectListen}

     

       195
        
       

     

       196
        
                   server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};

     

       197
       -
                   ${optionalString vhost.enableACME acmeLocation}

     

       198
        
                   location / {

     

       199
        
                     return 301 https://$host$request_uri;

     

       200
        
                   }

     
···

       204
        
               server {

     

       205
        
                 ${concatMapStringsSep "\n" listenString hostListen}

     

       206
        
                 server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};

     

       207
       -
                 ${optionalString vhost.enableACME acmeLocation}

     

       208
        
                 ${optionalString (vhost.root != null) "root ${vhost.root};"}

     

       209
        
                 ${optionalString (vhost.globalRedirect != null) ''

     

       210
        
                   return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;

     
···

       555
        
                 are mutually exclusive.

     

       556
        
               '';

     

       557
        
             }

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       558
        
           ];

     

       559
        
       

     

       560
        
           systemd.services.nginx = {

     
···

       580
        
           security.acme.certs = filterAttrs (n: v: v != {}) (

     

       581
        
             let

     

       582
        
               vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;

     

       583
       -
               acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME) vhostsConfigs;

     

       584
        
               acmePairs = map (vhostConfig: { name = vhostConfig.serverName; value = {

     

       585
        
                   user = cfg.user;

     

       586
        
                   group = lib.mkDefault cfg.group;

···

       15
        
           } // (optionalAttrs vhostConfig.enableACME {

     

       16
        
             sslCertificate = "/var/lib/acme/${serverName}/fullchain.pem";

     

       17
        
             sslCertificateKey = "/var/lib/acme/${serverName}/key.pem";

     

       18
       +
           }) // (optionalAttrs (vhostConfig.useACMEHost != null) {

     

       19
       +
             sslCertificate = "/var/lib/acme/${vhostConfig.useACMEHost}/fullchain.pem";

     

       20
       +
             sslCertificateKey = "/var/lib/acme/${vhostConfig.useACMEHost}/key.pem";

     

       21
        
           })

     

       22
        
         ) cfg.virtualHosts;

     

       23
        
         enableIPv6 = config.networking.enableIPv6;

     
···

       177
        
       

     

       178
        
               redirectListen = filter (x: !x.ssl) defaultListen;

     

       179
        
       

     

       180
       +
               acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) ''

     

       181
        
                 location /.well-known/acme-challenge {

     

       182
        
                   ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}

     

       183
        
                   root ${vhost.acmeRoot};

     
···

       197
        
                   ${concatMapStringsSep "\n" listenString redirectListen}

     

       198
        
       

     

       199
        
                   server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};

     

       200
       +
                   ${acmeLocation}

     

       201
        
                   location / {

     

       202
        
                     return 301 https://$host$request_uri;

     

       203
        
                   }

     
···

       207
        
               server {

     

       208
        
                 ${concatMapStringsSep "\n" listenString hostListen}

     

       209
        
                 server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};

     

       210
       +
                 ${acmeLocation}

     

       211
        
                 ${optionalString (vhost.root != null) "root ${vhost.root};"}

     

       212
        
                 ${optionalString (vhost.globalRedirect != null) ''

     

       213
        
                   return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;

     
···

       558
        
                 are mutually exclusive.

     

       559
        
               '';

     

       560
        
             }

     

       561
       +
       

     

       562
       +
             {

     

       563
       +
               assertion = all (conf: !(conf.enableACME && conf.useACMEHost != null)) (attrValues virtualHosts);

     

       564
       +
               message = ''

     

       565
       +
                 Options services.nginx.service.virtualHosts.<name>.enableACME and

     

       566
       +
                 services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive.

     

       567
       +
               '';

     

       568
       +
             }

     

       569
        
           ];

     

       570
        
       

     

       571
        
           systemd.services.nginx = {

     
···

       591
        
           security.acme.certs = filterAttrs (n: v: v != {}) (

     

       592
        
             let

     

       593
        
               vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;

     

       594
       +
               acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs;

     

       595
        
               acmePairs = map (vhostConfig: { name = vhostConfig.serverName; value = {

     

       596
        
                   user = cfg.user;

     

       597
        
                   group = lib.mkDefault cfg.group;

+15 -1

nixos/modules/services/web-servers/nginx/vhost-options.nix

···

       48
        
           enableACME = mkOption {

     

       49
        
             type = types.bool;

     

       50
        
             default = false;

     

       51
       -
             description = "Whether to ask Let's Encrypt to sign a certificate for this vhost.";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       52
        
           };

     

       53
        
       

     

       54
        
           acmeRoot = mkOption {

···

       48
        
           enableACME = mkOption {

     

       49
        
             type = types.bool;

     

       50
        
             default = false;

     

       51
       +
             description = ''

     

       52
       +
               Whether to ask Let's Encrypt to sign a certificate for this vhost.

     

       53
       +
               Alternately, you can use an existing certificate through <option>useACMEHost</option>.

     

       54
       +
             '';

     

       55
       +
           };

     

       56
       +
       

     

       57
       +
           useACMEHost = mkOption {

     

       58
       +
             type = types.nullOr types.str;

     

       59
       +
             default = null;

     

       60
       +
             description = ''

     

       61
       +
               A host of an existing Let's Encrypt certificate to use.

     

       62
       +
               This is useful if you have many subdomains and want to avoid hitting the

     

       63
       +
               <link xlink:href="https://letsencrypt.org/docs/rate-limits/">rate limit</link>.

     

       64
       +
               Alternately, you can generate a certificate through <option>enableACME</option>.

     

       65
       +
             '';

     

       66
        
           };

     

       67
        
       

     

       68
        
           acmeRoot = mkOption {