···
# Attrset with the ACME certificate names split by whether or not they depend
# on H2O serving challenges.
···
70
-
certNames' = lib.lists.foldl partition {
70
+
certNames = lib.lists.foldl partition {
} acmeEnabledHostsConfigs;
77
-
all = certNames'.dependent ++ certNames'.independent;
77
+
all = certNames.dependent ++ certNames.independent;
···
names = getNames name value;
118
-
acmeSettings = lib.optionalAttrs (builtins.elem names.cert certNames.dependent) (
118
+
acmeSettings = lib.optionalAttrs (builtins.elem names.cert acmeCertNames.dependent) (
acmeChallengePath = "/.well-known/acme-challenge";
···
hasTLSRecommendations = tlsRecommendations != null && mozTLSRecs != null;
168
-
# NOTE: Let’s Encrypt has sunset OCSP stapling. Mozilla’s
169
-
# ssl-config-generator is at present still recommending this setting, but
170
-
# this module will skip setting a stapling value as Let’s Encrypt +
171
-
# ACME is the most likely use case.
173
-
# See: https://github.com/mozilla/ssl-config-generator/issues/323
174
-
tlsRecAttrs = lib.optionalAttrs hasTLSRecommendations (
176
-
recs = mozTLSRecs.${tlsRecommendations};
179
-
min-version = builtins.head recs.tls_versions;
180
-
cipher-preference = "server";
181
-
"cipher-suite-tls1.3" = recs.ciphersuites;
168
+
# ATTENTION: Let’s Encrypt has sunset OCSP stapling.
170
+
# If using ACME, this module will disable H2O’s default OCSP
173
+
# See: https://letsencrypt.org/2024/12/05/ending-ocsp/
174
+
lib.optionalAttrs (builtins.elem names.cert acmeCertNames.all) {
175
+
ocsp-update-interval = 0;
183
-
// lib.optionalAttrs (recs.ciphers.openssl != [ ]) {
184
-
cipher-suite = lib.concatStringsSep ":" recs.ciphers.openssl;
177
+
# Mozilla’s ssl-config-generator is at present still
178
+
# recommending this setting as well, but this module will
179
+
# skip setting a stapling value as Let’s Encrypt + ACME is
180
+
# the most likely use case.
182
+
# See: https://github.com/mozilla/ssl-config-generator/issues/323
183
+
// lib.optionalAttrs hasTLSRecommendations (
185
+
recs = mozTLSRecs.${tlsRecommendations};
188
+
min-version = builtins.head recs.tls_versions;
189
+
cipher-preference = "server";
190
+
"cipher-suite-tls1.3" = recs.ciphersuites;
192
+
// lib.optionalAttrs (recs.ciphers.openssl != [ ]) {
193
+
cipher-suite = lib.concatStringsSep ":" recs.ciphers.openssl;
···
223
-
++ lib.optional (builtins.elem names.cert certNames.all) {
232
+
++ lib.optional (builtins.elem names.cert acmeCertNames.all) {
key-file = "${certs.${names.cert}.directory}/key.pem";
certificate-file = "${certs.${names.cert}.directory}/fullchain.pem";
···
groups = config.users.groups;
config.systemd.services.h2o
405
-
] ++ lib.optional (certNames.all != [ ]) config.systemd.services.h2o-config-reload;
414
+
] ++ lib.optional (acmeCertNames.all != [ ]) config.systemd.services.h2o-config-reload;
416
+
) acmeCertNames.all;
···
description = "H2O HTTP server";
wantedBy = [ "multi-user.target" ];
423
-
wants = lib.concatLists (map (certName: [ "acme-finished-${certName}.target" ]) certNames.all);
432
+
wants = lib.concatLists (map (certName: [ "acme-finished-${certName}.target" ]) acmeCertNames.all);
# Since H2O will be hosting the challenges, H2O must be started
425
-
before = builtins.map (certName: "acme-${certName}.service") certNames.dependent;
434
+
before = builtins.map (certName: "acme-${certName}.service") acmeCertNames.dependent;
428
-
++ builtins.map (certName: "acme-selfsigned-${certName}.service") certNames.all
429
-
++ builtins.map (certName: "acme-${certName}.service") certNames.independent; # avoid loading self-signed key w/ real cert, or vice-versa
437
+
++ builtins.map (certName: "acme-selfsigned-${certName}.service") acmeCertNames.all
438
+
++ builtins.map (certName: "acme-${certName}.service") acmeCertNames.independent; # avoid loading self-signed key w/ real cert, or vice-versa
ExecStart = "${h2oExe} --mode 'master'";
···
systemd.services.h2o-config-reload =
482
-
tlsTargets = map (certName: "acme-${certName}.target") certNames.all;
483
-
tlsServices = map (certName: "acme-${certName}.service") certNames.all;
491
+
tlsTargets = map (certName: "acme-${certName}.target") acmeCertNames.all;
492
+
tlsServices = map (certName: "acme-${certName}.service") acmeCertNames.all;
485
-
mkIf (certNames.all != [ ]) {
494
+
mkIf (acmeCertNames.all != [ ]) {
wantedBy = tlsServices ++ [ "multi-user.target" ];
490
-
ConditionPathExists = map (certName: "${certs.${certName}.directory}/fullchain.pem") certNames.all;
499
+
ConditionPathExists = map (
500
+
certName: "${certs.${certName}.directory}/fullchain.pem"
501
+
) acmeCertNames.all;
# Disable rate limiting for this since it may be triggered quickly
# a bunch of times if a lot of certificates are renewed in quick
# succession. The reload itself is cheap, so even doing a lot of them
pyrox.dev