nixos/nginx: use the directory given in the ACME configuration #29556
Conversation
Note that this is similar to the
Force-pushed from d9ebaf9 to ba61c7d.
cc @globin (last person to commit to this file) - thoughts?
@@ -13,8 +13,8 @@ let | |||
vhostConfig // { | |||
inherit serverName; | |||
} // (optionalAttrs vhostConfig.enableACME { | |||
sslCertificate = "/var/lib/acme/${serverName}/fullchain.pem"; | |||
sslCertificateKey = "/var/lib/acme/${serverName}/key.pem"; | |||
sslCertificate = "${cfg.acmeDir}/${serverName}/fullchain.pem"; |
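Review bot: only the sslCertificate line is shown being replaced in this hunk; the sslCertificateKey line removed just above it must switch to the same directory expression, i.e. `sslCertificateKey = "${cfg.acmeDir}/${serverName}/key.pem";`, otherwise nginx would load fullchain.pem from the configured directory while still looking for key.pem under the hard-coded /var/lib/acme and fail to start its TLS listeners. Also, `cfg.acmeDir` introduces an nginx-local option that duplicates the ACME module's own directory setting; reading `config.security.acme.directory` here keeps the two from drifting apart, since the ACME module writes the certificate and key to that directory regardless of what nginx is told.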
I haven't tested this, but I think you should be able to use config.security.acme.directory directly here instead of making an nginx-specific wrapper option.
Yes, it appears that this does work - just pushed a commit to use that instead. Thanks for the suggestion! 😀
Force-pushed from ba61c7d to 8ae30a5.
This commit changes the default `/var/lib/acme` directory to instead be the directory that was specified in the acme config: `config.security.acme.directory`. This doesn't change anything by default, since the default value of that option is the same. This is useful in cases where we'd like to store the ACME certificates and keys in a more centralized location; for example, on a mounted EBS volume in Amazon, or to centralize secrets in a centralized directory for monitoring purposes.
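The following NixOS configuration is an added example, not code from the PR or from nixpkgs, showing the situation the commit message describes: the ACME state directory is moved onto a separately mounted volume and an nginx virtual host with enableACME is expected to follow it. The hostname, mount point and block device are assumptions; the option names (security.acme.directory, services.nginx.virtualHosts.<name>.enableACME and forceSSL, fileSystems.<name>) are the ones the nginx and ACME modules of that era exposed.

```nix
# Added example (not part of the PR). Assumed values: the hostname,
# the /mnt/secrets mount point and the /dev/xvdf device.
{ config, pkgs, ... }:

{
  # Assumption: an attached volume (e.g. EBS) holding secrets. It has to be
  # mounted before acme and nginx run, or both would write/read into an empty
  # directory on the root filesystem instead of the volume.
  fileSystems."/mnt/secrets" = {
    device = "/dev/xvdf";
    fsType = "ext4";
  };

  # Move the ACME state out of the default /var/lib/acme. The ACME module
  # writes <directory>/<cert name>/{fullchain.pem,key.pem} here.
  security.acme.directory = "/mnt/secrets/acme";

  services.nginx = {
    enable = true;
    virtualHosts."example.org" = {
      enableACME = true;
      forceSSL = true;
      root = "/var/www/example.org";
    };
  };

  # With the change in this PR, the generated vhost points at
  #   /mnt/secrets/acme/example.org/fullchain.pem
  #   /mnt/secrets/acme/example.org/key.pem
  # because nginx now derives the paths from config.security.acme.directory.
  # Before the change, nginx kept the hard-coded /var/lib/acme/example.org/...
  # paths while the ACME module wrote the files under /mnt/secrets/acme, so
  # the vhost would reference a certificate and key that do not exist.
}
```

Two things are worth checking once the host is rebuilt: that /mnt/secrets is actually a mount and not an empty directory on the root filesystem (`findmnt /mnt/secrets`), and that the directory permissions still restrict key.pem to the users the ACME module intends (`ls -l /mnt/secrets/acme/example.org`), since relocating keys to a shared "secrets" volume for monitoring makes it easy to widen who can read them.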
Force-pushed from 8ae30a5 to f01380b.
@aneeshusa - Thanks for the review! Just rebased & force-pushed, and the build is now passing.
This LGTM, but I don't have merge rights.
Motivation for this change
This is useful in cases where we'd like to store the ACME certificates and keys in a more centralized location; for example, on a mounted EBS volume in Amazon, or to centralize secrets in a centralized directory for monitoring purposes.
Things done
- Sandboxing: build-use-sandbox in nix.conf (on non-NixOS)
- nix-shell -p nox --run "nox-review wip"
- ./result/bin/