nixos/nginx: allow using existing ACME certificate #33900
Conversation
When a domain has a lot of subdomains, it is quite easy to hit the rate limit: https://letsencrypt.org/docs/rate-limits/ Instead you can define the certificate manually in `security.acme.certs` and list the subdomains in the `extraDomains` option.
| @@ -194,7 +197,7 @@ let | |||
| ${concatMapStringsSep "\n" listenString redirectListen} | |||
|
|
|||
| server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases}; | |||
| ${optionalString vhost.enableACME acmeLocation} | |||
| ${acmeLocation} | |||
There was a problem hiding this comment.
While it probably doesn't hurt having that there shouldn't it depend on (vhost.enableACME || vhost.useACMEHost != null) like the other parts?
There was a problem hiding this comment.
I do not understand what you mean. Unless (vhost.enableACME || vhost.useACMEHost != null) is true, the variable will contain an empty string. I chose to move the condition back to acmeLocation definition in order to reduce duplication.
There was a problem hiding this comment.
Yes, you are right. I see that now.
|
cc @fpletz |
|
Okayed by globin on IRC. |
| @@ -174,7 +177,7 @@ let | |||
|
|
|||
| redirectListen = filter (x: !x.ssl) defaultListen; | |||
|
|
|||
| acmeLocation = '' | |||
| acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) '' | |||
There was a problem hiding this comment.
What's the purpose of acmeLocation when useACMEHost != null?
There was a problem hiding this comment.
Hmm, I actually have no idea if it is needed. I probably just kept it in case Let’s Encrypt runs the challenge on all subdomains in the certificate.
There was a problem hiding this comment.
Necessary to allow challenges to be reachable for HTTP-01, not necessary when using security.acme.certs.<cert>.dnsProvider. See #245737
Motivation for this change
When a domain has a lot of subdomains, it is quite easy to hit the rate limit. Instead you can define the certificate manually in
security.acme.certsand list the subdomains in theextraDomainsoption.Things done
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)