nixos/modules/security/acme.nix: add server option

Add a new option permitting to point certbot to an ACME Directory Resource URI other than Let's Encrypt production/staging one. In the meantime, we are deprecating the now useless Let's Encrypt production flag.
5 years ago · 5671fa2396
parent 91a714000a
commit 5671fa2396
1 changed files with 30 additions and 16 deletions
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -20,6 +20,16 @@ let
        '';
      };

+      server = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          ACME Directory Resource URI. Defaults to let's encrypt
+          production endpoint,
+          https://acme-v02.api.letsencrypt.org/directory, if unset.
+        '';
+      };
+
      domain = mkOption {
        type = types.str;
        default = name;
@ -109,7 +119,15 @@ in
 {

  ###### interface
-
+  imports = [
+    (mkRemovedOptionModule [ "security" "acme" "production" ] ''
+      Use security.acme.server to define your staging ACME server URL instead.
+
+      To use the let's encrypt staging server, use security.acme.server =
+      "https://acme-staging-v02.api.letsencrypt.org/directory".
+    ''
+    )
+  ];
  options = {
    security.acme = {

@ -129,6 +147,16 @@ in
        '';
      };

+      server = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          ACME Directory Resource URI. Defaults to let's encrypt
+          production endpoint,
+          <literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset.
+        '';
+      };
+
      preliminarySelfsigned = mkOption {
        type = types.bool;
        default = true;
@ -142,20 +170,6 @@ in
        '';
      };

-      production = mkOption {
-        type = types.bool;
-        default = true;
-        description = ''
-          If set to true, use Let's Encrypt's production environment
-          instead of the staging environment. The main benefit of the
-          staging environment is to get much higher rate limits.
-
-          See
-          <literal>https://letsencrypt.org/docs/staging-environment</literal>
-          for more detail.
-        '';
-      };
-
      certs = mkOption {
        default = { };
        type = with types; attrsOf (submodule certOpts);
@ -198,7 +212,7 @@ in
                          ++ optionals (data.email != null) [ "--email" data.email ]
                          ++ concatMap (p: [ "-f" p ]) data.plugins
                          ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
-                          ++ optionals (!cfg.production) ["--server" "https://acme-staging-v02.api.letsencrypt.org/directory"];
+                          ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
                acmeService = {
                  description = "Renew ACME Certificate for ${cert}";
                  after = [ "network.target" "network-online.target" ];