|
|
|
@ -136,6 +136,19 @@ let |
|
|
|
|
challenge to ensure the DNS entries required are available. |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
ocspMustStaple = mkOption { |
|
|
|
|
type = types.bool; |
|
|
|
|
default = false; |
|
|
|
|
description = '' |
|
|
|
|
Turns on the OCSP Must-Staple TLS extension. |
|
|
|
|
Make sure you know what you're doing! See: |
|
|
|
|
<itemizedlist> |
|
|
|
|
<listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem> |
|
|
|
|
<listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem> |
|
|
|
|
</itemizedlist> |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
}; |
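Review bot: The ocspMustStaple description tells the reader to "know what you're doing" but never states the concrete failure mode an operator needs before enabling it: a certificate carrying the Must-Staple extension is rejected by enforcing clients whenever the TLS endpoint does not present a fresh stapled OCSP response, so the option is only safe when every service serving this certificate has OCSP stapling configured and verified. I would add to the description at the "Make sure you know what you're doing!" line: `Only enable this when every service presenting the certificate has OCSP stapling configured and working; otherwise clients that enforce the extension will fail the TLS handshake.` A second caveat worth stating is that toggling the option after issuance presumably does not change the existing certificate, since the second hunk only passes `--must-staple` to `run` and to `renew --days`, which as far as I can tell re-issues only near expiry — the description should say the new setting applies at the next issuance. Both points are documentation only; the code in the hunk looks consistent with the option.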
|
|
|
|
|
|
|
|
@ -288,8 +301,11 @@ in |
|
|
|
|
++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains) |
|
|
|
|
++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" data.webroot ]) |
|
|
|
|
++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)]; |
|
|
|
|
runOpts = escapeShellArgs (globalOpts ++ [ "run" ]); |
|
|
|
|
renewOpts = escapeShellArgs (globalOpts ++ [ "renew" "--days" (toString cfg.validMinDays) ]); |
|
|
|
|
certOpts = optionals data.ocspMustStaple [ "--must-staple" ]; |
|
|
|
|
runOpts = escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts); |
|
|
|
|
renewOpts = escapeShellArgs (globalOpts ++ |
|
|
|
|
[ "renew" "--days" (toString cfg.validMinDays) ] ++ |
|
|
|
|
certOpts); |
|
|
|
|
acmeService = { |
|
|
|
|
description = "Renew ACME Certificate for ${cert}"; |
|
|
|
|
after = [ "network.target" "network-online.target" ]; |
|
|
|
|