movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-27 19:46:40 +03:00
Code Activity
nixpkgs/nixos/modules/services/web-servers/h2o/default.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

554 lines
18 KiB
Nix
Raw Normal View History

nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
{
config,
lib,
pkgs,
...
}:
# TODO: Gems includes for Mruby
let
cfg = config.services.h2o;
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
inherit (config.security.acme) certs;
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
inherit (lib)
literalExpression
mkDefault
mkEnableOption
mkIf
mkOption
types
;
nixos/step-ca: add H2O test
2025-02-21 16:31:48 +07:00
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project
2025-02-23 17:35:25 +07:00
inherit (import ./common.nix { inherit lib; }) tlsRecommendationsOption;
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
settingsFormat = pkgs.formats.yaml { };
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
getNames = name: vhostSettings: rec {
server = if vhostSettings.serverName != null then vhostSettings.serverName else name;
cert =
if lib.attrByPath [ "acme" "useHost" ] null vhostSettings == null then
server
else
vhostSettings.acme.useHost;
};
# Attrset with the virtual hosts relevant to ACME configuration
acmeEnabledHostsConfigs = lib.foldlAttrs (
acc: name: value:
if value.acme == null || (!value.acme.enable && value.acme.useHost == null) then
acc
else
let
names = getNames name value;
virtualHostConfig = value // {
serverName = names.server;
certName = names.cert;
};
in
acc ++ [ virtualHostConfig ]
) [ ] cfg.hosts;
# Attrset with the ACME certificate names split by whether or not they depend
# on H2O serving challenges.
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
acmeCertNames =
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
let
partition =
acc: vhostSettings:
let
inherit (vhostSettings) certName;
isDependent = certs.${certName}.dnsProvider == null;
in
if isDependent && !(builtins.elem certName acc.dependent) then
acc // { dependent = acc.dependent ++ [ certName ]; }
else if !isDependent && !(builtins.elem certName acc.independent) then
acc // { independent = acc.independent ++ [ certName ]; }
else
acc;
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
certNames = lib.lists.foldl partition {
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
dependent = [ ];
independent = [ ];
} acmeEnabledHostsConfigs;
in
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
certNames
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
// {
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
all = certNames.dependent ++ certNames.independent;
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
};
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project
2025-02-23 17:35:25 +07:00
mozTLSRecs =
if cfg.defaultTLSRecommendations != null then
let
# NOTE: if updating, *do* verify the changes then adjust ciphers &
# other settings with the tests @
# `nixos/tests/web-servers/h2o/tls-recommendations.nix`
# & run with `nix-build -A nixosTests.h2o.tls-recommendations`
version = "5.7";
git_tag = "v5.7.1";
guidelinesJSON =
lib.pipe
{
urls = [
"https://ssl-config.mozilla.org/guidelines/${version}.json"
"https://raw.githubusercontent.com/mozilla/ssl-config-generator/refs/tags/${git_tag}/src/static/guidelines/${version}.json"
];
sha256 = "sha256:1mj2pcb1hg7q2wpgdq3ac8pc2q64wvwvwlkb9xjmdd9jm4hiyny7";
}
[
pkgs.fetchurl
builtins.readFile
builtins.fromJSON
];
in
guidelinesJSON.configurations
else
null;
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
hostsConfig = lib.concatMapAttrs (
name: value:
let
port = {
HTTP = lib.attrByPath [ "http" "port" ] cfg.defaultHTTPListenPort value;
TLS = lib.attrByPath [ "tls" "port" ] cfg.defaultTLSListenPort value;
};
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
names = getNames name value;
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
acmeSettings = lib.optionalAttrs (builtins.elem names.cert acmeCertNames.dependent) (
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
let
acmePort = 80;
acmeChallengePath = "/.well-known/acme-challenge";
in
{
"${names.server}:${builtins.toString acmePort}" = {
listen.port = acmePort;
paths."${acmeChallengePath}/" = {
"file.dir" = value.acme.root + acmeChallengePath;
};
};
}
);
httpSettings =
lib.optionalAttrs (value.tls == null || value.tls.policy == "add") {
"${names.server}:${builtins.toString port.HTTP}" = value.settings // {
listen.port = port.HTTP;
};
}
// lib.optionalAttrs (value.tls != null && value.tls.policy == "force") {
"${names.server}:${builtins.toString port.HTTP}" = {
listen.port = port.HTTP;
paths."/" = {
redirect = {
status = value.tls.redirectCode;
url = "https://${names.server}:${builtins.toString port.TLS}";
};
};
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
};
};
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
tlsSettings =
lib.optionalAttrs
(
value.tls != null
&& builtins.elem value.tls.policy [
"add"
"only"
"force"
]
)
{
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project
2025-02-23 17:35:25 +07:00
"${names.server}:${builtins.toString port.TLS}" =
let
tlsRecommendations = lib.attrByPath [ "tls" "recommendations" ] cfg.defaultTLSRecommendations value;
hasTLSRecommendations = tlsRecommendations != null && mozTLSRecs != null;
nixos/h2o: disable OCSP stapling w/ Let’s Encrypt (support sunset) It was noted in the TLS recommendations comment, but it actually should be disabled everywhere if ACME is used as H2O has in enabled by default. More info: <https://letsencrypt.org/2024/12/05/ending-ocsp/>
2025-03-27 22:54:59 +07:00
# ATTENTION: Lets Encrypt has sunset OCSP stapling.
tlsRecAttrs =
# If using ACME, this module will disable H2Os default OCSP
# stapling.
#
# See: https://letsencrypt.org/2024/12/05/ending-ocsp/
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
lib.optionalAttrs (builtins.elem names.cert acmeCertNames.all) {
nixos/h2o: disable OCSP stapling w/ Let’s Encrypt (support sunset) It was noted in the TLS recommendations comment, but it actually should be disabled everywhere if ACME is used as H2O has in enabled by default. More info: <https://letsencrypt.org/2024/12/05/ending-ocsp/>
2025-03-27 22:54:59 +07:00
ocsp-update-interval = 0;
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project
2025-02-23 17:35:25 +07:00
}
nixos/h2o: disable OCSP stapling w/ Let’s Encrypt (support sunset) It was noted in the TLS recommendations comment, but it actually should be disabled everywhere if ACME is used as H2O has in enabled by default. More info: <https://letsencrypt.org/2024/12/05/ending-ocsp/>
2025-03-27 22:54:59 +07:00
# Mozillas ssl-config-generator is at present still
# recommending this setting as well, but this module will
# skip setting a stapling value as Lets Encrypt + ACME is
# the most likely use case.
#
# See: https://github.com/mozilla/ssl-config-generator/issues/323
// lib.optionalAttrs hasTLSRecommendations (
let
recs = mozTLSRecs.${tlsRecommendations};
in
{
min-version = builtins.head recs.tls_versions;
cipher-preference = "server";
"cipher-suite-tls1.3" = recs.ciphersuites;
}
// lib.optionalAttrs (recs.ciphers.openssl != [ ]) {
cipher-suite = lib.concatStringsSep ":" recs.ciphers.openssl;
}
);
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project
2025-02-23 17:35:25 +07:00
headerRecAttrs =
lib.optionalAttrs
(
hasTLSRecommendations
&& value.tls != null
&& builtins.elem value.tls.policy [
"force"
"only"
]
)
(
let
headerSet = value.settings."header.set" or [ ];
recs = mozTLSRecs.${tlsRecommendations};
hsts = "Strict-Transport-Security: max-age=${builtins.toString recs.hsts_min_age}; includeSubDomains; preload";
in
{
"header.set" =
if builtins.isString headerSet then
[
headerSet
hsts
]
else
headerSet ++ [ hsts ];
}
);
nixos/h2o: enable HTTP/3 via QUIC
2025-03-27 18:57:52 +07:00
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project
2025-02-23 17:35:25 +07:00
listen =
let
identity =
value.tls.identity
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
++ lib.optional (builtins.elem names.cert acmeCertNames.all) {
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project
2025-02-23 17:35:25 +07:00
key-file = "${certs.${names.cert}.directory}/key.pem";
certificate-file = "${certs.${names.cert}.directory}/fullchain.pem";
};
nixos/h2o: enable HTTP/3 via QUIC
2025-03-27 18:57:52 +07:00
baseListen =
{
port = port.TLS;
ssl = (lib.recursiveUpdate tlsRecAttrs value.tls.extraSettings) // {
inherit identity;
};
}
// lib.optionalAttrs (value.host != null) {
host = value.host;
};
# QUIC, if used, will duplicate the TLS over TCP directive, but
# append some extra QUIC-related settings
quicListen = lib.optional (value.tls.quic != null) (baseListen // { inherit (value.tls) quic; });
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project
2025-02-23 17:35:25 +07:00
in
{
nixos/h2o: enable HTTP/3 via QUIC
2025-03-27 18:57:52 +07:00
listen = [ baseListen ] ++ quicListen;
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
};
nixos/h2o: enable HTTP/3 via QUIC
2025-03-27 18:57:52 +07:00
in
value.settings // headerRecAttrs // listen;
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
};
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
in
# With a high likelihood of HTTP & ACME challenges being on the same port,
# 80, do a recursive update to merge the 2 settings together
(lib.recursiveUpdate acmeSettings httpSettings) // tlsSettings
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
) cfg.hosts;
h2oConfig = settingsFormat.generate "h2o.yaml" (
lib.recursiveUpdate { hosts = hostsConfig; } cfg.settings
);
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
# Executing H2O with our generated configuration; `mode` added as needed
h2oExe = ''${lib.getExe cfg.package} ${
lib.strings.escapeShellArgs [
"--conf"
"${h2oConfig}"
]
}'';
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
in
{
options = {
services.h2o = {
enable = mkEnableOption "H2O web server";
user = mkOption {
type = types.nonEmptyStr;
default = "h2o";
description = "User running H2O service";
};
group = mkOption {
type = types.nonEmptyStr;
default = "h2o";
description = "Group running H2O services";
};
package = lib.mkPackageOption pkgs "h2o" {
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project
2025-02-23 17:35:25 +07:00
example = # nix
''
pkgs.h2o.override {
withMruby = false;
openssl = pkgs.openssl_legacy;
}
'';
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
};
defaultHTTPListenPort = mkOption {
type = types.port;
default = 80;
description = ''
If hosts do not specify listen.port, use these ports for HTTP by default.
'';
example = 8080;
};
defaultTLSListenPort = mkOption {
type = types.port;
default = 443;
description = ''
If hosts do not specify listen.port, use these ports for SSL by default.
'';
example = 8443;
};
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project
2025-02-23 17:35:25 +07:00
defaultTLSRecommendations = tlsRecommendationsOption;
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
settings = mkOption {
type = settingsFormat.type;
nixos/h2o: use { } for settings default
2025-02-20 15:29:15 +07:00
default = { };
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
description = "Configuration for H2O (see <https://h2o.examp1e.net/configure.html>)";
nixos/h2o: provide a settings example
2025-02-27 12:50:34 +07:00
example =
literalExpression
# nix
''
{
compress = "ON";
ssl-offload = "kernel";
http2-reprioritize-blocking-assets = "ON";
"file.mime.addtypes" = {
"text/x-rst" = {
extensions = [ ".rst" ];
is_compressible = "YES";
};
};
}
'';
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
};
hosts = mkOption {
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project
2025-02-23 17:35:25 +07:00
type = types.attrsOf (types.submodule (import ./vhost-options.nix { inherit config lib; }));
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
default = { };
description = ''
The `hosts` config to be merged with the settings.
Note that unlike YAML used for H2O, Nix will not support duplicate
keys to, for instance, have multiple listens in a host block; use the
virtual host options in like `http` & `tls` or use `$HOST:$PORT`
keys if manually specifying config.
'';
example =
literalExpression
# nix
''
{
"hydra.example.com" = {
tls = {
policy = "force";
nixos/h2o: typo
2025-03-11 18:35:53 +07:00
identity = [
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
{
key-file = "/path/to/key";
certificate-file = "/path/to/cert";
};
];
extraSettings = {
minimum-version = "TLSv1.3";
};
};
settings = {
paths."/" = {
"file:dir" = "/var/www/default";
};
};
};
}
'';
};
};
};
config = mkIf cfg.enable {
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
assertions =
[
{
assertion =
!(builtins.hasAttr "hosts" h2oConfig)
|| builtins.all (
host:
let
hasKeyPlusCert = attrs: (attrs.key-file or "") != "" && (attrs.certificate-file or "") != "";
in
# TLS not used
(lib.attrByPath [ "listen" "ssl" ] null host == null)
# TLS identity property
|| (
builtins.hasAttr "identity" host
&& builtins.length host.identity > 0
&& builtins.all hasKeyPlusCert host.listen.ssl.identity
)
# TLS short-hand (was manually specified)
|| (hasKeyPlusCert host.listen.ssl)
) (lib.attrValues h2oConfig.hosts);
message = ''
TLS support will require at least one non-empty certificate & key
file. Use services.h2o.hosts.<name>.acme.enable,
services.h2o.hosts.<name>.acme.useHost,
services.h2o.hosts.<name>.tls.identity, or
services.h2o.hosts.<name>.tls.extraSettings.
'';
}
]
++ builtins.map (
name:
mkCertOwnershipAssertion {
cert = certs.${name};
groups = config.users.groups;
services = [
config.systemd.services.h2o
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
] ++ lib.optional (acmeCertNames.all != [ ]) config.systemd.services.h2o-config-reload;
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
}
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
) acmeCertNames.all;
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
users = {
users.${cfg.user} =
{
group = cfg.group;
}
// lib.optionalAttrs (cfg.user == "h2o") {
isSystemUser = true;
};
groups.${cfg.group} = { };
};
systemd.services.h2o = {
nixos/h2o: service name matches project
2025-02-22 09:51:45 +07:00
description = "H2O HTTP server";
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
wantedBy = [ "multi-user.target" ];
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
wants = lib.concatLists (map (certName: [ "acme-finished-${certName}.target" ]) acmeCertNames.all);
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
# Since H2O will be hosting the challenges, H2O must be started
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
before = builtins.map (certName: "acme-${certName}.service") acmeCertNames.dependent;
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
after =
[ "network.target" ]
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
++ builtins.map (certName: "acme-selfsigned-${certName}.service") acmeCertNames.all
++ builtins.map (certName: "acme-${certName}.service") acmeCertNames.independent; # avoid loading self-signed key w/ real cert, or vice-versa
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
serviceConfig = {
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
ExecStart = "${h2oExe} --mode 'master'";
ExecReload = [
"${h2oExe} --mode 'test'"
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
];
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
ExecStop = "${pkgs.coreutils}/bin/kill -s QUIT $MAINPID";
User = cfg.user;
nixos/h2o: add missing Group to systemd
2025-02-21 19:53:46 +07:00
Group = cfg.group;
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
Restart = "always";
RestartSec = "10s";
RuntimeDirectory = "h2o";
RuntimeDirectoryMode = "0750";
CacheDirectory = "h2o";
CacheDirectoryMode = "0750";
LogsDirectory = "h2o";
LogsDirectoryMode = "0750";
ProtectSystem = "strict";
ProtectHome = mkDefault true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilitiesBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
};
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
preStart = "${h2oExe} --mode 'test'";
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
};
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
# This service waits for all certificates to be available before reloading
# H2O configuration. `tlsTargets` are added to `wantedBy` + `before` which
# allows the `acme-finished-$cert.target` to signify the successful updating
# of certs end-to-end.
systemd.services.h2o-config-reload =
let
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
tlsTargets = map (certName: "acme-${certName}.target") acmeCertNames.all;
tlsServices = map (certName: "acme-${certName}.service") acmeCertNames.all;
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
in
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
mkIf (acmeCertNames.all != [ ]) {
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
wantedBy = tlsServices ++ [ "multi-user.target" ];
before = tlsTargets;
after = tlsServices;
unitConfig = {
nixos/h2o: rename certNames → acmeCertNames We are in agreement ðis improves the naming clarity
2025-03-28 22:25:08 +07:00
ConditionPathExists = map (
certName: "${certs.${certName}.directory}/fullchain.pem"
) acmeCertNames.all;
nixos/h2o: basic ACME support
2025-02-23 09:46:16 +07:00
# Disable rate limiting for this since it may be triggered quickly
# a bunch of times if a lot of certificates are renewed in quick
# succession. The reload itself is cheap, so even doing a lot of them
# in a short burst is fine.
#
# FIXME: like Nginxs FIXME, theres probably a better way to do
# this.
StartLimitIntervalSec = 0;
};
serviceConfig = {
Type = "oneshot";
TimeoutSec = 60;
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active h2o.service";
ExecStart = "/run/current-system/systemd/bin/systemctl reload h2o.service";
};
};
security.acme.certs =
let
mkCerts =
acc: vhostSettings:
if vhostSettings.acme.useHost == null then
let
hasRoot = vhostSettings.acme.root != null;
in
acc
// {
"${vhostSettings.serverName}" = {
group = mkDefault cfg.group;
# If `acme.root` is `null`, inherit `config.security.acme`.
# Since `config.security.acme.certs.<cert>.webroot`s own
# default value should take precedence set priority higher than
# mkOptionDefault
webroot = lib.mkOverride (if hasRoot then 1000 else 2000) vhostSettings.acme.root;
# Also nudge dnsProvider to null in case it is inherited
dnsProvider = lib.mkOverride (if hasRoot then 1000 else 2000) null;
extraDomainNames = vhostSettings.serverAliases;
};
}
else
acc;
in
lib.lists.foldl mkCerts { } acmeEnabledHostsConfigs;
};
nixos/h2o: init module Co-Authored-By: adisbladis <adis@blad.is>
2025-02-12 12:42:02 +07:00
}
Copy permalink