nixos/acme: Clean up default handling

Silvan Mosberger 2021-12-09 22:43:54 +01:00 committed by Lucas Savva
parent 41fb8d71ab
commit 2dcc3daadf
GPG key ID: E4EC5BF2E2F116A2


@ -426,23 +426,31 @@ let
certConfigs = mapAttrs certToConfig cfg.certs; certConfigs = mapAttrs certToConfig cfg.certs;
mkDefaultText = val: "Inherit from security.acme.defaults, otherwise ${val}" ;
# These options can be specified within # These options can be specified within
# security.acme or security.acme.certs.<name> # security.acme.defaults or security.acme.certs.<name>
inheritableOpts = inheritableModule = isDefaults: { config, ... }: let
{ inheritDefaults ? false, defaults ? null }: { defaultAndText = name: default: {
# When ! isDefaults then this is the option declaration for the
# security.acme.certs.<name> path, which has the extra inheritDefaults
# option, which if disabled means that we can't inherit it
default = if isDefaults || ! config.inheritDefaults then default else cfg.defaults.${name};
# The docs however don't need to depend on inheritDefaults, they should
# stay constant. Though notably it wouldn't matter much, because to get
# the option information, a submodule with name `<name>` is evaluated
# without any definitions.
defaultText = if isDefaults then default else literalExpression "config.security.acme.defaults.${name}";
};
in {
options = {
validMinDays = mkOption { validMinDays = mkOption {
type = types.int; type = types.int;
default = if inheritDefaults then defaults.validMinDays else 30; inherit (defaultAndText "validMinDays" 30) default defaultText;
defaultText = mkDefaultText "30";
description = "Minimum remaining validity before renewal in days."; description = "Minimum remaining validity before renewal in days.";
}; };
renewInterval = mkOption { renewInterval = mkOption {
type = types.str; type = types.str;
default = if inheritDefaults then defaults.renewInterval else "daily"; inherit (defaultAndText "renewInterval" "daily") default defaultText;
defaultText = mkDefaultText "'daily'";
description = '' description = ''
Systemd calendar expression when to check for renewal. See Systemd calendar expression when to check for renewal. See
<citerefentry><refentrytitle>systemd.time</refentrytitle> <citerefentry><refentrytitle>systemd.time</refentrytitle>
@ -451,13 +459,12 @@ let
}; };
enableDebugLogs = mkEnableOption "debug logging for this certificate" // { enableDebugLogs = mkEnableOption "debug logging for this certificate" // {
default = if inheritDefaults then defaults.enableDebugLogs else true; inherit (defaultAndText "enableDebugLogs" true) default defaultText;
}; };
webroot = mkOption { webroot = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = if inheritDefaults then defaults.webroot else null; inherit (defaultAndText "webroot" null) default defaultText;
defaultText = mkDefaultText "null";
example = "/var/lib/acme/acme-challenge"; example = "/var/lib/acme/acme-challenge";
description = '' description = ''
Where the webroot of the HTTP vhost is located. Where the webroot of the HTTP vhost is located.
@ -470,8 +477,7 @@ let
server = mkOption { server = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = if inheritDefaults then defaults.server else null; inherit (defaultAndText "server" null) default defaultText;
defaultText = mkDefaultText "null";
description = '' description = ''
ACME Directory Resource URI. Defaults to Let's Encrypt's ACME Directory Resource URI. Defaults to Let's Encrypt's
production endpoint, production endpoint,
@ -481,8 +487,7 @@ let
email = mkOption { email = mkOption {
type = types.str; type = types.str;
default = if inheritDefaults then defaults.email else null; inherit (defaultAndText "email" null) default defaultText;
defaultText = mkDefaultText "null";
description = '' description = ''
Email address for account creation and correspondence from the CA. Email address for account creation and correspondence from the CA.
It is recommended to use the same email for all certs to avoid account It is recommended to use the same email for all certs to avoid account
@ -492,15 +497,13 @@ let
group = mkOption { group = mkOption {
type = types.str; type = types.str;
default = if inheritDefaults then defaults.group else "acme"; inherit (defaultAndText "group" "acme") default defaultText;
defaultText = mkDefaultText "'acme'";
description = "Group running the ACME client."; description = "Group running the ACME client.";
}; };
reloadServices = mkOption { reloadServices = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = if inheritDefaults then defaults.reloadServices else []; inherit (defaultAndText "reloadServices" []) default defaultText;
defaultText = mkDefaultText "[]";
description = '' description = ''
The list of systemd services to call <code>systemctl try-reload-or-restart</code> The list of systemd services to call <code>systemctl try-reload-or-restart</code>
on. on.
@ -509,8 +512,7 @@ let
postRun = mkOption { postRun = mkOption {
type = types.lines; type = types.lines;
default = if inheritDefaults then defaults.postRun else ""; inherit (defaultAndText "postRun" "") default defaultText;
defaultText = mkDefaultText "''";
example = "cp full.pem backup.pem"; example = "cp full.pem backup.pem";
description = '' description = ''
Commands to run after new certificates go live. Note that Commands to run after new certificates go live. Note that
@ -522,8 +524,7 @@ let
keyType = mkOption { keyType = mkOption {
type = types.str; type = types.str;
default = if inheritDefaults then defaults.keyType else "ec256"; inherit (defaultAndText "keyType" "ec256") default defaultText;
defaultText = mkDefaultText "'ec256'";
description = '' description = ''
Key type to use for private keys. Key type to use for private keys.
For an up to date list of supported values check the --key-type option For an up to date list of supported values check the --key-type option
@ -533,8 +534,7 @@ let
dnsProvider = mkOption { dnsProvider = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = if inheritDefaults then defaults.dnsProvider else null; inherit (defaultAndText "dnsProvider" null) default defaultText;
defaultText = mkDefaultText "null";
example = "route53"; example = "route53";
description = '' description = ''
DNS Challenge provider. For a list of supported providers, see the "code" DNS Challenge provider. For a list of supported providers, see the "code"
@ -544,8 +544,7 @@ let
dnsResolver = mkOption { dnsResolver = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = if inheritDefaults then defaults.dnsResolver else null; inherit (defaultAndText "dnsResolver" null) default defaultText;
defaultText = mkDefaultText "null";
example = "1.1.1.1:53"; example = "1.1.1.1:53";
description = '' description = ''
Set the resolver to use for performing recursive DNS queries. Supported: Set the resolver to use for performing recursive DNS queries. Supported:
@ -556,8 +555,7 @@ let
credentialsFile = mkOption { credentialsFile = mkOption {
type = types.path; type = types.path;
default = if inheritDefaults then defaults.credentialsFile else null; inherit (defaultAndText "credentialsFile" null) default defaultText;
defaultText = mkDefaultText "null";
description = '' description = ''
Path to an EnvironmentFile for the cert's service containing any required and Path to an EnvironmentFile for the cert's service containing any required and
optional environment variables for your selected dnsProvider. optional environment variables for your selected dnsProvider.
@ -569,8 +567,7 @@ let
dnsPropagationCheck = mkOption { dnsPropagationCheck = mkOption {
type = types.bool; type = types.bool;
default = if inheritDefaults then defaults.dnsPropagationCheck else true; inherit (defaultAndText "dnsPropagationCheck" true) default defaultText;
defaultText = mkDefaultText "true";
description = '' description = ''
Toggles lego DNS propagation check, which is used alongside DNS-01 Toggles lego DNS propagation check, which is used alongside DNS-01
challenge to ensure the DNS entries required are available. challenge to ensure the DNS entries required are available.
@ -579,8 +576,7 @@ let
ocspMustStaple = mkOption { ocspMustStaple = mkOption {
type = types.bool; type = types.bool;
default = if inheritDefaults then defaults.ocspMustStaple else false; inherit (defaultAndText "ocspMustStaple" false) default defaultText;
defaultText = mkDefaultText "false";
description = '' description = ''
Turns on the OCSP Must-Staple TLS extension. Turns on the OCSP Must-Staple TLS extension.
Make sure you know what you're doing! See: Make sure you know what you're doing! See:
@ -593,8 +589,7 @@ let
extraLegoFlags = mkOption { extraLegoFlags = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = if inheritDefaults then defaults.extraLegoFlags else []; inherit (defaultAndText "extraLegoFlags" []) default defaultText;
defaultText = mkDefaultText "[]";
description = '' description = ''
Additional global flags to pass to all lego commands. Additional global flags to pass to all lego commands.
''; '';
@ -602,8 +597,7 @@ let
extraLegoRenewFlags = mkOption { extraLegoRenewFlags = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = if inheritDefaults then defaults.extraLegoRenewFlags else []; inherit (defaultAndText "extraLegoRenewFlags" []) default defaultText;
defaultText = mkDefaultText "[]";
description = '' description = ''
Additional flags to pass to lego renew. Additional flags to pass to lego renew.
''; '';
@ -611,25 +605,16 @@ let
extraLegoRunFlags = mkOption { extraLegoRunFlags = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = if inheritDefaults then defaults.extraLegoRunFlags else []; inherit (defaultAndText "extraLegoRunFlags" []) default defaultText;
defaultText = mkDefaultText "[]";
description = '' description = ''
Additional flags to pass to lego run. Additional flags to pass to lego run.
''; '';
}; };
}; };
};
certOpts = { name, config, ... }: { certOpts = { name, config, ... }: {
options = (inheritableOpts { options = {
inherit (cfg) defaults;
# During doc generation, name = "<name>" and doesn't really
# exist as a cert. As such, handle undfined certs.
inheritDefaults = (lib.attrByPath
[name]
{ inheritDefaults = false; }
cfg.certs
).inheritDefaults;
}) // {
# user option has been removed # user option has been removed
user = mkOption { user = mkOption {
visible = false; visible = false;
@ -737,7 +722,7 @@ in {
}; };
defaults = mkOption { defaults = mkOption {
type = types.submodule { options = inheritableOpts {}; }; type = types.submodule (inheritableModule true);
description = '' description = ''
Default values inheritable by all configured certs. You can Default values inheritable by all configured certs. You can
use this to define options shared by all your certs. These defaults use this to define options shared by all your certs. These defaults
@ -748,7 +733,7 @@ in {
certs = mkOption { certs = mkOption {
default = { }; default = { };
type = with types; attrsOf (submodule certOpts); type = with types; attrsOf (submodule [ (inheritableModule false) certOpts ]);
description = '' description = ''
Attribute set of certificates to get signed and renewed. Creates Attribute set of certificates to get signed and renewed. Creates
<literal>acme-''${cert}.{service,timer}</literal> systemd units for <literal>acme-''${cert}.{service,timer}</literal> systemd units for