Merge pull request #317257 from arianvp/stephank-fix-acme2

nixos/acme: allow setting security.acme.defaults.server = null to keep old accounts directory

nixos/doc/manual/release-notes/rl-2405.section.md

@@ -429,6 +429,16 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - `screen`'s module has been cleaned, and will now require you to set `programs.screen.enable` in order to populate `screenrc` and add the program to the environment.
 
+- `security.acme.defaults.server` now has a default value instead of `null`.
+  This effectively uses the same server, the Let's Encrypt production server,
+  but makes the default explicit, instead of relying on the Lego default.
+
+  A side effect of this is that the directory in which account data is stored
+  changes and the ACME module will request a new account and new certificates
+  for all domains.  This may cause issues if you pin an `acccounturl` in a CAA
+  DNS record.  To avoid this, you
+  may set `security.acme.defaults.server = null` to keep the old hashes.
+
 - `security.pam.sshAgentAuth.enable` now requires `services.openssh.authorizedKeysFiles` to be non-empty,
   which is the case when `services.openssh.enable` is true. Previously, `pam_ssh_agent_auth` silently failed to work.
 

nixos/modules/security/acme/default.nix

@@ -545,7 +545,7 @@ let
       };
 
       server = mkOption {
-        type = types.str;
+        type = types.nullOr types.str;
         inherit (defaultAndText "server" "https://acme-v02.api.letsencrypt.org/directory") default defaultText;
         example = "https://acme-staging-v02.api.letsencrypt.org/directory";
         description = ''