From 679d54dcb3d205f989cd77fbe7a557c94c15d596 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Luis=20Lafuente?=
Date: Thu, 12 Aug 2021 22:02:12 +0200
Subject: [PATCH] nixos/caddy: update ca option
The generated json configuration returns this warning: the 'issuer' field is deprecated and will be removed in the future; use 'issuers' instead Updated the config to use "issuers" instead of "issuer" Also, now it's possible to set the ca option null to not inject automatically any ca. This is useful if you don't want to generate any certificates or if you want to define a more fine-graned ca config manually (e.g.: use different ca per domain)
---
 nixos/modules/services/web-servers/caddy.nix | 48 ++++++++++++--------
 1 file changed, 29 insertions(+), 19 deletions(-)
diff --git a/nixos/modules/services/web-servers/caddy.nix b/nixos/modules/services/web-servers/caddy.nix
index 955b9756406d..b0565fcea162 100644
--- a/nixos/modules/services/web-servers/caddy.nix
+++ b/nixos/modules/services/web-servers/caddy.nix
@@ -8,10 +8,10 @@ let
   tlsConfig = {
     apps.tls.automation.policies = [{
-      issuer = {
+      issuers = [{
         inherit (cfg) ca email;
         module = "acme";
-      };
+      }];
     }];
   };
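Review bot: `inherit (cfg) ca email;` inside the new `issuers` entry now has to cope with `ca` being null (the option type is relaxed later in this patch), and `builtins.toJSON` will render that as `"ca": null` in tls.json rather than omitting it. That is only harmless because the null case is steered away from merging tlsJSON elsewhere in the file, which nothing at this site says; a one-line comment such as `# only merged into the final config when cfg.ca != null, see configJSON` above `tlsConfig` would stop a future refactor from feeding a null CA to Caddy. The `let` this binding lives in starts before the hunk.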
@@ -23,23 +23,28 @@ let
   # merge the TLS config options we expose with the ones originating in the Caddyfile
   configJSON =
-    let tlsConfigMerge = ''
-      {"apps":
-        {"tls":
-          {"automation":
-            {"policies":
-              (if .[0].apps.tls.automation.policies == .[1]?.apps.tls.automation.policies
-               then .[0].apps.tls.automation.policies
-               else (.[0].apps.tls.automation.policies + .[1]?.apps.tls.automation.policies)
-               end)
+    if cfg.ca != null then
+      let tlsConfigMerge = ''
+        {"apps":
+          {"tls":
+            {"automation":
+              {"policies":
+                (if .[0].apps.tls.automation.policies == .[1]?.apps.tls.automation.policies
+                 then .[0].apps.tls.automation.policies
+                 else (.[0].apps.tls.automation.policies + .[1]?.apps.tls.automation.policies)
+                 end)
+              }
             }
           }
-        }
-      }'';
-    in pkgs.runCommand "caddy-config.json" { } ''
-      ${pkgs.jq}/bin/jq -s '.[0] * ${tlsConfigMerge}' ${adaptedConfig} ${tlsJSON} > $out
-    '';
-in {
+        }'';
+      in
+      pkgs.runCommand "caddy-config.json" { } ''
+        ${pkgs.jq}/bin/jq -s '.[0] * ${tlsConfigMerge}' ${adaptedConfig} ${tlsJSON} > $out
+      ''
+    else
+      adaptedConfig;
+in
+{
   imports = [
     (mkRemovedOptionModule [ "services" "caddy" "agree" ] "this option is no longer necessary for Caddy 2")
   ];
@@ -88,8 +93,13 @@ in {
     ca = mkOption {
       default = "https://acme-v02.api.letsencrypt.org/directory";
       example = "https://acme-staging-v02.api.letsencrypt.org/directory";
-      type = types.str;
-      description = "Certificate authority ACME server. The default (Let's Encrypt production server) should be fine for most people.";
+      type = types.nullOr types.str;
+      description = ''
+        Certificate authority ACME server. The default (Let's Encrypt
+        production server) should be fine for most people. Set it to null if
+        you don't want to include any authority (or if you want to write a more
+        fine-graned configuration manually)
+      '';
     };
     email = mkOption {
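Review bot: The new `else adaptedConfig;` branch silently drops `services.caddy.email` together with the CA, because the email only ever reaches Caddy through tlsJSON and this branch never merges it; nothing in the patch tells the user that. A configuration with `email` set and `ca = null` will therefore evaluate cleanly while the address is ignored, which tends to go unnoticed until expiry notices stop arriving. I would add `warnings = lib.optional (cfg.ca == null && cfg.email != "") "services.caddy.email has no effect when services.caddy.ca is null";` to the config block, assuming `email` defaults to the empty string (its definition is not visible here). Note also that not injecting a policy does not by itself stop issuance: if I read Caddy's automation correctly it falls back to the Caddyfile or its built-in issuers for every host, so "null" is not "no certificates". The `let` block this hunk edits begins before the hunk.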
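Review bot: The new `description` string misspells "fine-grained" as `fine-graned` and lacks a closing period; change its last line to `fine-grained configuration manually).`. Beyond the typo, the text under-explains null: it says "don't want to include any authority", but elsewhere in this patch null also means the `email` option is not passed to Caddy and, as far as I can tell, that Caddy applies its own automation defaults to any host in the Caddyfile, so a reader could mistake null for "no certificates". I would add a sentence such as `When null, neither this CA nor the email option is injected; configure ACME issuers (or disable automation) in the Caddyfile instead.` The `mkOption` attribute set this hunk edits continues outside the hunk.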