nixos/caddy: update ca option

The generated json configuration returns this warning: the 'issuer' field is deprecated and will be removed in the future; use 'issuers' instead Updated the config to use "issuers" instead of "issuer" Also, now it's possible to set the ca option null to not inject automatically any ca. This is useful if you don't want to generate any certificates or if you want to define a more fine-graned ca config manually (e.g.: use different ca per domain)
2024-10-03 19:17:38 +03:00 · 2021-08-12 22:02:12 +02:00 · 2021-08-12 22:02:12 +02:00 · 679d54dcb3
commit 679d54dcb3
parent 9df2cb074d
1 changed files with 29 additions and 19 deletions
--- a/nixos/modules/services/web-servers/caddy.nix
+++ b/nixos/modules/services/web-servers/caddy.nix
@ -8,10 +8,10 @@ let

  tlsConfig = {
    apps.tls.automation.policies = [{
-      issuer = {
+      issuers = [{
        inherit (cfg) ca email;
        module = "acme";
-      };
+      }];
    }];
  };

@ -23,23 +23,28 @@ let

  # merge the TLS config options we expose with the ones originating in the Caddyfile
  configJSON =
-    let tlsConfigMerge = ''
-      {"apps":
-        {"tls":
-          {"automation":
-            {"policies":
-              (if .[0].apps.tls.automation.policies == .[1]?.apps.tls.automation.policies
-               then .[0].apps.tls.automation.policies
-               else (.[0].apps.tls.automation.policies + .[1]?.apps.tls.automation.policies)
-               end)
+    if cfg.ca != null then
+      let tlsConfigMerge = ''
+        {"apps":
+          {"tls":
+            {"automation":
+              {"policies":
+                (if .[0].apps.tls.automation.policies == .[1]?.apps.tls.automation.policies
+                 then .[0].apps.tls.automation.policies
+                 else (.[0].apps.tls.automation.policies + .[1]?.apps.tls.automation.policies)
+                 end)
+              }
            }
          }
-        }
-      }'';
-    in pkgs.runCommand "caddy-config.json" { } ''
-    ${pkgs.jq}/bin/jq -s '.[0] * ${tlsConfigMerge}' ${adaptedConfig} ${tlsJSON} > $out
-  '';
-in {
+        }'';
+      in
+      pkgs.runCommand "caddy-config.json" { } ''
+        ${pkgs.jq}/bin/jq -s '.[0] * ${tlsConfigMerge}' ${adaptedConfig} ${tlsJSON} > $out
+      ''
+    else
+      adaptedConfig;
+in
+{
  imports = [
    (mkRemovedOptionModule [ "services" "caddy" "agree" ] "this option is no longer necessary for Caddy 2")
  ];
@ -88,8 +93,13 @@ in {
    ca = mkOption {
      default = "https://acme-v02.api.letsencrypt.org/directory";
      example = "https://acme-staging-v02.api.letsencrypt.org/directory";
-      type = types.str;
-      description = "Certificate authority ACME server. The default (Let's Encrypt production server) should be fine for most people.";
+      type = types.nullOr types.str;
+      description = ''
+        Certificate authority ACME server. The default (Let's Encrypt
+        production server) should be fine for most people. Set it to null if
+        you don't want to include any authority (or if you want to write a more
+        fine-graned configuration manually)
+      '';
    };

    email = mkOption {