lol

nginx module: Add acmeFallbackHost vhost option

authored by

Franz Pletz and committed by
Robin Gloster
4e5c7913 811f243c

+20 -2
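--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -78,6 +78,15 @@
 ssl = vhost.enableSSL || vhost.forceSSL;
 port = if vhost.port != null then vhost.port else (if ssl then 443 else 80);
 listenString = toString port + optionalString ssl " ssl spdy";
+acmeLocation = optionalString vhost.enableACME ''
+location /.well-known/acme-challenge {
+try_files $uri @acme-fallback;
+root ${vhost.acmeRoot};
+}
+location @acme-fallback {
+proxy_pass http://${vhost.acmeFallbackHost};
+}
+'';
 in ''
 ${optionalString vhost.forceSSL ''
 server {
@@ -85,7 +94,7 @@
 listen [::]:80;
 
 server_name ${serverName} ${concatStringsSep " " vhost.serverAliases};
-${optionalString vhost.enableACME "location /.well-known/acme-challenge { root ${vhost.acmeRoot}; }"}
+${acmeLocation}
 location / {
 return 301 https://$host${optionalString (port != 443) ":${port}"}$request_uri;
 }
@@ -97,7 +106,7 @@
 listen [::]:${listenString};
 
 server_name ${serverName} ${concatStringsSep " " vhost.serverAliases};
-${optionalString vhost.enableACME "location /.well-known/acme-challenge { root ${vhost.acmeRoot}; }"}
+${acmeLocation}
 ${optionalString (vhost.root != null) "root ${vhost.root};"}
 ${optionalString (vhost.globalRedirect != null) ''
 return 301 https://${vhost.globalRedirect}$request_uri;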
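Review bot: The `@acme-fallback` location and its `proxy_pass http://${vhost.acmeFallbackHost};` are emitted for every vhost with `enableACME`, including those that never set a fallback, so with the default of `"0.0.0.0"` from vhost-options.nix any request under `/.well-known/acme-challenge` for a file missing from `acmeRoot` is proxied instead of answered with a 404. On Linux a connection to 0.0.0.0 normally lands on the local machine, so this likely sends the request back into the same nginx on port 80, where it can reach the same location again; that should be confirmed and avoided. Making the option `types.nullOr types.str` with `default = null`, and emitting `try_files` and the named location only when it is set, keeps the previous behaviour for vhosts that do not want a fallback. The `let` block this binding sits in starts above the hunk.

```nix
acmeLocation = optionalString vhost.enableACME ''
  location /.well-known/acme-challenge {
    ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
    root ${vhost.acmeRoot};
  }
  ${optionalString (vhost.acmeFallbackHost != null) ''
    location @acme-fallback {
      proxy_pass http://${vhost.acmeFallbackHost};
    }
  ''}
'';
# … unchanged: the two ${acmeLocation} uses in the server blocks …
```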
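--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -38,6 +38,15 @@
 description = "Directory to store certificates and keys managed by the ACME service.";
 };
 
+acmeFallbackHost = mkOption {
+type = types.str;
+default = "0.0.0.0";
+description = ''
+Host which to proxy requests to if acme challenge is not found. Useful
+if you want multiple hosts to be able to verify the same domain name.
+'';
+};
+
 enableSSL = mkOption {
 type = types.bool;
 default = false;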
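Review bot: The description of `acmeFallbackHost` does not say that the fallback host is trusted: it answers HTTP-01 challenges on behalf of this vhost's names, so whoever controls that host can have certificates issued for them, and the request is forwarded there over plain HTTP. I would add a sentence such as `The fallback host can complete ACME validation for this virtual host's domains, so point it only at a machine you control.` to the description. An `example` attribute showing a host name would also help readers of the generated option docs, since the default value is not a meaningful upstream.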