acme: Don't attempt to get certs if the domain is wrong
This commit is contained in:
parent
40c137e613
commit
2204f354ce
|
@ -137,7 +137,6 @@
|
||||||
recommendedGzipSettings = true;
|
recommendedGzipSettings = true;
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
clientMaxBodySize = "10G";
|
clientMaxBodySize = "10G";
|
||||||
domain = "tlater.net";
|
|
||||||
|
|
||||||
statusPage = true; # For metrics, should be accessible only from localhost
|
statusPage = true; # For metrics, should be accessible only from localhost
|
||||||
|
|
||||||
|
|
|
@ -6,6 +6,8 @@
|
||||||
# Required for the lish console
|
# Required for the lish console
|
||||||
boot.kernelParams = ["console=ttyS0,19200n8"];
|
boot.kernelParams = ["console=ttyS0,19200n8"];
|
||||||
|
|
||||||
|
services.nginx.domain = "tlater.net";
|
||||||
|
|
||||||
boot.loader = {
|
boot.loader = {
|
||||||
# Timeout to allow lish to connect
|
# Timeout to allow lish to connect
|
||||||
timeout = 10;
|
timeout = 10;
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
networking.hostName = "testvm";
|
networking.hostName = "testvm";
|
||||||
# Sets the base domain for nginx to localhost so that we
|
# Sets the base domain for nginx to localhost so that we
|
||||||
# can easily test locally with the VM.
|
# can easily test locally with the VM.
|
||||||
services.nginx.domain = lib.mkOverride 99 "localhost";
|
services.nginx.domain = "localhost";
|
||||||
|
|
||||||
# Use the staging secrets
|
# Use the staging secrets
|
||||||
sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml;
|
sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml;
|
||||||
|
|
|
@ -1,8 +1,23 @@
|
||||||
{lib, ...}: let
|
{
|
||||||
inherit (lib) mkOption types;
|
pkgs,
|
||||||
in {
|
config,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
options.services.nginx.domain = lib.mkOption {
|
options.services.nginx.domain = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "The base domain name to append to virtual domain names";
|
description = "The base domain name to append to virtual domain names";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
# Don't attempt to run acme if the domain name is not tlater.net
|
||||||
|
systemd.services = let
|
||||||
|
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
|
||||||
|
in
|
||||||
|
lib.mapAttrs' (cert: _:
|
||||||
|
lib.nameValuePair "acme-${cert}" {
|
||||||
|
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
|
||||||
|
})
|
||||||
|
config.security.acme.certs;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue