fix(nginx): Specify acmeRoot with null webroot
In the NixOS module for nginx, enableACME does this...
hasRoot = vhostConfig.acmeRoot != null;
webroot = mkOverride (if hasRoot then 1000 else 2000) vhostConfig.acmeRoot;
...ensuring that if the acmeRoot isn't null, we use it by default
Unfortunately, in our efforts to get dnsProviders working, we've nudged
this out of alignment and caused acmeRoot to be ignored altogether...
...while this works well in Clicks, it's a disaster for anyone trying to
provision certificates with http/s
Change-Id: I05d1c49718dbfcb2a3929710a90da5eb3847481a
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/814
Reviewed-by: Skyler Grey <minion@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>
diff --git a/modules/nixos/clicks/services/nginx/default.nix b/modules/nixos/clicks/services/nginx/default.nix
index 1740930..d195f58 100644
--- a/modules/nixos/clicks/services/nginx/default.nix
+++ b/modules/nixos/clicks/services/nginx/default.nix
@@ -27,9 +27,11 @@
nginxHosts = lib.attrsets.mapAttrs (_: host: lib.attrsets.removeAttrs host [ "authWith" "dnsProvider" ]) processedHosts;
acmeCerts = lib.attrsets.mapAttrs (_: host: {
inherit (host) dnsProvider;
- webroot = if host.dnsProvider == null
- then config.security.acme.defaults.webroot
- else null;
+ webroot = if host.dnsProvider != null
+ then null
+ else if host.acmeRoot != null
+ then host.acmeRoot
+ else config.security.acme.defaults.webroot;
}) processedHosts;
tailscaleAuthHosts = lib.pipe hostsList [
(lib.lists.filter (host: host.value.authWith == "tailscale"))