nixos/nginx: not "before" ACME certs using DNS validation

Relax dependency with certs that are validated via DNS challenge since we know the HTTP server is not required for that validation. This allows marking the server's service as depending on the cert.
NixOS · Aug 25, 2024 · 5354cc5 · 5354cc5
1 parent fa20be9
commit 5354cc5
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
@@ -7,7 +7,8 @@ let
  inherit (config.security.acme) certs;
  vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;
  acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME || vhostConfig.useACMEHost != null) vhostsConfigs;
- dependentCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);
+ vhostCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);
+ dependentCertNames = filter (cert: certs.${cert}.dnsProvider == null) vhostCertNames; # those that might depend on the HTTP server
  virtualHosts = mapAttrs (vhostName: vhostConfig:
  let
  serverName = if vhostConfig.serverName != null
@@ -1207,7 +1208,7 @@ in
  inherit (cfg) group user;
  cert = config.security.acme.certs.${name};
  groups = config.users.groups;
- }) dependentCertNames;
+ }) vhostCertNames;
 
  services.nginx.additionalModules = optional cfg.recommendedBrotliSettings pkgs.nginxModules.brotli
  ++ lib.optional cfg.recommendedZstdSettings pkgs.nginxModules.zstd;
@@ -1230,8 +1231,8 @@ in
  systemd.services.nginx = {
  description = "Nginx Web Server";
  wantedBy = [ "multi-user.target" ];
- wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) dependentCertNames);
- after = [ "network.target" ] ++ map (certName: "acme-selfsigned-${certName}.service") dependentCertNames;
+ wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) vhostCertNames);
+ after = [ "network.target" ] ++ map (certName: "acme-selfsigned-${certName}.service") vhostCertNames;
  # Nginx needs to be started in order to be able to request certificates
  # (it's hosting the acme challenge after all)
  # This fixes https://github.com/NixOS/nixpkgs/issues/81842
@@ -1310,8 +1311,8 @@ in
  # which allows the acme-finished-$cert.target to signify the successful updating
  # of certs end-to-end.
  systemd.services.nginx-config-reload = let
- sslServices = map (certName: "acme-${certName}.service") dependentCertNames;
- sslTargets = map (certName: "acme-finished-${certName}.target") dependentCertNames;
+ sslServices = map (certName: "acme-${certName}.service") vhostCertNames;
+ sslTargets = map (certName: "acme-finished-${certName}.target") vhostCertNames;
  in mkIf (cfg.enableReload || sslServices != []) {
  wants = optionals cfg.enableReload [ "nginx.service" ];
  wantedBy = sslServices ++ [ "multi-user.target" ];
@@ -1323,7 +1324,7 @@ in
  restartTriggers = optionals cfg.enableReload [ configFile ];
  # Block reloading if not all certs exist yet.
  # Happens when config changes add new vhosts/certs.
- unitConfig.ConditionPathExists = optionals (sslServices != []) (map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames);
+ unitConfig.ConditionPathExists = optionals (sslServices != []) (map (certName: certs.${certName}.directory + "/fullchain.pem") vhostCertNames);
  serviceConfig = {
  Type = "oneshot";
  TimeoutSec = 60;