Merge pull request #179155 from linj-fork/caddy-improve-security
nixos/caddy: improve security of acme certs
This commit is contained in:
commit
d05ae63d23
@ -308,7 +308,6 @@ in
|
||||
StateDirectory = mkIf (cfg.dataDir == "/var/lib/caddy") [ "caddy" ];
|
||||
LogsDirectory = mkIf (cfg.logDir == "/var/log/caddy") [ "caddy" ];
|
||||
Restart = "on-abnormal";
|
||||
SupplementaryGroups = mkIf (length acmeVHosts != 0) [ "acme" ];
|
||||
|
||||
# TODO: attempt to upstream these options
|
||||
NoNewPrivileges = true;
|
||||
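Review bot: Dropping `SupplementaryGroups = mkIf (length acmeVHosts != 0) [ "acme" ];` appears to leave `acmeVHosts` without a consumer in this hunk; if nothing else in the module references it, its `let` binding (above, outside the hunk) is now dead and should be removed as well, so the two host lists (`acmeVHosts` here, `acmeHosts` in the next hunk) cannot drift apart. Removing the membership itself is the right direction, since it granted Caddy read access to every certificate owned by the `acme` group rather than only the ones it serves. The enclosing attribute set starts and ends outside the hunk.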
@ -331,9 +330,12 @@ in
|
||||
|
||||
security.acme.certs =
|
||||
let
|
||||
reloads = map (useACMEHost: nameValuePair useACMEHost { reloadServices = [ "caddy.service" ]; }) acmeHosts;
|
||||
certCfg = map (useACMEHost: nameValuePair useACMEHost {
|
||||
group = mkDefault cfg.group;
|
||||
reloadServices = [ "caddy.service" ];
|
||||
}) acmeHosts;
|
||||
in
|
||||
listToAttrs reloads;
|
||||
listToAttrs certCfg;
|
||||
|
||||
};
|
||||
}
|
||||
|
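Review bot: `group = mkDefault cfg.group;` is now the only thing that lets Caddy read its certificates, since the `acme` supplementary group was removed in the first hunk, but nothing at the point where it is set records that dependency; a user who overrides `security.acme.certs.<name>.group` (mkDefault yields to any plain assignment) gets a service that cannot open its certificate at runtime with no evaluation-time hint. A short comment above the `group` line would make the coupling explicit: `# Caddy reads the certificate through group ownership instead of an "acme" supplementary group; overriding this group removes its access.`. If another module sets `group` with mkDefault for the same `useACMEHost`, the two values would conflict at evaluation time, which is arguably preferable to silently widening access but worth knowing when debugging. The `security.acme.certs` assignment begins in the hunk; the config block that encloses it does not.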
@ -40,9 +40,7 @@ in
|
||||
|
||||
<emphasis>Note that this option does not create any certificates, nor
|
||||
does it add subdomains to existing ones – you will need to create them
|
||||
manually using <xref linkend="opt-security.acme.certs"/>. Additionally,
|
||||
you should probably add the <literal>caddy</literal> user to the
|
||||
<literal>acme</literal> group to grant access to the certificates.</emphasis>
|
||||
manually using <xref linkend="opt-security.acme.certs"/>.</emphasis>
|
||||
'';
|
||||
};
|
||||
|
||||
|
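Review bot: The new description drops the advice to add the `caddy` user to the `acme` group but does not say what replaces it, so deployments that followed the old text will keep that broader membership and retain exactly the access this change is meant to remove. Consider adding, after the `<xref linkend="opt-security.acme.certs"/>` sentence: `The certificates' group is set to the Caddy group by default, so the <literal>caddy</literal> user no longer needs to be a member of the <literal>acme</literal> group; remove that membership if you added it earlier.`. The option declaration this description belongs to starts outside the hunk.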