Merge pull request #245737 from oddlama/fix-nginx-unnecessary-acme-locations

2023-07-28 19:23:56 +02:00 · 2023-07-28 19:23:56 +02:00 · 5150e29817
parent 2a0aaa7e8f cbdaab0f17
commit 5150e29817
1 changed files with 3 additions and 1 deletions
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -362,7 +362,9 @@ let

        redirectListen = filter (x: !x.ssl) defaultListen;

-        acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) ''
+        # The acme-challenge location doesn't need to be added if we are not using any automated
+        # certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge
+        acmeLocation = optionalString (vhost.enableACME || (vhost.useACMEHost != null && config.security.acme.certs.${vhost.useACMEHost}.dnsProvider == null)) ''
          # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
          # We use ^~ here, so that we don't check any regexes (which could
          # otherwise easily override this intended match accidentally).