diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index bc10f5b587c7..a86961de6719 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -30,6 +30,8 @@
 - `himalaya` has been updated to `0.8.0`, which drops the native TLS support (in favor of Rustls) and add OAuth 2.0 support. See the [release note](https://github.com/soywod/himalaya/releases/tag/v0.8.0) for more details.
+- The [services.caddy.acmeCA](#opt-services.caddy.acmeCA) option now defaults to `null` instead of `"https://acme-v02.api.letsencrypt.org/directory"`, to use all of Caddy's default ACME CAs and enable Caddy's automatic issuer fallback feature by default, as recommended by upstream.
+
 - `util-linux` is now supported on Darwin and is no longer an alias to `unixtools`. Use the `unixtools.util-linux` package for access to the Apple variants of the utilities.
 - `fileSystems..autoFormat` now uses `systemd-makefs`, which does not accept formatting options. Therefore, `fileSystems..formatOptions` has been removed.
diff --git a/nixos/modules/services/web-servers/caddy/default.nix b/nixos/modules/services/web-servers/caddy/default.nix
index f5a9cfac5d77..70715a237250 100644
--- a/nixos/modules/services/web-servers/caddy/default.nix
+++ b/nixos/modules/services/web-servers/caddy/default.nix
@@ -14,7 +14,7 @@ let
 in ''
 ${hostOpts.hostName} ${concatStringsSep " " hostOpts.serverAliases} {
- bind ${concatStringsSep " " hostOpts.listenAddresses}
+ ${optionalString (hostOpts.listenAddresses != [ ]) "bind ${concatStringsSep " " hostOpts.listenAddresses}"}
 ${optionalString (hostOpts.useACMEHost != null) "tls ${sslCertDir}/cert.pem ${sslCertDir}/key.pem"}
 log {
 ${hostOpts.logFormat}
@@ -245,15 +245,23 @@ in
 };
 acmeCA = mkOption {
- default = "https://acme-v02.api.letsencrypt.org/directory";
- example = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ default = null;
+ example = "https://acme-v02.api.letsencrypt.org/directory";
 type = with types; nullOr str;
 description = lib.mdDoc ''
- The URL to the ACME CA's directory. It is strongly recommended to set
- this to Let's Encrypt's staging endpoint for testing or development.
+ ::: {.note}
+ Sets the [`acme_ca` option](https://caddyserver.com/docs/caddyfile/options#acme-ca)
+ in the global options block of the resulting Caddyfile.
+ :::
- Set it to `null` if you want to write a more
- fine-grained configuration manually.
+ The URL to the ACME CA's directory. It is strongly recommended to set
+ this to `https://acme-staging-v02.api.letsencrypt.org/directory` for
+ Let's Encrypt's [staging endpoint](https://letsencrypt.org/docs/staging-environment/)
+ while testing or in development.
+
+ Value `null` should be prefered for production setups,
+ as it omits the `acme_ca` option to enable
+ [automatic issuer fallback](https://caddyserver.com/docs/automatic-https#issuer-fallback).
 '';
 };
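Review bot: The new `example = "https://acme-v02.api.letsencrypt.org/directory";` is the production Let's Encrypt endpoint, while the rewritten description a few lines below tells the reader to use the staging endpoint while testing; keeping `example = "https://acme-staging-v02.api.letsencrypt.org/directory";` makes the documented example the one the text recommends copying and avoids test machines hitting production issuance from a pasted example. The description also has a typo in the last paragraph: `prefered` should be `preferred`. Since `default = null` now omits `acme_ca` from the generated Caddyfile, hosts that previously relied on the implicit Let's Encrypt default may, on fallback, obtain certificates from another of Caddy's default ACME CAs, so operators whose CAA records or internal policy pin a single CA need to set this option explicitly; a sentence to that effect would fit after the `null` paragraph, and the release note in the first file could carry the same caveat. The enclosing options attribute set begins and ends outside this hunk.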