authorSandro <sandro.jaeckel@gmail.com>2024-04-18 00:03:16 +0200
committerGitHub <noreply@github.com>2024-04-18 00:03:16 +0200
commit7e02555456a230b52d7a9b905453a0fc36525c99 (patch)
treec361c96d01a0d51a22a6bebcd9f6889e49b6dae8 /nixos
parentd8b7917df2fff6b20bade1b024357236edbad885 (diff)
parentd6e8934f38e194dae97044454c49958b342f4481 (diff)
Merge pull request #304642 from erictapen/nginx-resolver-ipv4
nixos/nginx: allow for resolving IPv6 addresses only
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix18
1 files changed, 17 insertions, 1 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 3d1a00ccde7c9..40470f535bf61 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -164,7 +164,7 @@ let
       ${commonHttpConfig}
 
       ${optionalString (cfg.resolver.addresses != []) ''
-        resolver ${toString cfg.resolver.addresses} ${optionalString (cfg.resolver.valid != "") "valid=${cfg.resolver.valid}"} ${optionalString (!cfg.resolver.ipv6) "ipv6=off"};
+        resolver ${toString cfg.resolver.addresses} ${optionalString (cfg.resolver.valid != "") "valid=${cfg.resolver.valid}"} ${optionalString (!cfg.resolver.ipv4) "ipv4=off"} ${optionalString (!cfg.resolver.ipv6) "ipv6=off"};
       ''}
       ${upstreamConfig}
 
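Review bot: The new `ipv4=off` token on the `resolver` line is emitted for whatever nginx package the module is built with, but upstream nginx only accepts that parameter from 1.23.1 on. An older or forked build would presumably reject the generated configuration when it is tested or loaded. No version guard is visible in this hunk, though the `let` block continues outside it, so one may exist elsewhere. If there is none, I would at least state the requirement in the option text by appending `Requires nginx 1.23.1 or newer.` to the `resolver.ipv4` description.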
@@ -978,6 +978,15 @@ in
                 An optional valid parameter allows overriding it
               '';
             };
+            ipv4 = mkOption {
+              type = types.bool;
+              default = true;
+              description = ''
+                By default, nginx will look up both IPv4 and IPv6 addresses while resolving.
+                If looking up of IPv4 addresses is not desired, the ipv4=off parameter can be
+                specified.
+              '';
+            };
             ipv6 = mkOption {
               type = types.bool;
               default = true;
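Review bot: The `ipv4` description reads like the nginx manual and never says what the NixOS option value does, so a reader has to infer that `false` is what produces `ipv4=off`. It also omits that turning off both address families is rejected by the assertion added in the last hunk of this commit. I would word it as `Whether nginx looks up IPv4 addresses while resolving. Setting this to false passes ipv4=off to the resolver directive; ipv4 and ipv6 cannot both be false.` The neighbouring `ipv6` option starts in this hunk but its description is outside it, so it may need the same rewording.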
@@ -1179,6 +1188,13 @@ in
           to answer to ACME requests.
         '';
       }
+
+      {
+        assertion = cfg.resolver.ipv4 || cfg.resolver.ipv6;
+        message = ''
+          At least one of services.nginx.resolver.ipv4 and services.nginx.resolver.ipv6 must be true.
+        '';
+      }
     ] ++ map (name: mkCertOwnershipAssertion {
       inherit (cfg) group user;
       cert = config.security.acme.certs.${name};