ssl: add assertion to catch duplicate domain names
This commit is contained in:
parent
1c4bf7fc24
commit
81da2ac193
1 changed files with 34 additions and 0 deletions
|
|
@ -338,6 +338,40 @@ in
|
||||||
serviceName = lib.strings.removeSuffix ".service";
|
serviceName = lib.strings.removeSuffix ".service";
|
||||||
in
|
in
|
||||||
lib.mkMerge [
|
lib.mkMerge [
|
||||||
|
# Generic assertions
|
||||||
|
{
|
||||||
|
assertions = lib.flatten (
|
||||||
|
lib.mapAttrsToList (
|
||||||
|
_name: certCfg:
|
||||||
|
(
|
||||||
|
let
|
||||||
|
domainInExtraDomains =
|
||||||
|
(lib.lists.findFirstIndex (x: x == certCfg.domain) null certCfg.extraDomains) != null;
|
||||||
|
firstDuplicateDomain =
|
||||||
|
(
|
||||||
|
l:
|
||||||
|
let
|
||||||
|
sorted = lib.sort (x: y: x < y) l;
|
||||||
|
maybeDupe = lib.lists.removePrefix (lib.lists.commonPrefix (lib.uniqueStrings sorted) sorted) sorted;
|
||||||
|
in
|
||||||
|
if maybeDupe == [ ] then null else lib.head maybeDupe
|
||||||
|
)
|
||||||
|
certCfg.extraDomains;
|
||||||
|
in
|
||||||
|
[
|
||||||
|
{
|
||||||
|
assertion = !domainInExtraDomains;
|
||||||
|
message = "Error in SHB option for domain ${certCfg.domain}: do not repeat the domain name in the `extraDomain` option.";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
assertion = firstDuplicateDomain == null;
|
||||||
|
message = "Error in SHB option for domain ${certCfg.domain}: `extraDomain` option cannot have duplicates, first offender is: ${firstDuplicateDomain} in the following list: ${lib.concatStringsSep " " certCfg.extraDomains}.";
|
||||||
|
}
|
||||||
|
]
|
||||||
|
)
|
||||||
|
) (cfg.certs.selfsigned // cfg.certs.letsencrypt)
|
||||||
|
);
|
||||||
|
}
|
||||||
# Config for self-signed CA.
|
# Config for self-signed CA.
|
||||||
{
|
{
|
||||||
systemd.services = lib.mapAttrs' (
|
systemd.services = lib.mapAttrs' (
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue