author | Florian Klink <flokli@flokli.de> | 2021-01-29 17:16:06 +0100 |
committer | GitHub <noreply@github.com> | 2021-01-29 17:16:06 +0100 |
commit | 82102fc37daebdb254d796612de044b29e6e88da (patch) | |
tree | b9365500f0953b02b1e5251279aea8d84a5e1c96 | |
parent | c9e9792dbf274a84a9e42318f30dfbc33f8bb7bc (diff) | |
parent | d95f020a5316fd1680c641d7f8283bcbc215c0d9 (diff) | |
Merge pull request #100356 from m1cr0man/docsupdate
nixos/acme: Docs, explain how to set permissions
-rw-r--r-- | nixos/modules/security/acme.xml | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml
index b34cbdafb2d..f9b1449e53d 100644
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme.xml
@@ -115,15 +115,18 @@ services.nginx = {
 <programlisting>
 <xref linkend="opt-security.acme.acceptTerms" /> = true;
 <xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
+
+# /var/lib/acme/.challenges must be writable by the ACME user
+# and readable by the Nginx user. The easiest way to achieve
+# this is to add the Nginx user to the ACME group.
+<link linkend="users.users._name_.extraGroups">users.users.nginx.extraGroups</link> = [ "acme" ];
+
 services.nginx = {
 <link linkend="opt-services.nginx.enable">enable</link> = true;
 <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
 "acmechallenge.example.com" = {
 # Catchall vhost, will redirect users to HTTPS for all vhosts
 <link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ "*.example.com" ];
- # /var/lib/acme/.challenges must be writable by the ACME user
- # and readable by the Nginx user.
- # By default, this is the case.
 locations."/.well-known/acme-challenge" = {
 <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/lib/acme/.challenges";
 };
@@ -134,6 +137,7 @@ services.nginx = {
 };
 }
 # Alternative config for Apache
+<link linkend="users.users._name_.extraGroups">users.users.wwwrun.extraGroups</link> = [ "acme" ];
 services.httpd = {
 <link linkend="opt-services.httpd.enable">enable = true;</link>
 <link linkend="opt-services.httpd.virtualHosts">virtualHosts</link> = { |