diff options
author | Lucas Savva <lucas@m1cr0man.com> | 2020-10-12 19:26:00 +0100 |
---|---|---|
committer | Lucas Savva <lucas@m1cr0man.com> | 2020-10-12 19:26:00 +0100 |
commit | d95f020a5316fd1680c641d7f8283bcbc215c0d9 (patch) | |
tree | 76638c4ce9300d11fba57e254f33be30d6bc0969 | |
parent | 0b5d5d68289c1b9341c80b88d543b4699e9ec644 (diff) | |
download | nixpkgs-d95f020a5316fd1680c641d7f8283bcbc215c0d9.tar nixpkgs-d95f020a5316fd1680c641d7f8283bcbc215c0d9.tar.gz nixpkgs-d95f020a5316fd1680c641d7f8283bcbc215c0d9.tar.bz2 nixpkgs-d95f020a5316fd1680c641d7f8283bcbc215c0d9.tar.lz nixpkgs-d95f020a5316fd1680c641d7f8283bcbc215c0d9.tar.xz nixpkgs-d95f020a5316fd1680c641d7f8283bcbc215c0d9.tar.zst nixpkgs-d95f020a5316fd1680c641d7f8283bcbc215c0d9.zip |
nixos/acme: Docs, explain how to set permissions
As of 20.09 the /var/lib/acme/.challenges permissions will not automatically be correct. Add instructions on how to set them correctly.
-rw-r--r-- | nixos/modules/security/acme.xml | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml index 17e94bc12fb..e3ce643e920 100644 --- a/nixos/modules/security/acme.xml +++ b/nixos/modules/security/acme.xml @@ -115,15 +115,18 @@ services.nginx = { <programlisting> <xref linkend="opt-security.acme.acceptTerms" /> = true; <xref linkend="opt-security.acme.email" /> = "admin+acme@example.com"; + +# /var/lib/acme/.challenges must be writable by the ACME user +# and readable by the Nginx user. The easiest way to achieve +# this is to add the Nginx user to the ACME group. +<link linkend="users.users._name_.extraGroups">users.users.nginx.extraGroups</link> = [ "acme" ]; + services.nginx = { <link linkend="opt-services.nginx.enable">enable</link> = true; <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = { "acmechallenge.example.com" = { # Catchall vhost, will redirect users to HTTPS for all vhosts <link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ "*.example.com" ]; - # /var/lib/acme/.challenges must be writable by the ACME user - # and readable by the Nginx user. - # By default, this is the case. locations."/.well-known/acme-challenge" = { <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/lib/acme/.challenges"; }; @@ -134,6 +137,7 @@ services.nginx = { }; } # Alternative config for Apache +<link linkend="users.users._name_.extraGroups">users.users.wwwrun.extraGroups</link> = [ "acme" ]; services.httpd = { <link linkend="opt-services.httpd.enable">enable = true;</link> <link linkend="opt-services.httpd.virtualHosts">virtualHosts</link> = { |