Diffstat (limited to 'nixos/modules/security/acme/default.nix')
-rw-r--r-- | nixos/modules/security/acme/default.nix | 62 |
1 files changed, 31 insertions, 31 deletions
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
index d827c448055..54b44dcab62 100644
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -445,7 +445,7 @@ let validMinDays = mkOption { type = types.int; inherit (defaultAndText "validMinDays" 30) default defaultText; - description = "Minimum remaining validity before renewal in days."; + description = lib.mdDoc "Minimum remaining validity before renewal in days."; }; renewInterval = mkOption {
@@ -466,11 +466,11 @@ let type = types.nullOr types.str; inherit (defaultAndText "webroot" null) default defaultText; example = "/var/lib/acme/acme-challenge"; - description = '' + description = lib.mdDoc '' Where the webroot of the HTTP vhost is located. - <filename>.well-known/acme-challenge/</filename> directory + {file}`.well-known/acme-challenge/` directory will be created below the webroot if it doesn't exist. - <literal>http://example.org/.well-known/acme-challenge/</literal> must also + `http://example.org/.well-known/acme-challenge/` must also be available (notice unencrypted HTTP). ''; };
@@ -478,17 +478,17 @@ let server = mkOption { type = types.nullOr types.str; inherit (defaultAndText "server" null) default defaultText; - description = '' + description = lib.mdDoc '' ACME Directory Resource URI. Defaults to Let's Encrypt's production endpoint, - <link xlink:href="https://acme-v02.api.letsencrypt.org/directory"/>, if unset. + <https://acme-v02.api.letsencrypt.org/directory>, if unset. ''; }; email = mkOption { type = types.str; inherit (defaultAndText "email" null) default defaultText; - description = '' + description = lib.mdDoc '' Email address for account creation and correspondence from the CA. It is recommended to use the same email for all certs to avoid account creation limits.
@@ -498,7 +498,7 @@ let group = mkOption { type = types.str; inherit (defaultAndText "group" "acme") default defaultText; - description = "Group running the ACME client."; + description = lib.mdDoc "Group running the ACME client."; }; reloadServices = mkOption {
@@ -514,7 +514,7 @@ let type = types.lines; inherit (defaultAndText "postRun" "") default defaultText; example = "cp full.pem backup.pem"; - description = '' + description = lib.mdDoc '' Commands to run after new certificates go live. Note that these commands run as the root user.
@@ -525,10 +525,10 @@ let keyType = mkOption { type = types.str; inherit (defaultAndText "keyType" "ec256") default defaultText; - description = '' + description = lib.mdDoc '' Key type to use for private keys. For an up to date list of supported values check the --key-type option - at <link xlink:href="https://go-acme.github.io/lego/usage/cli/#usage"/>. + at <https://go-acme.github.io/lego/usage/cli/#usage>. ''; };
@@ -536,9 +536,9 @@ let type = types.nullOr types.str; inherit (defaultAndText "dnsProvider" null) default defaultText; example = "route53"; - description = '' + description = lib.mdDoc '' DNS Challenge provider. For a list of supported providers, see the "code" - field of the DNS providers listed at <link xlink:href="https://go-acme.github.io/lego/dns/"/>. + field of the DNS providers listed at <https://go-acme.github.io/lego/dns/>. ''; };
@@ -546,7 +546,7 @@ let type = types.nullOr types.str; inherit (defaultAndText "dnsResolver" null) default defaultText; example = "1.1.1.1:53"; - description = '' + description = lib.mdDoc '' Set the resolver to use for performing recursive DNS queries. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
@@ -556,11 +556,11 @@ let credentialsFile = mkOption { type = types.path; inherit (defaultAndText "credentialsFile" null) default defaultText; - description = '' + description = lib.mdDoc '' Path to an EnvironmentFile for the cert's service containing any required and optional environment variables for your selected dnsProvider. To find out what values you need to set, consult the documentation at - <link xlink:href="https://go-acme.github.io/lego/dns/"/> for the corresponding dnsProvider. + <https://go-acme.github.io/lego/dns/> for the corresponding dnsProvider. ''; example = "/var/src/secrets/example.org-route53-api-token"; };
@@ -568,7 +568,7 @@ let dnsPropagationCheck = mkOption { type = types.bool; inherit (defaultAndText "dnsPropagationCheck" true) default defaultText; - description = '' + description = lib.mdDoc '' Toggles lego DNS propagation check, which is used alongside DNS-01 challenge to ensure the DNS entries required are available. '';
@@ -590,7 +590,7 @@ let extraLegoFlags = mkOption { type = types.listOf types.str; inherit (defaultAndText "extraLegoFlags" []) default defaultText; - description = '' + description = lib.mdDoc '' Additional global flags to pass to all lego commands. ''; };
@@ -598,7 +598,7 @@ let extraLegoRenewFlags = mkOption { type = types.listOf types.str; inherit (defaultAndText "extraLegoRenewFlags" []) default defaultText; - description = '' + description = lib.mdDoc '' Additional flags to pass to lego renew. ''; };
@@ -606,7 +606,7 @@ let extraLegoRunFlags = mkOption { type = types.listOf types.str; inherit (defaultAndText "extraLegoRunFlags" []) default defaultText; - description = '' + description = lib.mdDoc '' Additional flags to pass to lego run. ''; };
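Review bot: The `credentialsFile` description (first hunk on this line, `@@ -556,11`) still does not tell the reader how the path should be supplied, although the option is `type = types.path;` and points at a file of DNS-provider secrets. If a user assigns a Nix path literal instead of a string, the file can end up copied into the world-readable Nix store, depending on how the module interpolates the value (that code is not visible here). While the text is being converted I would append a sentence such as `Pass the path as a string, as in the example, so that the file is not copied into the world-readable Nix store.` The whole option definition is inside the hunk, so nothing else needs to change.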
@@ -637,13 +637,13 @@ let type = types.str; readOnly = true; default = "/var/lib/acme/${name}"; - description = "Directory where certificate and other state is stored."; + description = lib.mdDoc "Directory where certificate and other state is stored."; }; domain = mkOption { type = types.str; default = name; - description = "Domain to fetch certificate for (defaults to the entry name)."; + description = lib.mdDoc "Domain to fetch certificate for (defaults to the entry name)."; }; extraDomainNames = mkOption {
@@ -655,7 +655,7 @@ let "mydomain.org" ] ''; - description = '' + description = lib.mdDoc '' A list of extra domain names, which are included in the one certificate to be issued. ''; };
@@ -667,7 +667,7 @@ let type = types.nullOr types.str; default = null; example = ":1360"; - description = '' + description = lib.mdDoc '' Interface and port to listen on to solve HTTP challenges in the form [INTERFACE]:PORT. If you use a port other than 80, you must proxy port 80 to this port.
@@ -690,7 +690,7 @@ in { preliminarySelfsigned = mkOption { type = types.bool; default = true; - description = '' + description = lib.mdDoc '' Whether a preliminary self-signed certificate should be generated before doing ACME requests. This can be useful when certificates are required in a webserver, but ACME needs the webserver to make its requests.
@@ -703,16 +703,16 @@ in { acceptTerms = mkOption { type = types.bool; default = false; - description = '' + description = lib.mdDoc '' Accept the CA's terms of service. The default provider is Let's Encrypt, - you can find their ToS at <link xlink:href="https://letsencrypt.org/repository/"/>. + you can find their ToS at <https://letsencrypt.org/repository/>. ''; }; useRoot = mkOption { type = types.bool; default = false; - description = '' + description = lib.mdDoc '' Whether to use the root user when generating certs. This is not recommended for security + compatiblity reasons. If a service requires root owned certificates consider following the guide on "Using ACME with services demanding root
@@ -723,7 +723,7 @@ in { defaults = mkOption { type = types.submodule (inheritableModule true); - description = '' + description = lib.mdDoc '' Default values inheritable by all configured certs. You can use this to define options shared by all your certs. These defaults can also be ignored on a per-cert basis using the
@@ -734,9 +734,9 @@ in { certs = mkOption { default = { }; type = with types; attrsOf (submodule [ (inheritableModule false) certOpts ]); - description = '' + description = lib.mdDoc '' Attribute set of certificates to get signed and renewed. Creates - <literal>acme-''${cert}.{service,timer}</literal> systemd units for + `acme-''${cert}.{service,timer}` systemd units for each certificate defined here. Other services can add dependencies to those units if they rely on the certificates being present, or trigger restarts of the service if certificates get renewed. |
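Review bot: `compatiblity` is misspelled in the `useRoot` description (hunk `@@ -703,16`, in the context text just after the converted `description = lib.mdDoc ''`), and it sits in the sentence that warns against running certificate generation as root. Since this string is being touched anyway, I would correct the phrase to `security + compatibility reasons` in the same commit. The description string runs past the end of the hunk, so the remainder of the warning is not visible here.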