summary refs log blame commit diff
path: root/nixos/modules/security/acme.xml
blob: 6130ed82ed3806370afdffc045b5f8c80f992037 (plain) (tree) 
1685b9d06eb ^




































































4e6697dcb6b ^

a878365b77e ^






4e6697dcb6b ^



a878365b77e ^












4e6697dcb6b ^

4e6697dcb6b ^

1685b9d06eb ^

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68

69

70
71
72
73
74
75

76
77
78

79
80
81
82
83
84
85
86
87
88
89
90

91

92

93




































































                                                                              
                                                        





                                                                     


                











                          
                 
          
          
<chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="module-security-acme">

<title>SSL/TLS Certificates with ACME</title>

<para>NixOS supports automatic domain validation &amp; certificate
retrieval and renewal using the ACME protocol. This is currently only
implemented by and for Let's Encrypt. The alternative ACME client
<literal>simp_le</literal> is used under the hood.</para>

<section><title>Prerequisites</title>

<para>You need to have a running HTTP server for verification. The server must
have a webroot defined that can serve
<filename>.well-known/acme-challenge</filename>. This directory must be
writeable by the user that will run the ACME client.</para>

<para>For instance, this generic snippet could be used for Nginx:

<programlisting>
http {
  server {
    server_name _;
    listen 80;
    listen [::]:80;

    location /.well-known/acme-challenge {
      root /var/www/challenges;
    }

    location / {
      return 301 https://$host$request_uri;
    }
  }
}
</programlisting>
</para>

</section>

<section><title>Configuring</title>

<para>To enable ACME certificate retrieval &amp; renewal for a certificate for
<literal>foo.example.com</literal>, add the following in your
<filename>configuration.nix</filename>:

<programlisting>
security.acme.certs."foo.example.com" = {
  webroot = "/var/www/challenges";
  email = "foo@example.com";
};
</programlisting>
</para>

<para>The private key <filename>key.pem</filename> and certificate
<filename>fullchain.pem</filename> will be put into
<filename>/var/lib/acme/foo.example.com</filename>. The target directory can
be configured with the option <literal>security.acme.directory</literal>.
</para>

<para>Refer to <xref linkend="ch-options" /> for all available configuration
options for the <literal>security.acme</literal> module.</para>

</section>

<section><title>Using ACME certificates in Nginx</title>
<para>NixOS supports fetching ACME certificates for you by setting
<literal>enableACME = true;</literal> in a virtualHost config. We
first create self-signed placeholder certificates in place of the
real ACME certs. The placeholder certs are overwritten when the ACME
certs arrive. For <literal>foo.example.com</literal> the config would
look like.
</para>

<programlisting>
services.nginx = {
  enable = true;
  virtualHosts = {
    "foo.example.com" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        root = "/var/www";
      };
    };
  };
}
</programlisting>
</section>
</chapter>
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-08 07:07:44 +0000