authorLucas Savva <lucas@m1cr0man.com>2020-01-19 18:24:04 +0000
committerLucas Savva <lucas@m1cr0man.com>2020-01-19 18:24:04 +0000
commit769fbf92541d86730be3f0be3f1c958c82644c92 (patch)
tree757c295a3e2521519e85df8c8605692f16ed3e0e /nixos/modules/security/acme.nix
parent61665e33631f7d0b1edca27050c96137b99423db (diff)
nixos/acme: fix some descriptions, default acceptTerms to false
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r--nixos/modules/security/acme.nix43
1 files changed, 33 insertions, 10 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 11775e6aef0..36cf4f7e681 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -97,18 +97,33 @@ let
         '';
       };
 
+      keyType = mkOption {
+        type = types.str;
+        default = "ec384";
+        description = ''
+          Key type to use for private keys.
+          For an up to date list of supported values check the --key-type option
+          at https://go-acme.github.io/lego/usage/cli/#usage.
+        '';
+      };
+
       dnsProvider = mkOption {
         type = types.nullOr types.str;
         default = null;
         example = "route53";
-        description = "DNS Challenge provider";
+        description = ''
+          DNS Challenge provider. For a list of supported providers, see the "code"
+          field of the DNS providers listed at https://go-acme.github.io/lego/dns/.
+        '';
       };
 
       credentialsFile = mkOption {
-        type = types.str;
+        type = types.path;
         description = ''
-          File containing DNS provider credentials passed as environment variables.
-          See https://go-acme.github.io/lego/dns/ for more information.
+          Path to an EnvironmentFile for the cert's service containing any required and
+          optional environment variables for your selected dnsProvider.
+          To find out what values you need to set, consult the documentation at
+          https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider.
         '';
         example = "/var/src/secrets/example.org-route53-api-token";
       };
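Review bot: `credentialsFile` now has `type = types.path`, which accepts an unquoted Nix path literal as well as a string; a path literal like `/var/src/secrets/example.org-route53-api-token` is copied into the world-readable Nix store at evaluation time, exposing the DNS API token to every local user. The quoted-string example on the line above is safe, but nothing in the new description says so, and `types.path` invites the unquoted form. I'd add one sentence to the description: `Give this as a string (e.g. "/var/src/secrets/..."), not as a Nix path literal, otherwise the secret is copied into the world-readable Nix store.`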
@@ -117,8 +132,8 @@ let
         type = types.bool;
         default = true;
         description = ''
-          Toggles LEGo DNS propagation check, which is used alongside DNS-01
-          challenge to ensure the DNS entries required are available
+          Toggles lego DNS propagation check, which is used alongside DNS-01
+          challenge to ensure the DNS entries required are available.
         '';
       };
     };
@@ -192,10 +207,10 @@ in
 
       acceptTerms = mkOption {
         type = types.bool;
-        default = true;
+        default = false;
         description = ''
-          Accept the current Let's Encrypt terms of service.
-          See https://letsencrypt.org/repository/
+          Accept the CA's terms of service. The default provier is Let's Encrypt,
+          you can find their ToS at https://letsencrypt.org/repository/
         '';
       };
 
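Review bot: The new `acceptTerms` description misspells "provider" as "provier", and the sentence is about the CA rather than a DNS provider, so `The default CA is Let's Encrypt; you can find their ToS at https://letsencrypt.org/repository/` reads better. Since this commit also adds an assertion on `cfg.acceptTerms` (a later hunk), the description should tell the reader that leaving the new `false` default in place makes evaluation fail, e.g. `The module refuses to evaluate until this is set to true.`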
@@ -247,6 +262,14 @@ in
             `security.acme.email` to register with the CA.
           '';
         }
+        {
+          assertion = cfg.acceptTerms;
+          message = ''
+            You must accept the CA's terms of service before using
+            the ACME module by setting `security.acme.acceptTerms`
+            to `true`. For Let's Encrypt's ToS see https://letsencrypt.org/repository/
+          '';
+        }
       ];
 
       systemd.services = let
@@ -260,7 +283,7 @@ in
                 spath = "/var/lib/acme/.lego";
                 rights = if data.allowKeysForGroup then "750" else "700";
                 email = if data.email == null then cfg.email else data.email;
-                globalOpts = [ "-d" data.domain "--email" email "--path" "." ]
+                globalOpts = [ "-d" data.domain "--email" email "--path" "." "--key-type" data.keyType ]
                           ++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
                           ++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
                           ++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
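Review bot: `data.keyType` is spliced into `globalOpts` as a free-form string, so a typo or a value lego does not support is only discovered when the cert's systemd service runs, not at evaluation time. The option is declared as `types.str` in the first hunk of this commit; declaring it as `type = types.enum [ ... ]` with the values lego documents for `--key-type` (or adding an assertion next to the new `acceptTerms` one) would surface the mistake at `nixos-rebuild` time. How `globalOpts` is turned into the command line is outside this hunk, so I can't confirm the list is passed through `escapeShellArgs`; if it is concatenated into a script string instead, a user-supplied value in this list must be escaped.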