author | Graham Christensen <graham@grahamc.com> | 2018-09-29 20:51:11 -0400 |
---|---|---|
committer | Graham Christensen <graham@grahamc.com> | 2018-09-29 20:51:11 -0400 |
commit | 8413f22bb39bd1c8adcf2ca9e6fcd4c59ddb3549 (patch) | |
tree | 2fd2a5d5e07bc85ea97ae3c0cb13eb563860ad66 /nixos/modules/security/acme.xml | |
parent | 9622cd3b38ddbc7faa4cac2a48dbd70bd99570d0 (diff) | |
download | nixpkgs-8413f22bb39bd1c8adcf2ca9e6fcd4c59ddb3549.tar nixpkgs-8413f22bb39bd1c8adcf2ca9e6fcd4c59ddb3549.tar.gz nixpkgs-8413f22bb39bd1c8adcf2ca9e6fcd4c59ddb3549.tar.bz2 nixpkgs-8413f22bb39bd1c8adcf2ca9e6fcd4c59ddb3549.tar.lz nixpkgs-8413f22bb39bd1c8adcf2ca9e6fcd4c59ddb3549.tar.xz nixpkgs-8413f22bb39bd1c8adcf2ca9e6fcd4c59ddb3549.tar.zst nixpkgs-8413f22bb39bd1c8adcf2ca9e6fcd4c59ddb3549.zip |
docs: format
Diffstat (limited to 'nixos/modules/security/acme.xml')
-rw-r--r-- | nixos/modules/security/acme.xml | 104 |
1 files changed, 55 insertions, 49 deletions
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml index b4cd83f6632..ef71fe53d0c 100644 --- a/nixos/modules/security/acme.xml +++ b/nixos/modules/security/acme.xml @@ -3,23 +3,25 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="module-security-acme"> - -<title>SSL/TLS Certificates with ACME</title> - -<para>NixOS supports automatic domain validation & certificate -retrieval and renewal using the ACME protocol. This is currently only -implemented by and for Let's Encrypt. The alternative ACME client -<literal>simp_le</literal> is used under the hood.</para> - -<section xml:id="module-security-acme-prerequisites"><title>Prerequisites</title> - -<para>You need to have a running HTTP server for verification. The server must -have a webroot defined that can serve -<filename>.well-known/acme-challenge</filename>. This directory must be -writeable by the user that will run the ACME client.</para> - -<para>For instance, this generic snippet could be used for Nginx: - + <title>SSL/TLS Certificates with ACME</title> + <para> + NixOS supports automatic domain validation & certificate retrieval and + renewal using the ACME protocol. This is currently only implemented by and + for Let's Encrypt. The alternative ACME client <literal>simp_le</literal> is + used under the hood. + </para> + <section xml:id="module-security-acme-prerequisites"> + <title>Prerequisites</title> + + <para> + You need to have a running HTTP server for verification. The server must + have a webroot defined that can serve + <filename>.well-known/acme-challenge</filename>. This directory must be + writeable by the user that will run the ACME client. + </para> + + <para> + For instance, this generic snippet could be used for Nginx: <programlisting> http { server { 
@@ -37,43 +39,47 @@ http { } } </programlisting> -</para> - -</section> - -<section xml:id="module-security-acme-configuring"><title>Configuring</title> - -<para>To enable ACME certificate retrieval & renewal for a certificate for -<literal>foo.example.com</literal>, add the following in your -<filename>configuration.nix</filename>: - + </para> + </section> + <section xml:id="module-security-acme-configuring"> + <title>Configuring</title> + + <para> + To enable ACME certificate retrieval & renewal for a certificate for + <literal>foo.example.com</literal>, add the following in your + <filename>configuration.nix</filename>: <programlisting> <xref linkend="opt-security.acme.certs"/>."foo.example.com" = { <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/www/challenges"; <link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com"; }; </programlisting> -</para> - -<para>The private key <filename>key.pem</filename> and certificate -<filename>fullchain.pem</filename> will be put into -<filename>/var/lib/acme/foo.example.com</filename>. The target directory can -be configured with the option <xref linkend="opt-security.acme.directory"/>. -</para> - -<para>Refer to <xref linkend="ch-options" /> for all available configuration -options for the <link linkend="opt-security.acme.certs">security.acme</link> module.</para> - -</section> - -<section xml:id="module-security-acme-nginx"><title>Using ACME certificates in Nginx</title> -<para>NixOS supports fetching ACME certificates for you by setting - <literal><link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;</literal> in a virtualHost config. We -first create self-signed placeholder certificates in place of the -real ACME certs. The placeholder certs are overwritten when the ACME -certs arrive. For <literal>foo.example.com</literal> the config would -look like. 
-</para> + </para> + + <para> + The private key <filename>key.pem</filename> and certificate + <filename>fullchain.pem</filename> will be put into + <filename>/var/lib/acme/foo.example.com</filename>. The target directory can + be configured with the option <xref linkend="opt-security.acme.directory"/>. + </para> + + <para> + Refer to <xref linkend="ch-options" /> for all available configuration + options for the <link linkend="opt-security.acme.certs">security.acme</link> + module. + </para> + </section> + <section xml:id="module-security-acme-nginx"> + <title>Using ACME certificates in Nginx</title> + + <para> + NixOS supports fetching ACME certificates for you by setting + <literal><link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> + = true;</literal> in a virtualHost config. We first create self-signed + placeholder certificates in place of the real ACME certs. The placeholder + certs are overwritten when the ACME certs arrive. For + <literal>foo.example.com</literal> the config would look like. + </para> <programlisting> services.nginx = { @@ -89,5 +95,5 @@ services.nginx = { }; } </programlisting> -</section> + </section> </chapter> |
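Review bot: in the first hunk (`@@ -3,23 +3,25 @@`) the reflowed prerequisites paragraph still says the `.well-known/acme-challenge` webroot "must be writeable by the user that will run the ACME client" without naming that user or noting that the web server itself only needs to read the directory; since this commit is touching every line of that paragraph anyway, it would be worth a follow-up that says which account the client runs as and that the webroot should be writable by that account only. In the same hunk, "The alternative ACME client `simp_le` is used under the hood" is confusing after the preceding sentence ("only implemented by and for Let's Encrypt"): alternative to what? "The ACME client `simp_le` is used under the hood" says what is meant.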
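Review bot: the second hunk (`@@ -37,43 +39,47 @@`) leaves the three sections inconsistent about where the `<programlisting>` sits: in the Prerequisites and Configuring sections the listing is inside the `<para>` (the `</para>` follows `</programlisting>`), while in the Nginx section the new `</para>` is closed before `<programlisting>`. For a format-only commit, pick one placement and use it in all three. The lead-in sentence in that Nginx paragraph also ends "the config would look like." where the other two lead-ins end with a colon ("could be used for Nginx:", "add the following in your `configuration.nix`:"); ending it with a colon matches. Separately, the Configuring paragraph says `key.pem` and `fullchain.pem` are written to `/var/lib/acme/foo.example.com` but nothing about who can read the private key; a sentence on the ownership and permissions of that directory would belong next to that statement.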