ACME: Difference between revisions
imported>Onny mNo edit summary |
mNo edit summary |
||
| (4 intermediate revisions by 3 users not shown) | |||
| Line 11: | Line 11: | ||
certs."mx1.example.org" = { | certs."mx1.example.org" = { | ||
dnsProvider = "inwx"; | dnsProvider = "inwx"; | ||
# | # Supplying password files like this will make your credentials world-readable | ||
# in the Nix store. This is for demonstration purpose only, do not use this in production. | # in the Nix store. This is for demonstration purpose only, do not use this in production. | ||
environmentFile = "${pkgs.writeText "inwx-creds" '' | |||
INWX_USERNAME=xxxxxxxxxx | INWX_USERNAME=xxxxxxxxxx | ||
INWX_PASSWORD=yyyyyyyyyy | INWX_PASSWORD=yyyyyyyyyy | ||
| Line 22: | Line 22: | ||
Certificates are getting generated for the domain <code>mx1.example.org</code> using the DNS provider <code>inwx</code>. See [https://go-acme.github.io/lego/dns upstream documentation] on available providers and their specific configuration for the <code>credentialsFile</code> option. | Certificates are getting generated for the domain <code>mx1.example.org</code> using the DNS provider <code>inwx</code>. See [https://go-acme.github.io/lego/dns upstream documentation] on available providers and their specific configuration for the <code>credentialsFile</code> option. | ||
== Usage == | |||
After successfull generation, certificates can be found in the directory <code>/var/lib/acme</code>. To use certificates in other applications, permissions can be adjusted by setting a group name as a string or reference it. | |||
<syntaxhighlight lang="nix"> | |||
security.acme.certs."mx1.example.org".group = config.services.maddy.group; | |||
</syntaxhighlight> | |||
== Using Let's Encrypt Staging == | |||
If you'd like to use the Let's Encrypt [https://letsencrypt.org/docs/staging-environment/ staging environment], eg for its less stringent rate limits, set | |||
<syntaxhighlight lang="nix"> | |||
security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; | |||
</syntaxhighlight> | |||
== See also == | == See also == | ||
* NixOS manual on [https://nixos.org/manual/nixos/stable/index.html#module-security-acme SSL/TLS Certificates with ACME] | * NixOS manual on [https://nixos.org/manual/nixos/stable/index.html#module-security-acme SSL/TLS Certificates with ACME] | ||
[[Category: Server]] | |||
[[Category: Networking]] | |||
Latest revision as of 19:34, 24 April 2024
NixOS supports automatic domain validation & certificate retrieval and renewal using the ACME protocol. Any provider can be used, but by default NixOS uses Let's Encrypt. The alternative ACME client lego is used under the hood.
Setup
Following example setup generates certificates using DNS validation. Let's Encrypt ToS has to be accepted. Further the contact mail admin+acme@example.com is defined.
security.acme = {
acceptTerms = true;
defaults.email = "admin+acme@example.org";
certs."mx1.example.org" = {
dnsProvider = "inwx";
# Supplying password files like this will make your credentials world-readable
# in the Nix store. This is for demonstration purpose only, do not use this in production.
environmentFile = "${pkgs.writeText "inwx-creds" ''
INWX_USERNAME=xxxxxxxxxx
INWX_PASSWORD=yyyyyyyyyy
''}";
};
};
Certificates are getting generated for the domain mx1.example.org using the DNS provider inwx. See upstream documentation on available providers and their specific configuration for the credentialsFile option.
Usage
After successfull generation, certificates can be found in the directory /var/lib/acme. To use certificates in other applications, permissions can be adjusted by setting a group name as a string or reference it.
security.acme.certs."mx1.example.org".group = config.services.maddy.group;
Using Let's Encrypt Staging
If you'd like to use the Let's Encrypt staging environment, eg for its less stringent rate limits, set
security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
See also
- NixOS manual on SSL/TLS Certificates with ACME