ACME: Difference between revisions

From NixOS Wiki
imported>Onny
Initial page
 
imported>Onny
mNo edit summary
Line 3: Line 3:
== Setup ==
== Setup ==


Following example setup generates certificates using DNS validation.
Following example setup generates certificates using DNS validation. [https://letsencrypt.org/repository/ Let's Encrypt ToS] has to be accepted. Further the contact mail <code>admin+acme@example.com</code> is defined.


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
Line 9: Line 9:
   acceptTerms = true;
   acceptTerms = true;
   defaults.email = "admin+acme@example.com";
   defaults.email = "admin+acme@example.com";
   certs."example.com" = {
   certs."mx1.example.org" = {
    domain = "*.example.com";
     dnsProvider = "inwx";
     dnsProvider = "rfc2136";
     credentialsFile = config.sops.secrets.lego-inwx-credentials.path;
     credentialsFile = "/var/lib/secrets/certs.secret";
     # Suplying password files like this will make your credentials world-readable
     # We don't need to wait for propagation since this is a local DNS server
    # in the Nix store. This is for demonstration purpose only, do not use this in production.
     dnsPropagationCheck = false;
     credentialsFile = "${pkgs.writeText "inwx-creds" ''
      INWX_USERNAME=xxxxxxxxxx
      INWX_PASSWORD=yyyyyyyyyy
    ''}";
   };
   };
};
};
</syntaxhighlight>
</syntaxhighlight>
Certificates are getting generated for the domain <code>mx1.example.org</code> using the DNS provider <code>inwx</code>. See [https://go-acme.github.io/lego/dns upstream documentation] on available providers and their specific configuration for the <code>credentialsFile</code> option.


== See also ==
== See also ==


* NixOS manual on [https://nixos.org/manual/nixos/stable/index.html#module-security-acme SSL/TLS Certificates with ACME]
* NixOS manual on [https://nixos.org/manual/nixos/stable/index.html#module-security-acme SSL/TLS Certificates with ACME]

Revision as of 11:38, 22 April 2023

NixOS supports automatic domain validation & certificate retrieval and renewal using the ACME protocol. Any provider can be used, but by default NixOS uses Let's Encrypt. The alternative ACME client lego is used under the hood.

Setup

Following example setup generates certificates using DNS validation. Let's Encrypt ToS has to be accepted. Further the contact mail admin+acme@example.com is defined.

security.acme = {
  acceptTerms = true;
  defaults.email = "admin+acme@example.com";
  certs."mx1.example.org" = {
    dnsProvider = "inwx";
    credentialsFile = config.sops.secrets.lego-inwx-credentials.path;
    # Suplying password files like this will make your credentials world-readable
    # in the Nix store. This is for demonstration purpose only, do not use this in production.
    credentialsFile = "${pkgs.writeText "inwx-creds" ''
      INWX_USERNAME=xxxxxxxxxx
      INWX_PASSWORD=yyyyyyyyyy
    ''}";
  };
};

Certificates are getting generated for the domain mx1.example.org using the DNS provider inwx. See upstream documentation on available providers and their specific configuration for the credentialsFile option.

See also