Nginx: Difference between revisions

Line 289:

1. We have to '''modify DNS such that our domain''' like <code>myhost.org</code> '''resolves to the local IP address of our private server''' and port 80 and 443 have been opened. [https://www.youtube.com/watch?v=qlcVx-k-02E See this video tutorial] for an example on how to do that.

2. We have to setup the Let's Encrypt NixOS ACME services such that it uses an API token in a secrets file ([https://github.com/ryantm/agenix secrets for a server can be conveniently and securely deployed in NixOS with agenix]; just follow the tutorial) against our DNS provider to prove from our server that we own the domain. This way our server doesn't need to be exposed and reachable from the internet. NixOS ACME uses the [https://go-acme.github.io/lego/ LEGO library] to communicate to DNS providers and therefore we have to provide the token(s) in that ~~tool~~'s secrets format.

2. We have to setup the Let's Encrypt NixOS ACME services such that it uses an API token in a secrets file ([https://github.com/ryantm/agenix secrets for a server can be conveniently and securely deployed in NixOS with agenix]; just follow the tutorial) against our DNS provider to prove from our server that we own the domain. This way our server doesn't need to be exposed and reachable from the internet. NixOS ACME uses the [https://go-acme.github.io/lego/ LEGO library] to communicate to DNS providers (it supports a lot) and therefore we have to provide the token(s) in that library's secrets file format.

In the example we use Hetzner as our "dnsProvider" that only needs a single API token environment in our secrets file:

Line 302:

3. Point our virtualHost to the ACME entry.

services.nginx.enable = true;

{

~~services.nginx~~.virtualHosts."~~myhost~~.org" = {

services.nginx = {

~~addSSL~~ = true;

enable = true;

~~enableACME~~ = true;

# we can use the main domain or any subdomain that's mentioned by

~~root~~ = "/~~var~~/~~www~~/~~myhost.org"~~;

# "extraDomainNames" in the acme certificate.

};

virtualHosts."subdomain.example.org" = {

security.acme ~~= {~~

# 3. Instead of "enableACME = true;" we

acceptTerms = true;

# reuse the certificate from "security.acme.certs."example.org"

defaults.email = "~~foo~~@~~bar~~.~~com~~";

# down below

};

useACMEHost = "example.org";

forceSSL = true;

locations."/" = {

return = "200 '<html><body>It works</body></html>'";

extraConfig = ''

default_type text/html;

'';

};

security.acme.acceptTerms = true;

security.acme.defaults.email = "info@example.org";

# 2. Let NixOS generate a Let's Encrypt certificate that we can reuse

# above for several virtualhosts above.

security.acme.certs."example.org" = {

domain = "example.org";

extraDomainNames = [ "subdomain.example.org" ];

# The LEGO DNS provider name. Depending on the provider, need different

# contents in the credentialsFile below.

dnsProvider = "hetzner";

dnsPropagationCheck = true;

# agenix will decrypt our secrets file (below) on the server and make it available

# under /run/agenix/secrets/hetzner-dns-token (by default):

# credentialsFile = "/run/agenix/secrets/hetzner-dns-token";

credentialsFile = config.age.secrets."hetzner-dns-token.age".path;

};

# Let agenix know about and copy our (encrypted) DNS API token secrets file

# (containing "HETZNER_API_KEY=...") to the server an decrypt it there.

# Follow the agenix tutorial on how to encrypt a secrets file

# to a .age file and how to setup your Nix flake to use it.

age.secrets."hetzner-dns-token.age".file = .../hetzner-dns-token.age;

users.users.nginx.extraGroups = [ "acme" ];

}

</syntaxhighlight>

This will set up nginx to serve files for ~~<code>myhost~~.org~~</code>~~, automatically request an ACME SSL Certificate using a "DNS-01" challenge (meaning your server must not be exposed to the internet) and will configure systemd timers to renew the certificate if required.

This will set up nginx to serve files for example.org, automatically request an ACME SSL Certificate using a "DNS-01" challenge (meaning your server must not be exposed to the internet) and will configure systemd timers to renew the certificate if required.

== Troubleshooting ==

@@ Line 289: / Line 289: @@
 . We have to '''modify DNS such that our domain''' like <code>myhost.org</code> '''resolves to the local IP address of our private server''' and port 80 and 443 have been opened. [https://www.youtube.com/watch?v=qlcVx-k-02E See this video tutorial] for an example on how to do that.
-. We have to setup the Let's Encrypt NixOS ACME services such that it uses an API token in a secrets file ([https://github.com/ryantm/agenix secrets for a server can be conveniently and securely deployed in NixOS with agenix]; just follow the tutorial) against our DNS provider to prove from our server that we own the domain. This way our server doesn't need to be exposed and reachable from the internet. NixOS ACME uses the [https://go-acme.github.io/lego/ LEGO library] to communicate to DNS providers and therefore we have to provide the token(s) in that tool's secrets format.
+. We have to setup the Let's Encrypt NixOS ACME services such that it uses an API token in a secrets file ([https://github.com/ryantm/agenix secrets for a server can be conveniently and securely deployed in NixOS with agenix]; just follow the tutorial) against our DNS provider to prove from our server that we own the domain. This way our server doesn't need to be exposed and reachable from the internet. NixOS ACME uses the [https://go-acme.github.io/lego/ LEGO library] to communicate to DNS providers (it supports a lot) and therefore we have to provide the token(s) in that library's secrets file format.
 In the example we use Hetzner as our "dnsProvider" that only needs a single API token environment in our secrets file:
@@ Line 302: / Line 302: @@
 . Point our virtualHost to the ACME entry.
 <syntaxhighlight lang="nix">
-services.nginx.enable = true;
+{
-services.nginx.virtualHosts."myhost.org" = {
+  services.nginx = {
-    addSSL = true;
+    enable = true;
-    enableACME = true;
+    # we can use the main domain or any subdomain that's mentioned by
-    root = "/var/www/myhost.org";
+    # "extraDomainNames" in the acme certificate.
-};
+    virtualHosts."subdomain.example.org" = {
-security.acme = {
+      # 3. Instead of "enableACME = true;" we
-  acceptTerms = true;
+      # reuse the certificate from "security.acme.certs."example.org"
-   defaults.email = "foo@bar.com";
+      # down below
-};
+      useACMEHost = "example.org";
+      forceSSL = true;
+      locations."/" = {
+        return = "200 '<html><body>It works</body></html>'";
+        extraConfig = ''
+          default_type text/html;
+        '';
+      };
+    };
+  };
+  security.acme.acceptTerms = true;
+   security.acme.defaults.email = "info@example.org";
+  # 2. Let NixOS generate a Let's Encrypt certificate that we can reuse
+  # above for several virtualhosts above.
+  security.acme.certs."example.org" = {
+    domain = "example.org";
+    extraDomainNames = [ "subdomain.example.org" ];
+    # The LEGO DNS provider name. Depending on the provider, need different
+    # contents in the credentialsFile below.
+    dnsProvider = "hetzner";
+    dnsPropagationCheck = true;
+    # agenix will decrypt our secrets file (below) on the server and make it available
+    # under /run/agenix/secrets/hetzner-dns-token (by default):
+    # credentialsFile = "/run/agenix/secrets/hetzner-dns-token";
+    credentialsFile = config.age.secrets."hetzner-dns-token.age".path;
+  };
+  # Let agenix know about and copy our (encrypted) DNS API token secrets file
+  # (containing "HETZNER_API_KEY=...") to the server an decrypt it there.
+  # Follow the agenix tutorial on how to encrypt a secrets file
+  # to a .age file and how to setup your Nix flake to use it.
+  age.secrets."hetzner-dns-token.age".file = .../hetzner-dns-token.age;
+  users.users.nginx.extraGroups = [ "acme" ];
+}
 </syntaxhighlight>
-This will set up nginx to serve files for <code>myhost.org</code>, automatically request an ACME SSL Certificate using a "DNS-01" challenge (meaning your server must not be exposed to the internet) and will configure systemd timers to renew the certificate if required.
+This will set up nginx to serve files for example.org, automatically request an ACME SSL Certificate using a "DNS-01" challenge (meaning your server must not be exposed to the internet) and will configure systemd timers to renew the certificate if required.
 == Troubleshooting ==