ACME: Difference between revisions

From NixOS Wiki
Sandro (talk | contribs)
Change example to nginx
Sandro (talk | contribs)
Remove maybe confusing mx1 subdomain
Line 28: Line 28:


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
security.acme.certs."mx1.example.org".group = "nginx";
security.acme.certs."example.org".group = "nginx";
</syntaxhighlight>
</syntaxhighlight>


Line 34: Line 34:


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
security.acme.certs."mx1.example.org".group = config.services.nginx.group;
security.acme.certs."example.org".group = config.services.nginx.group;
</syntaxhighlight>
</syntaxhighlight>



Revision as of 18:17, 3 August 2024

NixOS supports automatic domain validation & certificate retrieval and renewal using the ACME protocol. Any provider can be used, but by default NixOS uses Let's Encrypt. The alternative ACME client lego is used under the hood.

Setup

Following example setup generates certificates using DNS validation. Let's Encrypt ToS has to be accepted. Further the contact mail admin+acme@example.com is defined.

security.acme = {
  acceptTerms = true;
  defaults.email = "admin+acme@example.org";
  certs."mx1.example.org" = {
    dnsProvider = "inwx";
    # Supplying password files like this will make your credentials world-readable
    # in the Nix store. This is for demonstration purpose only, do not use this in production.
    environmentFile = "${pkgs.writeText "inwx-creds" ''
      INWX_USERNAME=xxxxxxxxxx
      INWX_PASSWORD=yyyyyyyyyy
    ''}";
  };
};

Certificates are getting generated for the domain mx1.example.org using the DNS provider inwx. See upstream documentation on available providers and their specific configuration for the credentialsFile option.

Usage

After successfull generation, certificates can be found in the directory /var/lib/acme. When using certificates in other applications it may be required to change permissions. The group of the certificate files can be adjusted by setting the group option as a string

security.acme.certs."example.org".group = "nginx";

or reference.

security.acme.certs."example.org".group = config.services.nginx.group;

Using Let's Encrypt Staging

If you'd like to use the Let's Encrypt staging environment, eg for its less stringent rate limits, set

security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";

See also