diff --git a/nixos/doc/manual/configuration/configuration.xml b/nixos/doc/manual/configuration/configuration.xml
index afffd60bc48..1e488b59343 100644
--- a/nixos/doc/manual/configuration/configuration.xml
+++ b/nixos/doc/manual/configuration/configuration.xml
@@ -26,6 +26,7 @@ effect after you run nixos-rebuild.
+
diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix
index 844cba57cd8..bd558dac971 100644
--- a/nixos/doc/manual/default.nix
+++ b/nixos/doc/manual/default.nix
@@ -55,6 +55,7 @@ let
cp -prd $sources/* . # */
chmod -R u+w .
cp ${../../modules/services/databases/postgresql.xml} configuration/postgresql.xml
+ cp ${../../modules/security/acme.xml} configuration/acme.xml
cp ${../../modules/misc/nixos.xml} configuration/nixos.xml
ln -s ${optionsDocBook} options-db.xml
echo "${version}" > version
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 37de46cb1a5..8f3a2ee073b 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -131,67 +131,72 @@ in
};
###### implementation
- config = mkIf (cfg.certs != { }) {
+ config = mkMerge [
+ (mkIf (cfg.certs != { }) {
- systemd.services = flip mapAttrs' cfg.certs (cert: data:
- let
- cpath = "${cfg.directory}/${cert}";
- cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]
- ++ optionals (data.email != null) [ "--email" data.email ]
- ++ concatMap (p: [ "-f" p ]) data.plugins
- ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
+ systemd.services = flip mapAttrs' cfg.certs (cert: data:
+ let
+ cpath = "${cfg.directory}/${cert}";
+ cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]
+ ++ optionals (data.email != null) [ "--email" data.email ]
+ ++ concatMap (p: [ "-f" p ]) data.plugins
+ ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
- in nameValuePair
- ("acme-${cert}")
- ({
- description = "ACME cert renewal for ${cert} using simp_le";
- after = [ "network.target" ];
- serviceConfig = {
- Type = "oneshot";
- SuccessExitStatus = [ "0" "1" ];
- PermissionsStartOnly = true;
- User = data.user;
- Group = data.group;
- PrivateTmp = true;
- };
- path = [ pkgs.simp_le ];
- preStart = ''
- mkdir -p '${cfg.directory}'
- if [ ! -d '${cpath}' ]; then
- mkdir -m 700 '${cpath}'
- chown '${data.user}:${data.group}' '${cpath}'
- fi
- '';
- script = ''
- cd '${cpath}'
- set +e
- simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}
- EXITCODE=$?
- set -e
- echo "$EXITCODE" > /tmp/lastExitCode
- exit "$EXITCODE"
- '';
- postStop = ''
- if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then
- echo "Executing postRun hook..."
- ${data.postRun}
- fi
- '';
- })
- );
+ in nameValuePair
+ ("acme-${cert}")
+ ({
+ description = "ACME cert renewal for ${cert} using simp_le";
+ after = [ "network.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ SuccessExitStatus = [ "0" "1" ];
+ PermissionsStartOnly = true;
+ User = data.user;
+ Group = data.group;
+ PrivateTmp = true;
+ };
+ path = [ pkgs.simp_le ];
+ preStart = ''
+ mkdir -p '${cfg.directory}'
+ if [ ! -d '${cpath}' ]; then
+ mkdir -m 700 '${cpath}'
+ chown '${data.user}:${data.group}' '${cpath}'
+ fi
+ '';
+ script = ''
+ cd '${cpath}'
+ set +e
+ simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}
+ EXITCODE=$?
+ set -e
+ echo "$EXITCODE" > /tmp/lastExitCode
+ exit "$EXITCODE"
+ '';
+ postStop = ''
+ if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then
+ echo "Executing postRun hook..."
+ ${data.postRun}
+ fi
+ '';
+ })
+ );
- systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
- ("acme-${cert}")
- ({
- description = "timer for ACME cert renewal of ${cert}";
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnCalendar = cfg.renewInterval;
- Unit = "acme-simp_le-${cert}.service";
- };
- })
- );
+ systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
+ ("acme-${cert}")
+ ({
+ description = "timer for ACME cert renewal of ${cert}";
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = cfg.renewInterval;
+ Unit = "acme-simp_le-${cert}.service";
+ };
+ })
+ );
+ })
- };
+ { meta.maintainers = with lib.maintainers; [ abbradar fpletz globin ];
+ meta.doc = ./acme.xml;
+ }
+ ];
}
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml
new file mode 100644
index 00000000000..e32fa72c939
--- /dev/null
+++ b/nixos/modules/security/acme.xml
@@ -0,0 +1,69 @@
+
+
+SSL/TLS Certificates with ACME
+
+NixOS supports automatic domain validation & certificate
+retrieval and renewal using the ACME protocol. This is currently only
+implemented by and for Let's Encrypt. The alternative ACME client
+simp_le is used under the hood.
+
+Prerequisites
+
+You need to have a running HTTP server for verification. The server must
+have a webroot defined that can serve
+.well-known/acme-challenge. This directory must be
+writeable by the user that will run the ACME client.
+
+For instance, this generic snippet could be used for Nginx:
+
+
+http {
+ server {
+ server_name _;
+ listen 80;
+ listen [::]:80;
+
+ location /.well-known/acme-challenge {
+ root /var/www/challenges;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ }
+}
+
+
+
+
+
+Configuring
+
+To enable ACME certificate retrieval & renewal for a certificate for
+foo.example.com, add the following in your
+configuration.nix:
+
+
+security.acme.certs."foo.example.com" = {
+ webroot = "/var/www/challenges";
+ email = "foo@example.com";
+};
+
+
+
+The private key key.pem and certificate
+fullchain.pem will be put into
+/var/lib/acme/foo.example.com. The target directory can
+be configured with the option security.acme.directory.
+
+
+Refer to for all available configuration
+options for the security.acme module.
+
+
+
+