author | pennae <82953136+pennae@users.noreply.github.com> | 2023-12-11 09:03:32 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-11 09:03:32 +0100 |
commit | 90c53f5341e83ed4f0505c0ec4f3775b1751d6f7 (patch) | |
tree | 8d83f8f452a3c73f48487f3e30750186a07efebb /nixos/modules | |
parent | 3de3f7d87956a2dba7506b65e1c6709e3d6cb377 (diff) | |
parent | 5a64fb279993d632a4866c16e26aa14e5769d903 (diff) | |
Merge pull request #270224 from SuperSandro2000/patch-2
nixos/acme: add syntax highlighting to code blocks
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/security/acme/default.md | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/nixos/modules/security/acme/default.md b/nixos/modules/security/acme/default.md index 31548ad181a7..51ee0428d84e 100644 --- a/nixos/modules/security/acme/default.md +++ b/nixos/modules/security/acme/default.md @@ -45,7 +45,7 @@ placeholder certificates in place of the real ACME certs. The placeholder certs are overwritten when the ACME certs arrive. For `foo.example.com` the config would look like this: -``` +```nix security.acme.acceptTerms = true; security.acme.defaults.email = "admin+acme@example.com"; services.nginx = { @@ -88,7 +88,7 @@ This example uses a vhost called `certs.example.com`, with the intent that you will generate certs for all your vhosts and redirect everyone to HTTPS. -``` +```nix security.acme.acceptTerms = true; security.acme.defaults.email = "admin+acme@example.com"; @@ -136,7 +136,7 @@ services.httpd = { Now you need to configure ACME to generate a certificate. -``` +```nix security.acme.certs."foo.example.com" = { webroot = "/var/lib/acme/.challenges"; email = "foo@example.com"; @@ -167,7 +167,7 @@ see the [lego docs](https://go-acme.github.io/lego/dns/) for provider/server specific configuration values. For the sake of these docs, we will provide a fully self-hosted example using bind. -``` +```nix services.bind = { enable = true; extraConfig = '' @@ -199,7 +199,7 @@ The {file}`dnskeys.conf` and {file}`certs.secret` must be kept secure and thus you should not keep their contents in your Nix config. Instead, generate them one time with a systemd service: -``` +```nix systemd.services.dns-rfc2136-conf = { requiredBy = ["acme-example.com.service" "bind.service"]; before = ["acme-example.com.service" "bind.service"]; @@ -250,7 +250,7 @@ first, however instead of setting the options for one certificate you will set them as defaults (e.g. [](#opt-security.acme.defaults.dnsProvider)). -``` +```nix # Configure ACME appropriately security.acme.acceptTerms = true; security.acme.defaults.email = "admin+acme@example.com"; 
@@ -287,7 +287,7 @@ There is no way to change the user the ACME module uses (it will always be Below is an example configuration for OpenSMTPD, but this pattern can be applied to any service. -``` +```nix # Configure ACME however you like (DNS or HTTP validation), adding # the following configuration for the relevant certificate. # Note: You cannot use `systemctl reload` here as that would mean @@ -340,7 +340,7 @@ to be regenerated. In this scenario lego will produce the error `JWS verificatio The solution is to simply delete the associated accounts file and re-run the affected service(s). -``` +```shell # Find the accounts folder for the certificate systemctl cat acme-example.com.service | grep -Po 'accounts/[^:]*' export accountdir="$(!!)" |
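Review bot: In the final hunk (`@@ -340,7 +340,7 @@`), the new `shell` tag labels a block that is not portable shell. The context line `export accountdir="$(!!)"` relies on `!!` history expansion, which bash only performs in interactive sessions, and the line above it uses `grep -Po`, a GNU grep feature. Pasted into a script, `$(!!)` will not re-run the previous command, so the later steps of this account-deletion procedure would work on the wrong path or an empty one. Since this line is already being touched, consider spelling the substitution out, e.g. `accountdir="$(systemctl cat acme-example.com.service | grep -Po 'accounts/[^:]*')"`, or state in the text that the commands are meant to be typed into an interactive bash prompt. The `nix` tags in the other seven hunks match the content of their blocks.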