Diffstat (limited to 'nixpkgs/nixos/modules/security/acme.xml')
-rw-r--r-- | nixpkgs/nixos/modules/security/acme.xml | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/nixpkgs/nixos/modules/security/acme.xml b/nixpkgs/nixos/modules/security/acme.xml
index f24811291728..a78ff05f2eaa 100644
--- a/nixpkgs/nixos/modules/security/acme.xml
+++ b/nixpkgs/nixos/modules/security/acme.xml
@@ -115,15 +115,18 @@ services.nginx = {
 <programlisting>
 <xref linkend="opt-security.acme.acceptTerms" /> = true;
 <xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
+
+# /var/lib/acme/.challenges must be writable by the ACME user
+# and readable by the Nginx user. The easiest way to achieve
+# this is to add the Nginx user to the ACME group.
+<link linkend="opt-users.users._name_.extraGroups">users.users.nginx.extraGroups</link> = [ "acme" ];
+
 services.nginx = {
 <link linkend="opt-services.nginx.enable">enable</link> = true;
 <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
 "acmechallenge.example.com" = {
 # Catchall vhost, will redirect users to HTTPS for all vhosts
 <link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ "*.example.com" ];
- # /var/lib/acme/.challenges must be writable by the ACME user
- # and readable by the Nginx user.
- # By default, this is the case.
 locations."/.well-known/acme-challenge" = {
 <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/lib/acme/.challenges";
 };
@@ -134,6 +137,7 @@ services.nginx = {
 };
 }
 # Alternative config for Apache
+<link linkend="opt-users.users._name_.extraGroups">users.users.wwwrun.extraGroups</link> = [ "acme" ];
 services.httpd = {
 <link linkend="opt-services.httpd.enable">enable = true;</link>
 <link linkend="opt-services.httpd.virtualHosts">virtualHosts</link> = {
@@ -162,6 +166,9 @@ services.httpd = {
 <xref linkend="opt-security.acme.certs"/>."foo.example.com" = {
 <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/lib/acme/.challenges";
 <link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com";
+ # Ensure that the web server you use can read the generated certs
+ # Take a look at the <link linkend="opt-services.nginx.group">group</link> option for the web server you choose.
+ <link linkend="opt-security.acme.certs._name_.group">group</link> = "nginx";
 # Since we have a wildcard vhost to handle port 80,
 # we can generate certs for anything!
 # Just make sure your DNS resolves them.
@@ -257,10 +264,11 @@ chmod 400 /var/lib/secrets/certs.secret
 <para>
 Should you need to regenerate a particular certificate in a hurry, such as when a vulnerability is found in Let's Encrypt, there is now a convenient
- mechanism for doing so. Running <literal>systemctl clean acme-example.com.service</literal>
- will remove all certificate files for the given domain, allowing you to then
- <literal>systemctl start acme-example.com.service</literal> to generate fresh
- ones.
+ mechanism for doing so. Running
+ <literal>systemctl clean --what=state acme-example.com.service</literal>
+ will remove all certificate files and the account data for the given domain,
+ allowing you to then <literal>systemctl start acme-example.com.service</literal>
+ to generate fresh ones.
 </para>
 </section>
 <section xml:id="module-security-acme-fix-jws">
|