pyrox.dev
1<chapter xmlns="http://docbook.org/ns/docbook"
2 xmlns:xlink="http://www.w3.org/1999/xlink"
3 xmlns:xi="http://www.w3.org/2001/XInclude"
4 version="5.0"
5 xml:id="module-security-acme">
6
7<title>SSL/TLS Certificates with ACME</title>
8
9<para>NixOS supports automatic domain validation & certificate
10retrieval and renewal using the ACME protocol. This is currently only
11implemented by and for Let's Encrypt. The alternative ACME client
12<literal>simp_le</literal> is used under the hood.</para>
13
14<section xml:id="module-security-acme-prerequisites"><title>Prerequisites</title>
15
16<para>You need to have a running HTTP server for verification. The server must
17have a webroot defined that can serve
18<filename>.well-known/acme-challenge</filename>. This directory must be
19writeable by the user that will run the ACME client.</para>
20
21<para>For instance, this generic snippet could be used for Nginx:
22
23<programlisting>
24http {
25 server {
26 server_name _;
27 listen 80;
28 listen [::]:80;
29
30 location /.well-known/acme-challenge {
31 root /var/www/challenges;
32 }
33
34 location / {
35 return 301 https://$host$request_uri;
36 }
37 }
38}
39</programlisting>
40</para>
41
42</section>
43
44<section xml:id="module-security-acme-configuring"><title>Configuring</title>
45
46<para>To enable ACME certificate retrieval & renewal for a certificate for
47<literal>foo.example.com</literal>, add the following in your
48<filename>configuration.nix</filename>:
49
50<programlisting>
51<xref linkend="opt-security.acme.certs"/>."foo.example.com" = {
52 <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/www/challenges";
53 <link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com";
54};
55</programlisting>
56</para>
57
58<para>The private key <filename>key.pem</filename> and certificate
59<filename>fullchain.pem</filename> will be put into
60<filename>/var/lib/acme/foo.example.com</filename>. The target directory can
61be configured with the option <xref linkend="opt-security.acme.directory"/>.
62</para>
63
64<para>Refer to <xref linkend="ch-options" /> for all available configuration
65options for the <link linkend="opt-security.acme.certs">security.acme</link> module.</para>
66
67</section>
68
69<section xml:id="module-security-acme-nginx"><title>Using ACME certificates in Nginx</title>
70<para>NixOS supports fetching ACME certificates for you by setting
71 <literal><link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;</literal> in a virtualHost config. We
72first create self-signed placeholder certificates in place of the
73real ACME certs. The placeholder certs are overwritten when the ACME
74certs arrive. For <literal>foo.example.com</literal> the config would
75look like.
76</para>
77
78<programlisting>
79services.nginx = {
80 <link linkend="opt-services.nginx.enable">enable = true;</link>
81 <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
82 "foo.example.com" = {
83 <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
84 <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
85 locations."/" = {
86 <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/www";
87 };
88 };
89 };
90}
91</programlisting>
92</section>
93</chapter>