commit 1685b9d06ebe93eaaed478bde02db813fc39e4b2 · pyrox.dev/nixpkgs

nixos/doc/manual/configuration/configuration.xml

···

       26
        
       

     

       27
        
       <!-- FIXME: auto-include NixOS module docs -->

     

       28
        
       <xi:include href="postgresql.xml" />

     

       0
        
       
     

       29
        
       <xi:include href="nixos.xml" />

     

       30
        
       

     

       31
        
       <!-- Apache; libvirtd virtualisation -->

···

       26
        
       

     

       27
        
       <!-- FIXME: auto-include NixOS module docs -->

     

       28
        
       <xi:include href="postgresql.xml" />

     

       29
       +
       <xi:include href="acme.xml" />

     

       30
        
       <xi:include href="nixos.xml" />

     

       31
        
       

     

       32
        
       <!-- Apache; libvirtd virtualisation -->

nixos/doc/manual/default.nix

···

       55
        
             cp -prd $sources/* . # */

     

       56
        
             chmod -R u+w .

     

       57
        
             cp ${../../modules/services/databases/postgresql.xml} configuration/postgresql.xml

     

       0
        
       
     

       58
        
             cp ${../../modules/misc/nixos.xml} configuration/nixos.xml

     

       59
        
             ln -s ${optionsDocBook} options-db.xml

     

       60
        
             echo "${version}" > version

···

       55
        
             cp -prd $sources/* . # */

     

       56
        
             chmod -R u+w .

     

       57
        
             cp ${../../modules/services/databases/postgresql.xml} configuration/postgresql.xml

     

       58
       +
             cp ${../../modules/security/acme.xml} configuration/acme.xml

     

       59
        
             cp ${../../modules/misc/nixos.xml} configuration/nixos.xml

     

       60
        
             ln -s ${optionsDocBook} options-db.xml

     

       61
        
             echo "${version}" > version

+63 -58

nixos/modules/security/acme.nix

···

       131
        
         };

     

       132
        
       

     

       133
        
         ###### implementation

     

       134
       -
         config = mkIf (cfg.certs != { }) {

     

       0
        
       
     

       135
        
       

     

       136
       -
           systemd.services = flip mapAttrs' cfg.certs (cert: data:

     

       137
       -
             let

     

       138
       -
               cpath = "${cfg.directory}/${cert}";

     

       139
       -
               cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]

     

       140
       -
                         ++ optionals (data.email != null) [ "--email" data.email ]

     

       141
       -
                         ++ concatMap (p: [ "-f" p ]) data.plugins

     

       142
       -
                         ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);

     

       143
        
       

     

       144
       -
             in nameValuePair

     

       145
       -
             ("acme-${cert}")

     

       146
       -
             ({

     

       147
       -
               description = "ACME cert renewal for ${cert} using simp_le";

     

       148
       -
               after = [ "network.target" ];

     

       149
       -
               serviceConfig = {

     

       150
       -
                 Type = "oneshot";

     

       151
       -
                 SuccessExitStatus = [ "0" "1" ];

     

       152
       -
                 PermissionsStartOnly = true;

     

       153
       -
                 User = data.user;

     

       154
       -
                 Group = data.group;

     

       155
       -
                 PrivateTmp = true;

     

       156
       -
               };

     

       157
       -
               path = [ pkgs.simp_le ];

     

       158
       -
               preStart = ''

     

       159
       -
                 mkdir -p '${cfg.directory}'

     

       160
       -
                 if [ ! -d '${cpath}' ]; then

     

       161
       -
                   mkdir -m 700 '${cpath}'

     

       162
       -
                   chown '${data.user}:${data.group}' '${cpath}'

     

       163
       -
                 fi

     

       164
       -
               '';

     

       165
       -
               script = ''

     

       166
       -
                 cd '${cpath}'

     

       167
       -
                 set +e

     

       168
       -
                 simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}

     

       169
       -
                 EXITCODE=$?

     

       170
       -
                 set -e

     

       171
       -
                 echo "$EXITCODE" > /tmp/lastExitCode

     

       172
       -
                 exit "$EXITCODE"

     

       173
       -
               '';

     

       174
       -
               postStop = ''

     

       175
       -
                 if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then

     

       176
       -
                   echo "Executing postRun hook..."

     

       177
       -
                   ${data.postRun}

     

       178
       -
                 fi

     

       179
       -
               '';

     

       180
       -
             })

     

       181
       -
           );

     

       182
        
       

     

       183
       -
           systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair

     

       184
       -
             ("acme-${cert}")

     

       185
       -
             ({

     

       186
       -
               description = "timer for ACME cert renewal of ${cert}";

     

       187
       -
               wantedBy = [ "timers.target" ];

     

       188
       -
               timerConfig = {

     

       189
       -
                 OnCalendar = cfg.renewInterval;

     

       190
       -
                 Unit = "acme-simp_le-${cert}.service";

     

       191
       -
               };

     

       192
       -
             })

     

       193
       -
           );

     

       0
        
       
     

       194
        
       

     

       195
       -
         };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       196
        
       

     

       197
        
       }

···

       131
        
         };

     

       132
        
       

     

       133
        
         ###### implementation

     

       134
       +
         config = mkMerge [

     

       135
       +
           (mkIf (cfg.certs != { }) {

     

       136
        
       

     

       137
       +
             systemd.services = flip mapAttrs' cfg.certs (cert: data:

     

       138
       +
               let

     

       139
       +
                 cpath = "${cfg.directory}/${cert}";

     

       140
       +
                 cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]

     

       141
       +
                           ++ optionals (data.email != null) [ "--email" data.email ]

     

       142
       +
                           ++ concatMap (p: [ "-f" p ]) data.plugins

     

       143
       +
                           ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);

     

       144
        
       

     

       145
       +
               in nameValuePair

     

       146
       +
               ("acme-${cert}")

     

       147
       +
               ({

     

       148
       +
                 description = "ACME cert renewal for ${cert} using simp_le";

     

       149
       +
                 after = [ "network.target" ];

     

       150
       +
                 serviceConfig = {

     

       151
       +
                   Type = "oneshot";

     

       152
       +
                   SuccessExitStatus = [ "0" "1" ];

     

       153
       +
                   PermissionsStartOnly = true;

     

       154
       +
                   User = data.user;

     

       155
       +
                   Group = data.group;

     

       156
       +
                   PrivateTmp = true;

     

       157
       +
                 };

     

       158
       +
                 path = [ pkgs.simp_le ];

     

       159
       +
                 preStart = ''

     

       160
       +
                   mkdir -p '${cfg.directory}'

     

       161
       +
                   if [ ! -d '${cpath}' ]; then

     

       162
       +
                     mkdir -m 700 '${cpath}'

     

       163
       +
                     chown '${data.user}:${data.group}' '${cpath}'

     

       164
       +
                   fi

     

       165
       +
                 '';

     

       166
       +
                 script = ''

     

       167
       +
                   cd '${cpath}'

     

       168
       +
                   set +e

     

       169
       +
                   simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}

     

       170
       +
                   EXITCODE=$?

     

       171
       +
                   set -e

     

       172
       +
                   echo "$EXITCODE" > /tmp/lastExitCode

     

       173
       +
                   exit "$EXITCODE"

     

       174
       +
                 '';

     

       175
       +
                 postStop = ''

     

       176
       +
                   if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then

     

       177
       +
                     echo "Executing postRun hook..."

     

       178
       +
                     ${data.postRun}

     

       179
       +
                   fi

     

       180
       +
                 '';

     

       181
       +
               })

     

       182
       +
             );

     

       183
        
       

     

       184
       +
             systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair

     

       185
       +
               ("acme-${cert}")

     

       186
       +
               ({

     

       187
       +
                 description = "timer for ACME cert renewal of ${cert}";

     

       188
       +
                 wantedBy = [ "timers.target" ];

     

       189
       +
                 timerConfig = {

     

       190
       +
                   OnCalendar = cfg.renewInterval;

     

       191
       +
                   Unit = "acme-simp_le-${cert}.service";

     

       192
       +
                 };

     

       193
       +
               })

     

       194
       +
             );

     

       195
       +
           })

     

       196
        
       

     

       197
       +
           { meta.maintainers = with lib.maintainers; [ abbradar fpletz globin ];

     

       198
       +
             meta.doc = ./acme.xml;

     

       199
       +
           }

     

       200
       +
         ];

     

       201
        
       

     

       202
        
       }

+69

nixos/modules/security/acme.xml

···

       1
       +
       <chapter xmlns="http://docbook.org/ns/docbook"

     

       2
       +
                xmlns:xlink="http://www.w3.org/1999/xlink"

     

       3
       +
                xmlns:xi="http://www.w3.org/2001/XInclude"

     

       4
       +
                version="5.0"

     

       5
       +
                xml:id="module-security-acme">

     

       6
       +
       

     

       7
       +
       <title>SSL/TLS Certificates with ACME</title>

     

       8
       +
       

     

       9
       +
       <para>NixOS supports automatic domain validation &amp; certificate

     

       10
       +
       retrieval and renewal using the ACME protocol. This is currently only

     

       11
       +
       implemented by and for Let's Encrypt. The alternative ACME client

     

       12
       +
       <literal>simp_le</literal> is used under the hood.</para>

     

       13
       +
       

     

       14
       +
       <section><title>Prerequisites</title>

     

       15
       +
       

     

       16
       +
       <para>You need to have a running HTTP server for verification. The server must

     

       17
       +
       have a webroot defined that can serve

     

       18
       +
       <filename>.well-known/acme-challenge</filename>. This directory must be

     

       19
       +
       writeable by the user that will run the ACME client.</para>

     

       20
       +
       

     

       21
       +
       <para>For instance, this generic snippet could be used for Nginx:

     

       22
       +
       

     

       23
       +
       <programlisting>

     

       24
       +
       http {

     

       25
       +
         server {

     

       26
       +
           server_name _;

     

       27
       +
           listen 80;

     

       28
       +
           listen [::]:80;

     

       29
       +
       

     

       30
       +
           location /.well-known/acme-challenge {

     

       31
       +
             root /var/www/challenges;

     

       32
       +
           }

     

       33
       +
       

     

       34
       +
           location / {

     

       35
       +
             return 301 https://$host$request_uri;

     

       36
       +
           }

     

       37
       +
         }

     

       38
       +
       }

     

       39
       +
       </programlisting>

     

       40
       +
       </para>

     

       41
       +
       

     

       42
       +
       </section>

     

       43
       +
       

     

       44
       +
       <section><title>Configuring</title>

     

       45
       +
       

     

       46
       +
       <para>To enable ACME certificate retrieval &amp; renewal for a certificate for

     

       47
       +
       <literal>foo.example.com</literal>, add the following in your

     

       48
       +
       <filename>configuration.nix</filename>:

     

       49
       +
       

     

       50
       +
       <programlisting>

     

       51
       +
       security.acme.certs."foo.example.com" = {

     

       52
       +
         webroot = "/var/www/challenges";

     

       53
       +
         email = "foo@example.com";

     

       54
       +
       };

     

       55
       +
       </programlisting>

     

       56
       +
       </para>

     

       57
       +
       

     

       58
       +
       <para>The private key <filename>key.pem</filename> and certificate

     

       59
       +
       <filename>fullchain.pem</filename> will be put into

     

       60
       +
       <filename>/var/lib/acme/foo.example.com</filename>. The target directory can

     

       61
       +
       be configured with the option <literal>security.acme.directory</literal>.

     

       62
       +
       </para>

     

       63
       +
       

     

       64
       +
       <para>Refer to <xref linkend="ch-options" /> for all available configuration

     

       65
       +
       options for the <literal>security.acme</literal> module.</para>

     

       66
       +
       

     

       67
       +
       </section>

     

       68
       +
       

     

       69
       +
       </chapter>