
nixos docs: update for Nginx + ACME (#21320)

Closes #20698.

authored by teh and committed by Franz Pletz (a878365b 1753d8c8)

+20 -42
nixos/modules/security/acme.xml
··· 67 67 </section> 68 68 69 69 <section><title>Using ACME certificates in Nginx</title> 70 - <para>In practice ACME is mostly used for retrieval and renewal of 71 - certificates that will be used in a webserver like Nginx. A configuration for 72 - Nginx that uses the certificates from ACME for 73 - <literal>foo.example.com</literal> will look similar to: 70 + <para>NixOS supports fetching ACME certificates for you by setting 71 + <literal>enableACME = true;</literal> in a virtualHost config. We 72 + first create self-signed placeholder certificates in place of the 73 + real ACME certs. The placeholder certs are overwritten when the ACME 74 + certs arrive. For <literal>foo.example.com</literal> the config would 75 + look like. 74 76 </para> 75 77 76 78 <programlisting> 77 - security.acme.certs."foo.example.com" = { 78 - webroot = config.security.acme.directory + "/acme-challenge"; 79 - email = "foo@example.com"; 80 - user = "nginx"; 81 - group = "nginx"; 82 - postRun = "systemctl restart nginx.service"; 83 - }; 84 - services.nginx.httpConfig = '' 85 - server { 86 - server_name foo.example.com; 87 - listen 80; 88 - listen [::]:80; 89 - 90 - location /.well-known/acme-challenge { 91 - root /var/www/challenges; 92 - } 93 - 94 - location / { 95 - return 301 https://$host$request_uri; 96 - } 97 - } 98 - 99 - server { 100 - server_name foo.example.com; 101 - listen 443 ssl; 102 - ssl_certificate ${config.security.acme.directory}/foo.example.com/fullchain.pem; 103 - ssl_certificate_key ${config.security.acme.directory}/foo.example.com/key.pem; 104 - root /var/www/foo.example.com/; 105 - } 106 - ''; 79 + services.nginx = { 80 + enable = true; 81 + virtualHosts = { 82 + "foo.example.com" = { 83 + forceSSL = true; 84 + enableACME = true; 85 + locations."/" = { 86 + root = "/var/www"; 87 + }; 88 + }; 89 + }; 90 + } 107 91 </programlisting> 108 92 109 - <para>Now Nginx will try to use the certificates that will be retrieved by ACME. 
110 - ACME needs Nginx (or any other webserver) to function and Nginx needs 111 - the certificates to actually start. For this reason the ACME module 112 - automatically generates self-signed certificates that will be used by Nginx to 113 - start. After that Nginx is used by ACME to retrieve the actual ACME 114 - certificates. <literal>security.acme.preliminarySelfsigned</literal> can be 115 - used to control whether to generate the self-signed certificates. 116 - </para> 93 + <para>At the moment you still have to restart Nginx after the ACME 94 + certs arrive.</para> 117 95 </section> 118 96 </chapter>
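Review bot: the new Nix listing does not parse as an attribute binding: the block opened by `services.nginx = {` (line 79) is closed by a bare `}` (line 90) and needs a trailing semicolon, i.e. `};`, before the listing will evaluate. Two documentation gaps in the same hunk are also worth closing: the removed paragraph told readers that `security.acme.preliminarySelfsigned` controls whether the placeholder self-signed certificates are generated, but the new text describes the placeholders without naming the option; and the closing sentence "At the moment you still have to restart Nginx after the ACME certs arrive" states a requirement without showing how, whereas the removed example demonstrated it with `postRun = "systemctl restart nginx.service";` on the certificate entry. Consider keeping the option reference and showing `postRun` (or whichever restart hook applies) so the example is complete. Minor: "the config would look like." should end with a colon since a listing follows.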