MirrorHub/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-16 23:03:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge pull request #270224 from SuperSandro2000/patch-2

Browse source 
nixos/acme: add syntax highlighting to code blocks
This commit is contained in:
pennae 2023-12-11 09:03:32 +01:00 committed by GitHub
commit 90c53f5341
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
nixos/modules/security/acme/default.md
View file

@ -45,7 +45,7 @@ placeholder certificates in place of the real ACME certs. The placeholder
certs are overwritten when the ACME certs arrive. For
`foo.example.com` the config would look like this:
```
```nix
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin+acme@example.com";
services.nginx = {
@ -88,7 +88,7 @@ This example uses a vhost called `certs.example.com`, with
the intent that you will generate certs for all your vhosts and redirect
everyone to HTTPS.
```
```nix
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin+acme@example.com";
@ -136,7 +136,7 @@ services.httpd = {
Now you need to configure ACME to generate a certificate.
```
```nix
security.acme.certs."foo.example.com" = {
webroot = "/var/lib/acme/.challenges";
email = "foo@example.com";
@ -167,7 +167,7 @@ see the [lego docs](https://go-acme.github.io/lego/dns/)
for provider/server specific configuration values. For the sake of these
docs, we will provide a fully self-hosted example using bind.
```
```nix
services.bind = {
enable = true;
extraConfig = ''
@ -199,7 +199,7 @@ The {file}`dnskeys.conf` and {file}`certs.secret`
must be kept secure and thus you should not keep their contents in your
Nix config. Instead, generate them one time with a systemd service:
```
```nix
systemd.services.dns-rfc2136-conf = {
requiredBy = ["acme-example.com.service" "bind.service"];
before = ["acme-example.com.service" "bind.service"];
@ -250,7 +250,7 @@ first, however instead of setting the options for one certificate
you will set them as defaults
(e.g. [](#opt-security.acme.defaults.dnsProvider)).
```
```nix
# Configure ACME appropriately
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin+acme@example.com";
@ -287,7 +287,7 @@ There is no way to change the user the ACME module uses (it will always be
Below is an example configuration for OpenSMTPD, but this pattern
can be applied to any service.
```
```nix
# Configure ACME however you like (DNS or HTTP validation), adding
# the following configuration for the relevant certificate.
# Note: You cannot use `systemctl reload` here as that would mean
@ -340,7 +340,7 @@ to be regenerated. In this scenario lego will produce the error `JWS verificatio
The solution is to simply delete the associated accounts file and
re-run the affected service(s).
```
```shell
# Find the accounts folder for the certificate
systemctl cat acme-example.com.service | grep -Po 'accounts/[^:]*'
export accountdir="$(!!)"