nixos/acme: fix some descriptions, default acceptTerms to false
This commit is contained in:
parent
61665e3363
commit
769fbf9254
@ -97,18 +97,33 @@ let
|
||||
'';
|
||||
};
|
||||
|
||||
keyType = mkOption {
|
||||
type = types.str;
|
||||
default = "ec384";
|
||||
description = ''
|
||||
Key type to use for private keys.
|
||||
For an up to date list of supported values check the --key-type option
|
||||
at https://go-acme.github.io/lego/usage/cli/#usage.
|
||||
'';
|
||||
};
|
||||
|
||||
dnsProvider = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "route53";
|
||||
description = "DNS Challenge provider";
|
||||
description = ''
|
||||
DNS Challenge provider. For a list of supported providers, see the "code"
|
||||
field of the DNS providers listed at https://go-acme.github.io/lego/dns/.
|
||||
'';
|
||||
};
|
||||
|
||||
credentialsFile = mkOption {
|
||||
type = types.str;
|
||||
type = types.path;
|
||||
description = ''
|
||||
File containing DNS provider credentials passed as environment variables.
|
||||
See https://go-acme.github.io/lego/dns/ for more information.
|
||||
Path to an EnvironmentFile for the cert's service containing any required and
|
||||
optional environment variables for your selected dnsProvider.
|
||||
To find out what values you need to set, consult the documentation at
|
||||
https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider.
|
||||
'';
|
||||
example = "/var/src/secrets/example.org-route53-api-token";
|
||||
};
|
||||
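Review bot: Changing `credentialsFile` to `types.path` lets a caller pass a Nix path literal (for example `./secrets/token`), and a path literal is copied into the world-readable /nix/store as soon as it is coerced to a string for the service's EnvironmentFile, which would expose the DNS provider credentials to every local user. The new description should spell this out; e.g. append `Do not use a Nix path literal here, it would be copied into the world-readable Nix store; give an absolute string path to a file outside the store, as in the example.` The existing example `"/var/src/secrets/example.org-route53-api-token"` is already a string and is the safe form. The option definitions are complete within the hunk, but the enclosing `let` block starts before it.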
@ -117,8 +132,8 @@ let
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Toggles LEGo DNS propagation check, which is used alongside DNS-01
|
||||
challenge to ensure the DNS entries required are available
|
||||
Toggles lego DNS propagation check, which is used alongside DNS-01
|
||||
challenge to ensure the DNS entries required are available.
|
||||
'';
|
||||
};
|
||||
};
|
||||
@ -192,10 +207,10 @@ in
|
||||
|
||||
acceptTerms = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
default = false;
|
||||
description = ''
|
||||
Accept the current Let's Encrypt terms of service.
|
||||
See https://letsencrypt.org/repository/
|
||||
Accept the CA's terms of service. The default provier is Let's Encrypt,
|
||||
you can find their ToS at https://letsencrypt.org/repository/
|
||||
'';
|
||||
};
|
||||
|
||||
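Review bot: The rewritten `acceptTerms` description has a typo, "provier"; the line should read `Accept the CA's terms of service. The default provider is Let's Encrypt,`. Flipping the default to `false` is the right call, since agreeing to a CA's terms on the user's behalf should be an explicit choice, and the description now says whose terms are being accepted.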
@ -247,6 +262,14 @@ in
|
||||
`security.acme.email` to register with the CA.
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = cfg.acceptTerms;
|
||||
message = ''
|
||||
You must accept the CA's terms of service before using
|
||||
the ACME module by setting `security.acme.acceptTerms`
|
||||
to `true`. For Let's Encrypt's ToS see https://letsencrypt.org/repository/
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
||||
systemd.services = let
|
||||
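Review bot: The added assertion `assertion = cfg.acceptTerms;` is not conditioned on any certificate being requested, so unless the enclosing `assertions` list (which starts before this hunk) is itself guarded by something like `mkIf (cfg.certs != {})`, every configuration that merely imports the module now fails to evaluate rather than only those that use it; worth confirming against the head of the list. Combined with the default flip in the earlier hunk, existing deployments will hit this message on their next rebuild, so the message's explicit instruction to set `security.acme.acceptTerms` to `true` is appropriate.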
@ -260,7 +283,7 @@ in
|
||||
spath = "/var/lib/acme/.lego";
|
||||
rights = if data.allowKeysForGroup then "750" else "700";
|
||||
email = if data.email == null then cfg.email else data.email;
|
||||
globalOpts = [ "-d" data.domain "--email" email "--path" "." ]
|
||||
globalOpts = [ "-d" data.domain "--email" email "--path" "." "--key-type" data.keyType ]
|
||||
++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
|
||||
++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
|
||||
++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
|
||||
|
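Review bot: `data.keyType` is passed verbatim to lego as `--key-type`, and because the option is declared as `types.str` in the first hunk, a mistyped value is only discovered when the cert service starts and lego rejects it, not at evaluation time. Consider narrowing the option to `types.enum [ "ec256" "ec384" "rsa2048" "rsa4096" "rsa8192" ]` (lego's currently documented values) while keeping the description's pointer to the lego docs, or at least stating in the description that an unsupported value fails at service start. The `let` block this binding belongs to begins and ends outside the hunk.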
@ -7,7 +7,7 @@
|
||||
<para>
|
||||
NixOS supports automatic domain validation & certificate retrieval and
|
||||
renewal using the ACME protocol. This is currently only implemented by and
|
||||
for Let's Encrypt. The alternative ACME client <literal>LEGo</literal> is
|
||||
for Let's Encrypt. The alternative ACME client <literal>lego</literal> is
|
||||
used under the hood.
|
||||
</para>
|
||||
<section xml:id="module-security-acme-prerequisites">
|
||||
|