nixos/acme: fix some descriptions, default acceptTerms to false

Lucas Savva 2020-01-19 18:24:04 +00:00
parent 61665e3363
commit 769fbf9254
2 changed files with 34 additions and 11 deletions


@ -97,18 +97,33 @@ let
'';
};
keyType = mkOption {
type = types.str;
default = "ec384";
description = ''
Key type to use for private keys.
For an up to date list of supported values check the --key-type option
at https://go-acme.github.io/lego/usage/cli/#usage.
'';
};
dnsProvider = mkOption {
type = types.nullOr types.str;
default = null;
example = "route53";
description = "DNS Challenge provider";
description = ''
DNS Challenge provider. For a list of supported providers, see the "code"
field of the DNS providers listed at https://go-acme.github.io/lego/dns/.
'';
};
credentialsFile = mkOption {
type = types.str;
type = types.path;
description = ''
File containing DNS provider credentials passed as environment variables.
See https://go-acme.github.io/lego/dns/ for more information.
Path to an EnvironmentFile for the cert's service containing any required and
optional environment variables for your selected dnsProvider.
To find out what values you need to set, consult the documentation at
https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider.
'';
example = "/var/src/secrets/example.org-route53-api-token";
};
@ -117,8 +132,8 @@ let
type = types.bool;
default = true;
description = ''
Toggles LEGo DNS propagation check, which is used alongside DNS-01
challenge to ensure the DNS entries required are available
Toggles lego DNS propagation check, which is used alongside DNS-01
challenge to ensure the DNS entries required are available.
'';
};
};
@ -192,10 +207,10 @@ in
acceptTerms = mkOption {
type = types.bool;
default = true;
default = false;
description = ''
Accept the current Let's Encrypt terms of service.
See https://letsencrypt.org/repository/
Accept the CA's terms of service. The default provier is Let's Encrypt,
you can find their ToS at https://letsencrypt.org/repository/
'';
};
@ -247,6 +262,14 @@ in
`security.acme.email` to register with the CA.
'';
}
{
assertion = cfg.acceptTerms;
message = ''
You must accept the CA's terms of service before using
the ACME module by setting `security.acme.acceptTerms`
to `true`. For Let's Encrypt's ToS see https://letsencrypt.org/repository/
'';
}
];
systemd.services = let
@ -260,7 +283,7 @@ in
spath = "/var/lib/acme/.lego";
rights = if data.allowKeysForGroup then "750" else "700";
email = if data.email == null then cfg.email else data.email;
globalOpts = [ "-d" data.domain "--email" email "--path" "." ]
globalOpts = [ "-d" data.domain "--email" email "--path" "." "--key-type" data.keyType ]
++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
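Review bot: In the credentialsFile hunk, `type = types.path;` also accepts a Nix path literal, and a path literal is copied into the world-readable Nix store at evaluation time, so a user who writes `credentialsFile = ./route53-token;` would expose the DNS provider credentials to every local account; the new description does not mention this, though the example already shows the safe string form. I'd append to the description `Set this to a string (as in the example), not a path literal, otherwise the file is copied into the world-readable Nix store.` The new acceptTerms description in the later hunk has a typo, `provier` should be `provider`. The `let` binding set these options belong to starts before the first hunk and ends after the last.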


@ -7,7 +7,7 @@
<para>
NixOS supports automatic domain validation &amp; certificate retrieval and
renewal using the ACME protocol. This is currently only implemented by and
for Let's Encrypt. The alternative ACME client <literal>LEGo</literal> is
for Let's Encrypt. The alternative ACME client <literal>lego</literal> is
used under the hood.
</para>
<section xml:id="module-security-acme-prerequisites">