diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 11775e6aef05..36cf4f7e6817 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -97,18 +97,33 @@ let
 '';
 };
 
+ keyType = mkOption {
+ type = types.str;
+ default = "ec384";
+ description = ''
+ Key type to use for private keys.
+ For an up to date list of supported values check the --key-type option
+ at https://go-acme.github.io/lego/usage/cli/#usage.
+ '';
+ };
+
 dnsProvider = mkOption {
 type = types.nullOr types.str;
 default = null;
 example = "route53";
- description = "DNS Challenge provider";
+ description = ''
+ DNS Challenge provider. For a list of supported providers, see the "code"
+ field of the DNS providers listed at https://go-acme.github.io/lego/dns/.
+ '';
 };
 
 credentialsFile = mkOption {
- type = types.str;
+ type = types.path;
 description = ''
- File containing DNS provider credentials passed as environment variables.
- See https://go-acme.github.io/lego/dns/ for more information.
+ Path to an EnvironmentFile for the cert's service containing any required and
+ optional environment variables for your selected dnsProvider.
+ To find out what values you need to set, consult the documentation at
+ https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider.
 '';
 example = "/var/src/secrets/example.org-route53-api-token";
 };
@@ -117,8 +132,8 @@ let
 type = types.bool;
 default = true;
 description = ''
- Toggles LEGo DNS propagation check, which is used alongside DNS-01
- challenge to ensure the DNS entries required are available
+ Toggles lego DNS propagation check, which is used alongside DNS-01
+ challenge to ensure the DNS entries required are available.
 '';
 };
 };
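Review bot: Switching `credentialsFile` to `types.path` makes it easy to assign a Nix path literal such as `./secrets/token`, which the evaluator copies into the world-readable Nix store, exposing the DNS API credentials to every local user; the description should say so, e.g. add `Do not use a Nix path literal here: it would be copied into the world-readable Nix store. Use an absolute path string to a file outside the store, as in the example.` The new `keyType` option is a free-form `types.str` that the `globalOpts` hunk at `@@ -260,7 +283,7` passes verbatim to lego as `--key-type`, so a typo is only caught when the service runs rather than at evaluation; consider `type = types.enum [ "ec256" "ec384" "rsa2048" "rsa4096" "rsa8192" ];` (the values lego currently documents) or at least a `types.strMatching` pattern. The enclosing submodule `options` set starts before this hunk.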
@@ -192,10 +207,10 @@ in
 acceptTerms = mkOption {
 type = types.bool;
- default = true;
+ default = false;
 description = ''
- Accept the current Let's Encrypt terms of service.
- See https://letsencrypt.org/repository/
+ Accept the CA's terms of service. The default provier is Let's Encrypt,
+ you can find their ToS at https://letsencrypt.org/repository/
 '';
 };
 
@@ -247,6 +262,14 @@ in
 `security.acme.email` to register with the CA.
 '';
 }
+ {
+ assertion = cfg.acceptTerms;
+ message = ''
+ You must accept the CA's terms of service before using
+ the ACME module by setting `security.acme.acceptTerms`
+ to `true`. For Let's Encrypt's ToS see https://letsencrypt.org/repository/
+ '';
+ }
 ];
 
 systemd.services = let
@@ -260,7 +283,7 @@ in
 spath = "/var/lib/acme/.lego";
 rights = if data.allowKeysForGroup then "750" else "700";
 email = if data.email == null then cfg.email else data.email;
- globalOpts = [ "-d" data.domain "--email" email "--path" "." ]
+ globalOpts = [ "-d" data.domain "--email" email "--path" "." "--key-type" data.keyType ]
 ++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
 ++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
 ++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml
index 963ac7a97c33..2b29c1174845 100644
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme.xml
@@ -7,7 +7,7 @@
 NixOS supports automatic domain validation & certificate retrieval and
 renewal using the ACME protocol. This is currently only implemented by and
- for Let's Encrypt. The alternative ACME client LEGo is
+ for Let's Encrypt. The alternative ACME client lego is
 used under the hood.
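Review bot: The new `acceptTerms` description has a typo, "provier", and the first added line should read `Accept the CA's terms of service. The default provider is Let's Encrypt,`. Since the assertion added at `@@ -247,6 +262,14` now makes an explicit `true` mandatory, it would help users to say so here as well, e.g. end the description with `The module refuses to evaluate until this is set to true.`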
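Review bot: Appending `"--key-type" data.keyType` to `globalOpts` changes the key parameters lego is asked for, but nothing in this hunk regenerates a key that already exists under `spath`; if the service only invokes lego's renew path when a certificate is present (the ExecStart logic is outside this hunk), changing `keyType` on a deployed system presumably takes effect only at the next renewal, and the `keyType` description should state that. A one-line comment on the new `globalOpts` line would also help the next reader: `# --key-type applies when lego generates a key; an existing key is not rotated by a config change alone`. The `let` binding that defines `globalOpts` starts before this hunk and its remaining `++` terms continue after it.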