# ACME/SSL

We now have our own Let's Encrypt-like service for internal certificates:

## How to trust the CA
```
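# Add the internal CA to the system-wide trust store.  Anything listed here is
# trusted for every hostname by every TLS client on the machine, so only CAs
# you operate belong in this list.
security.pki.certificateFiles = [
  (pkgs.fetchurl {
    # Plain http is acceptable only because fetchurl refuses the file unless
    # its content matches the pinned hash below; verify that hash out of band
    # before trusting it.
    url = "http://ca.r/ca.crt"; # can also be downloaded from another location such as github/cgit
    sha256 = "sha256-tEp7OCiFx+6CFj5WzNym7wiBfWfyioeyQLLndf6glDQ=";
  })
]; # terminating ';' was missing; the fragment is not valid inside a module without it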
```

## Get a certificate from the CA (the CA must be trusted first)

```
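# Request the vhost's certificate from the internal CA instead of the public
# default.  The CA must already be trusted (previous section): the directory
# URL is itself served over HTTPS, presumably by a certificate from that CA.
services.nginx.virtualHosts."myservice.r" = {
  enableACME = true;
  addSSL = true;
}; # terminating ';' was missing; the fragment is not valid inside a module without it
security.acme.certs."myservice.r".server = "https://ca.r/acme/acme/directory";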
```

## Example set-up

```
let
  host = "catalonia.r";
  internalAcme = "https://ca.r/acme/acme/directory";
in
{
  # Both ports must be reachable from the CA: 80 for plain http (and, by
  # default, the ACME HTTP challenge), 443 for TLS.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  security.acme = {
    acceptTerms = true;
    # Point this host's certificate at the internal CA rather than the
    # module's default (public) ACME server.
    certs.${host} = {
      email = "xkey@irc.r";
      server = internalAcme;
    };
  };

  services.nginx = {
    enable = true;
    # Use the nginx module's recommended TLS settings.
    recommendedTlsSettings = true;

    virtualHosts.${host} = {
      # Bind to the address the hostname resolves to, not to every interface.
      listen = [
        { addr = host; port = 80; }
        { addr = host; port = 443; ssl = true; }
      ];
      enableACME = true;
      addSSL = true;
    };
  };
}
```