blob: d09b4114234a2d5c785abb12575cca027b6f113f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
# ACME/SSL
we now have our own letsencrypt-like service for internal certificates:
## howto trust the CA
```
security.pki.certificateFiles = [(pkgs.fetchurl {
url = "http://ca.r/ca.crt"; # can be also downloaded from some other location like github/cgit
sha256 = "sha256-tEp7OCiFx+6CFj5WzNym7wiBfWfyioeyQLLndf6glDQ=";
})]
```
## get a certificate from CA (need to trust CA first)
```
services.nginx.virtualHosts."myservice.r" = {
enableACME = true;
addSSL = true;
}
security.acme.certs."myservice.r".server = "https://ca.r/acme/acme/directory";
```
don't forget to open the firewall ports.
|
