forked from mirrors/nixpkgs

nixos/acme: add syntax highlighting to code blocks

Sandro 2023-11-26 19:46:13 +01:00 committed by Sandro Jäckel
parent 5a09cb4b39
commit 5a64fb2799
No known key found for this signature in database
GPG key ID: 3AF5A43A3EECC2E5


@ -45,7 +45,7 @@ placeholder certificates in place of the real ACME certs. The placeholder
certs are overwritten when the ACME certs arrive. For
`foo.example.com` the config would look like this:
```
```nix
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin+acme@example.com";
services.nginx = {
@ -88,7 +88,7 @@ This example uses a vhost called `certs.example.com`, with
the intent that you will generate certs for all your vhosts and redirect
everyone to HTTPS.
```
```nix
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin+acme@example.com";
@ -136,7 +136,7 @@ services.httpd = {
Now you need to configure ACME to generate a certificate.
```
```nix
security.acme.certs."foo.example.com" = {
webroot = "/var/lib/acme/.challenges";
email = "foo@example.com";
@ -167,7 +167,7 @@ see the [lego docs](https://go-acme.github.io/lego/dns/)
for provider/server specific configuration values. For the sake of these
docs, we will provide a fully self-hosted example using bind.
```
```nix
services.bind = {
enable = true;
extraConfig = ''
@ -199,7 +199,7 @@ The {file}`dnskeys.conf` and {file}`certs.secret`
must be kept secure and thus you should not keep their contents in your
Nix config. Instead, generate them one time with a systemd service:
```
```nix
systemd.services.dns-rfc2136-conf = {
requiredBy = ["acme-example.com.service" "bind.service"];
before = ["acme-example.com.service" "bind.service"];
@ -250,7 +250,7 @@ first, however instead of setting the options for one certificate
you will set them as defaults
(e.g. [](#opt-security.acme.defaults.dnsProvider)).
```
```nix
# Configure ACME appropriately
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin+acme@example.com";
@ -287,7 +287,7 @@ There is no way to change the user the ACME module uses (it will always be
Below is an example configuration for OpenSMTPD, but this pattern
can be applied to any service.
```
```nix
# Configure ACME however you like (DNS or HTTP validation), adding
# the following configuration for the relevant certificate.
# Note: You cannot use `systemctl reload` here as that would mean
@ -340,7 +340,7 @@ to be regenerated. In this scenario lego will produce the error `JWS verificatio
The solution is to simply delete the associated accounts file and
re-run the affected service(s).
```
```shell
# Find the accounts folder for the certificate
systemctl cat acme-example.com.service | grep -Po 'accounts/[^:]*'
export accountdir="$(!!)"
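Review bot: the `export accountdir="$(!!)"` line in this block relies on interactive history expansion, so it only yields the accounts path when typed at a prompt directly after the `systemctl cat` line; run from a script, or in a shell with history expansion disabled, `!!` is not expanded and `accountdir` does not hold the path. Since the fence is now tagged `shell`, consider making the snippet self-contained by assigning the pipeline directly, e.g. `accountdir="$(systemctl cat acme-example.com.service | grep -Po 'accounts/[^:]*')"`, so the block behaves the same whether it is typed or pasted.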