diff --git a/nixos/doc/manual/configuration/configuration.xml b/nixos/doc/manual/configuration/configuration.xml
index afffd60bc48..1e488b59343 100644
--- a/nixos/doc/manual/configuration/configuration.xml
+++ b/nixos/doc/manual/configuration/configuration.xml
@@ -26,6 +26,7 @@ effect after you run nixos-rebuild.
+
diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix
index 844cba57cd8..bd558dac971 100644
--- a/nixos/doc/manual/default.nix
+++ b/nixos/doc/manual/default.nix
@@ -55,6 +55,7 @@ let
cp -prd $sources/* . # */
chmod -R u+w .
cp ${../../modules/services/databases/postgresql.xml} configuration/postgresql.xml
+ cp ${../../modules/security/acme.xml} configuration/acme.xml
cp ${../../modules/misc/nixos.xml} configuration/nixos.xml
ln -s ${optionsDocBook} options-db.xml
echo "${version}" > version
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 9b25f998400..5c1cde98d3d 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -80,6 +80,7 @@
./programs/xfs_quota.nix
./programs/zsh/zsh.nix
./rename.nix
+ ./security/acme.nix
./security/apparmor.nix
./security/apparmor-suid.nix
./security/ca.nix
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
new file mode 100644
index 00000000000..8f3a2ee073b
--- /dev/null
+++ b/nixos/modules/security/acme.nix
@@ -0,0 +1,202 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.security.acme;
+
+ certOpts = { ... }: {
+ options = {
+ webroot = mkOption {
+ type = types.str;
+ description = ''
+ Where the webroot of the HTTP vhost is located.
+ .well-known/acme-challenge/ directory
+ will be created automatically if it doesn't exist.
+ http://example.org/.well-known/acme-challenge/ must also
+ be available (notice unencrypted HTTP).
+ '';
+ };
+
+ email = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = "Contact email address for the CA to be able to reach you.";
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "root";
+ description = "User running the ACME client.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "root";
+ description = "Group running the ACME client.";
+ };
+
+ postRun = mkOption {
+ type = types.lines;
+ default = "";
+ example = "systemctl reload nginx.service";
+ description = ''
+ Commands to run after certificates are re-issued. Typically
+ the web server and other servers using certificates need to
+ be reloaded.
+ '';
+ };
+
+ plugins = mkOption {
+ type = types.listOf (types.enum [
+ "cert.der" "cert.pem" "chain.der" "chain.pem" "external_pem.sh"
+ "fullchain.der" "fullchain.pem" "key.der" "key.pem" "account_key.json"
+ ]);
+ default = [ "fullchain.pem" "key.pem" "account_key.json" ];
+ description = ''
+ Plugins to enable. With default settings simp_le will
+ store public certificate bundle in fullchain.pem
+ and private key in key.pem in its state directory.
+ '';
+ };
+
+ extraDomains = mkOption {
+ type = types.attrsOf (types.nullOr types.str);
+ default = {};
+ example = {
+ "example.org" = "/srv/http/nginx";
+ "mydomain.org" = null;
+ };
+ description = ''
+ Extra domain names for which certificates are to be issued, with their
+ own server roots if needed.
+ '';
+ };
+ };
+ };
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+ security.acme = {
+ directory = mkOption {
+ default = "/var/lib/acme";
+ type = types.str;
+ description = ''
+ Directory where certs and other state will be stored by default.
+ '';
+ };
+
+ validMin = mkOption {
+ type = types.int;
+ default = 30 * 24 * 3600;
+ description = "Minimum remaining validity before renewal in seconds.";
+ };
+
+ renewInterval = mkOption {
+ type = types.str;
+ default = "weekly";
+ description = ''
+ Systemd calendar expression when to check for renewal. See
+ systemd.time
+ 5.
+ '';
+ };
+
+ certs = mkOption {
+ default = { };
+ type = types.loaOf types.optionSet;
+ description = ''
+ Attribute set of certificates to get signed and renewed.
+ '';
+ options = [ certOpts ];
+ example = {
+ "example.com" = {
+ webroot = "/var/www/challenges/";
+ email = "foo@example.com";
+ extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; };
+ };
+ "bar.example.com" = {
+ webroot = "/var/www/challenges/";
+ email = "bar@example.com";
+ };
+ };
+ };
+ };
+ };
+
+ ###### implementation
+ config = mkMerge [
+ (mkIf (cfg.certs != { }) {
+
+ systemd.services = flip mapAttrs' cfg.certs (cert: data:
+ let
+ cpath = "${cfg.directory}/${cert}";
+ cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]
+ ++ optionals (data.email != null) [ "--email" data.email ]
+ ++ concatMap (p: [ "-f" p ]) data.plugins
+ ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
+
+ in nameValuePair
+ ("acme-${cert}")
+ ({
+ description = "ACME cert renewal for ${cert} using simp_le";
+ after = [ "network.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ SuccessExitStatus = [ "0" "1" ];
+ PermissionsStartOnly = true;
+ User = data.user;
+ Group = data.group;
+ PrivateTmp = true;
+ };
+ path = [ pkgs.simp_le ];
+ preStart = ''
+ mkdir -p '${cfg.directory}'
+ if [ ! -d '${cpath}' ]; then
+ mkdir -m 700 '${cpath}'
+ chown '${data.user}:${data.group}' '${cpath}'
+ fi
+ '';
+ script = ''
+ cd '${cpath}'
+ set +e
+ simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}
+ EXITCODE=$?
+ set -e
+ echo "$EXITCODE" > /tmp/lastExitCode
+ exit "$EXITCODE"
+ '';
+ postStop = ''
+ if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then
+ echo "Executing postRun hook..."
+ ${data.postRun}
+ fi
+ '';
+ })
+ );
+
+ systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
+ ("acme-${cert}")
+ ({
+ description = "timer for ACME cert renewal of ${cert}";
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = cfg.renewInterval;
+ Unit = "acme-simp_le-${cert}.service";
+ };
+ })
+ );
+ })
+
+ { meta.maintainers = with lib.maintainers; [ abbradar fpletz globin ];
+ meta.doc = ./acme.xml;
+ }
+ ];
+
+}
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml
new file mode 100644
index 00000000000..e32fa72c939
--- /dev/null
+++ b/nixos/modules/security/acme.xml
@@ -0,0 +1,69 @@
+
+
+SSL/TLS Certificates with ACME
+
+NixOS supports automatic domain validation & certificate
+retrieval and renewal using the ACME protocol. This is currently only
+implemented by and for Let's Encrypt. The alternative ACME client
+simp_le is used under the hood.
+
+Prerequisites
+
+You need to have a running HTTP server for verification. The server must
+have a webroot defined that can serve
+.well-known/acme-challenge. This directory must be
+writeable by the user that will run the ACME client.
+
+For instance, this generic snippet could be used for Nginx:
+
+
+http {
+ server {
+ server_name _;
+ listen 80;
+ listen [::]:80;
+
+ location /.well-known/acme-challenge {
+ root /var/www/challenges;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ }
+}
+
+
+
+
+
+Configuring
+
+To enable ACME certificate retrieval & renewal for a certificate for
+foo.example.com, add the following in your
+configuration.nix:
+
+
+security.acme.certs."foo.example.com" = {
+ webroot = "/var/www/challenges";
+ email = "foo@example.com";
+};
+
+
+
+The private key key.pem and certificate
+fullchain.pem will be put into
+/var/lib/acme/foo.example.com. The target directory can
+be configured with the option security.acme.directory.
+
+
+Refer to for all available configuration
+options for the security.acme module.
+
+
+
+
diff --git a/pkgs/tools/admin/simp_le/default.nix b/pkgs/tools/admin/simp_le/default.nix
index 5f945309aac..43e361ba647 100644
--- a/pkgs/tools/admin/simp_le/default.nix
+++ b/pkgs/tools/admin/simp_le/default.nix
@@ -1,16 +1,16 @@
{ stdenv, fetchFromGitHub, pythonPackages }:
pythonPackages.buildPythonPackage rec {
- name = "simp_le-20151205";
+ name = "simp_le-20151207";
src = fetchFromGitHub {
owner = "kuba";
repo = "simp_le";
- rev = "976a33830759e66610970f92f6ec1a656a2c8335";
- sha256 = "0bfa5081rmjjg9sii6pn2dskd1wh0dgrf9ic9hpisawrk0y0739i";
+ rev = "ac836bc0af988cb14dc0a83dc2039e7fa541b677";
+ sha256 = "0r07mlis81n0pmj74wjcvjpi6i3lkzs6hz8iighhk8yymn1a8rbn";
};
- propagatedBuildInputs = with pythonPackages; [ acme cryptography pytz requests2 ];
+ propagatedBuildInputs = with pythonPackages; [ acme ];
meta = with stdenv.lib; {
homepage = https://github.com/kuba/simp_le;