From 7e5617aa7a0401e3d765489295d22caf9926a90b Mon Sep 17 00:00:00 2001
From: Jason Woofenden
Date: Sat, 3 Sep 2022 15:05:11 -0400
Subject: [PATCH] nixos/doc: fix acme dns-01 example
Summary: fix errors with example code in the manual that shows how to set up DNS-01 verification via the acme protocol, e.g. for those who want to get wildcard certificates from Let's Encrypt. Fix syntax error in nix arrays (there should not be commas.) Fix permissions on /var/lib/secrets so it can be read by bind daemon. Without this fix bind won't start. Add the missing feature: put the generated secret into certs.secret
---
 nixos/modules/security/acme/doc.xml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/nixos/modules/security/acme/doc.xml b/nixos/modules/security/acme/doc.xml
index 4817f7a7fc6b..1439594a5aca 100644
--- a/nixos/modules/security/acme/doc.xml
+++ b/nixos/modules/security/acme/doc.xml
@@ -237,8 +237,8 @@ services.bind = {
 systemd.services.dns-rfc2136-conf = {
- requiredBy = ["acme-example.com.service", "bind.service"];
- before = ["acme-example.com.service", "bind.service"];
+ requiredBy = ["acme-example.com.service" "bind.service"];
+ before = ["acme-example.com.service" "bind.service"];
 unitConfig = {
 ConditionPathExists = "!/var/lib/secrets/dnskeys.conf";
 };
@@ -249,18 +249,19 @@ systemd.services.dns-rfc2136-conf = {
 path = [ pkgs.bind ];
 script = ''
 mkdir -p /var/lib/secrets
+ chmod 755 /var/lib/secrets
 tsig-keygen rfc2136key.example.com > /var/lib/secrets/dnskeys.conf
 chown named:root /var/lib/secrets/dnskeys.conf
 chmod 400 /var/lib/secrets/dnskeys.conf
- # Copy the secret value from the dnskeys.conf, and put it in
- # RFC2136_TSIG_SECRET below
+ # extract secret value from the dnskeys.conf
+ while read x y; do if [ "$x" = "secret" ]; then secret="''${y:1:''${#y}-3}"; fi; done < /var/lib/secrets/dnskeys.conf
 cat > /var/lib/secrets/certs.secret << EOF
 RFC2136_NAMESERVER='127.0.0.1:53'
 RFC2136_TSIG_ALGORITHM='hmac-sha256.'
 RFC2136_TSIG_KEY='rfc2136key.example.com'
- RFC2136_TSIG_SECRET='your secret key'
+ RFC2136_TSIG_SECRET='$secret'
 EOF
 chmod 400 /var/lib/secrets/certs.secret
 '';
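Review bot: The added `while read x y; do … done < /var/lib/secrets/dnskeys.conf` line recovers the key by slicing fixed offsets off the `secret "…";` token, so any deviation in tsig-keygen's output (whitespace before the `;`, a differently quoted value, or no `secret` line at all) leaves `$secret` truncated or empty and that value is written silently into certs.secret; since `ConditionPathExists = "!/var/lib/secrets/dnskeys.conf"` in the hunk above keeps the unit from ever running again, the bad credential persists and only shows up later as a failed DNS-01 challenge. A check after the loop, `[ -n "$secret" ] || { echo "no secret found in dnskeys.conf" >&2; exit 1; }`, would fail the oneshot instead of producing an unusable credentials file. The new `chmod 755 /var/lib/secrets` also makes the secrets directory searchable by every local user; the 0400 files inside stay unreadable, but if the directory holds nothing else, `chown root:named /var/lib/secrets` with `chmod 750 /var/lib/secrets` gives bind the traverse access it needs without exposing the file names. The dns-rfc2136-conf service definition begins above this hunk.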