From NixOS Wiki
Jump to: navigation, search

NixOS supports automatic domain validation & certificate retrieval and renewal using the ACME protocol. Any provider can be used, but by default NixOS uses Let's Encrypt. The alternative ACME client lego is used under the hood.


Following example setup generates certificates using DNS validation. Let's Encrypt ToS has to be accepted. Further the contact mail is defined.

security.acme = {
  acceptTerms = true; = "";
  certs."" = {
    dnsProvider = "inwx";
    # Suplying password files like this will make your credentials world-readable
    # in the Nix store. This is for demonstration purpose only, do not use this in production.
    credentialsFile = "${pkgs.writeText "inwx-creds" ''

Certificates are getting generated for the domain using the DNS provider inwx. See upstream documentation on available providers and their specific configuration for the credentialsFile option.


After successfull generation, certificates can be found in the directory /var/lib/acme. To use certificates in other applications, permissions can be adjusted by setting a group name as a string or reference it.

security.acme.certs."".group =;

See also