NixOS manual contains obsolete ACME instructions #20698

Closed
joepie91 opened this issue Nov 24, 2016 · 2 comments

@joepie91
Contributor

Issue description

The NixOS manual provides the following example nginx configuration for ACME setup:

    http {
      server {
        server_name _;
        listen 80;
        listen [::]:80;

        location /.well-known/acme-challenge {
          root /var/www/challenges;
        }

        location / {
          return 301 https://$host$request_uri;
        }
      }
    }

... but the GitLab section suggests that an enableACME option exists:

    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      virtualHosts."git.example.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
      };
    };

... which appears to generate the configuration from the example code automatically.

Should the ACME section not be updated to suggest the enableACME option instead?

Steps to reproduce

N/A

Technical details

  • Manual version: NixOS 16.09

@joepie91
Contributor Author

joepie91 commented Jan 9, 2017

Hmm, one request for clarification; the new text states that nginx still needs to be restarted "after the ACME certificates arrive".

Does this refer to just the setup phase, or would it need to occur after every certificate renewal (e.g. every 3 months for Let's Encrypt)?

@fpletz
Member

fpletz commented Jan 9, 2017

Renewals should be fine. If you change other things, like additional domains, it seems to break, although I never observed this myself: #20947.

Plan is to fix/check this before 17.03 and update the docs accordingly.
