+ # lego doesn't check key type after initial creation, we
+ # need to check for him
+ if [ -L ${spath}/accounts -o -d ${spath}/accounts ]; then
+ if [ -L ${spath}/accounts -a "$(readlink ${spath}/accounts)" != ../${accountsDir} ]; then
+ ln -sfn ../${accountsDir} ${spath}/accounts
+ mv -f ${spath}/certificates/${keyName}.key ${spath}/certificates/${keyName}.key.old
+ fi
+ else
+ ln -s ../${accountsDir} ${spath}/accounts
+ fi
+ # check if domain changed: lego doesn't check by itself
+ if [ ! -e ${spath}/certificates/${keyName}.crt -o ! -e ${spath}/certificates/${keyName}.key -o ! -e "${spath}/accounts/acme-v02.api.letsencrypt.org/${data.email}/account.json" ]; then
+ ${pkgs.lego}/bin/lego ${runOpts}
+ elif [ ! -f ${spath}/currentDomains -o "$(cat ${spath}/currentDomains)" != "${hashOptions}" ]; then
+ ${pkgs.lego}/bin/lego ${forceRenewOpts}
+ else
+ ${pkgs.lego}/bin/lego ${renewOpts}
+ fi
+ '');
+ ExecStartPost =
+ let
+ ISRG_Root_X1 = pkgs.fetchurl {
+ url = "https://letsencrypt.org/certs/isrgrootx1.pem";
+ sha256 = "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
+ };
+ fix_ISRG_Root_X1 = pkgs.writeScript "fix-pem" ''
+ cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
+ sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" chain.pem fullchain.pem full.pem
+ '';
+ script = pkgs.writeScript "acme-post-start" ''
+ #!${pkgs.runtimeShell} -e
+ install -m 0755 -o root -g root -d /var/lib/acme
+ install -m 0${dirFileMode} -o ${data.user} -g ${data.group} -d /var/lib/acme/${k}
+ cd /var/lib/acme/${k}
+
+ # Test that existing cert is older than new cert
+ KEY=${spath}/certificates/${keyName}.key
+ KEY_CHANGED=no
+ if [ -e $KEY -a $KEY -nt key.pem ]; then
+ KEY_CHANGED=yes
+ cp -p ${spath}/certificates/${keyName}.key key.pem
+ cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
+ cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
+ ln -sf fullchain.pem cert.pem
+ cat key.pem fullchain.pem > full.pem
+ echo -n "${hashOptions}" > ${spath}/currentDomains
+ fi
+
+ chmod ${fileMode} *.pem
+ chown '${data.user}:${data.group}' *.pem
+ ${fix_ISRG_Root_X1}
+
+ if [ "$KEY_CHANGED" = "yes" ]; then
+ : # noop in case postRun is empty
+ ${data.postRun}
+ fi
+ '';
+ in
+ lib.mkForce "+${script}";
+ };