+ dirFileMode = if data.allowKeysForGroup then "750" else "700";
+ globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
+ ++ lib.optionals (cfg.acceptTerms) [ "--accept-tos" ]
+ ++ lib.optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
+ ++ lib.concatLists (lib.mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
+ ++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" config.myServices.certificates.webroot ])
+ ++ lib.optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
+ certOpts = lib.optionals data.ocspMustStaple [ "--must-staple" ];
+ runOpts = lib.escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts);
+ renewOpts = lib.escapeShellArgs (globalOpts ++
+ [ "renew" "--days" (builtins.toString cfg.validMinDays) ] ++
+ certOpts ++ data.extraLegoRenewFlags);
+ forceRenewOpts = lib.escapeShellArgs (globalOpts ++
+ [ "renew" "--days" "999" ] ++
+ certOpts ++ data.extraLegoRenewFlags);
+ keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
+ in {
+ User = lib.mkForce "acme";
+ Group = lib.mkForce "acme";
+ WorkingDirectory = lib.mkForce spath;
+ StateDirectory = lib.mkForce "acme/.lego/${k} acme/.lego/${accountsDir}";
+ ExecStartPre =
+ let
+ script = pkgs.writeScript "acme-prestart" ''
+ #!${pkgs.runtimeShell} -e
+ install -m 0755 -o acme -g acme -d ${config.myServices.certificates.webroot}
+ '';
+ in
+ lib.mkForce "+${script}";
+ ExecStart = lib.mkForce (pkgs.writeScript "acme-start" ''