X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Facme2.nix;h=b22e4ccc3e7687f51b103f82656cdb5ae743bfd7;hb=22e09a87fb538a0eaf81837750b0948f26f79cf1;hp=408c098eaa9de71d393a3e4b91948e2fc6a45863;hpb=0540384561541f94435ad0f6e268e6989fb1d37a;p=perso%2FImmae%2FConfig%2FNix%2FNUR.git
diff --git a/modules/acme2.nix b/modules/acme2.nix
index 408c098e..b22e4ccc 100644
--- a/modules/acme2.nix
+++ b/modules/acme2.nix
@@ -232,13 +232,25 @@ in
 # gets changed, the activation phase restarts it, meaning
 # the permissions of the StateDirectory get adjusted
 # according to the specified group
- RemainAfterExit = true;
+ # Edit: Timers will never run because of this
+ # RemainAfterExit = true;
 SuccessExitStatus = [ "0" "1" ];
 User = data.user;
 Group = data.group;
 PrivateTmp = true;
 StateDirectory = lpath;
 StateDirectoryMode = rights;
+ ExecStartPre =
+ let
+ script = pkgs.writeScript "acme-pre-start" ''
+ #!${pkgs.runtimeShell} -e
+ mkdir -p '${data.webroot}/.well-known/acme-challenge'
+ chmod a+w '${data.webroot}/.well-known/acme-challenge'
+ #doesn't work for multiple concurrent runs
+ #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
+ '';
+ in
+ "+${script}";
 WorkingDirectory = "/var/lib/${lpath}";
 ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}";
 ExecStartPost =
@@ -308,6 +320,7 @@ in
 in
 servicesAttr;
+ # FIXME: this doesn't work for multiple users
 systemd.tmpfiles.rules = flip mapAttrsToList cfg.certs (cert: data:
 "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}");
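Review bot: `chmod a+w` on the challenge directory in the new ExecStartPre script makes it world-writable with no sticky bit, so any local account, not only `data.user`, can delete or replace another run's challenge files (a renewal denial of service) or drop a symlink that the web server may serve under `/.well-known/acme-challenge/` if it follows symlinks, which is not visible here. Since the `+` prefix already runs this script as root, `chmod 1777 '${data.webroot}/.well-known/acme-challenge'` keeps the multi-user intent that the commented-out `chown -R` gave up on while at least limiting removal and rename to each file's owner; a group-writable directory (`chmod 2775` plus a `chgrp`) would be stricter if all certificate users share one group, which the FIXME in the second hunk suggests is not yet the case. The three comment lines kept above the now-commented `RemainAfterExit` still justify a setting that is gone; I would replace them with `# RemainAfterExit is intentionally unset: with it set the timer never re-triggers this service`. The enclosing serviceConfig attribute set starts and ends outside the hunk.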