X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Facme2.nix;h=b22e4ccc3e7687f51b103f82656cdb5ae743bfd7;hb=441da8aac378f401625e82caf281fa0e26128310;hp=408c098eaa9de71d393a3e4b91948e2fc6a45863;hpb=981fa80354fd6f00f49446777c38f77bd8a65f65;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/acme2.nix b/modules/acme2.nix
index 408c098..b22e4cc 100644
--- a/modules/acme2.nix
+++ b/modules/acme2.nix
@@ -232,13 +232,25 @@ in
 # gets changed, the activation phase restarts it, meaning
 # the permissions of the StateDirectory get adjusted
 # according to the specified group
- RemainAfterExit = true;
+ # Edit: Timers will never run because of this
+ # RemainAfterExit = true;
 SuccessExitStatus = [ "0" "1" ];
 User = data.user;
 Group = data.group;
 PrivateTmp = true;
 StateDirectory = lpath;
 StateDirectoryMode = rights;
+ ExecStartPre =
+ let
+ script = pkgs.writeScript "acme-pre-start" ''
+ #!${pkgs.runtimeShell} -e
+ mkdir -p '${data.webroot}/.well-known/acme-challenge'
+ chmod a+w '${data.webroot}/.well-known/acme-challenge'
+ #doesn't work for multiple concurrent runs
+ #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
+ '';
+ in
+ "+${script}";
 WorkingDirectory = "/var/lib/${lpath}";
 ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}";
 ExecStartPost =
@@ -308,6 +320,7 @@ in
 in servicesAttr;
+ # FIXME: this doesn't work for multiple users
 systemd.tmpfiles.rules = flip mapAttrsToList cfg.certs (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}");
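Review bot: The `chmod a+w` in the new ExecStartPre script makes `${data.webroot}/.well-known/acme-challenge` writable by every local account, and since this sits under `data.webroot` it is presumably the directory the web server answers HTTP-01 challenges from, so any local user can drop a challenge response there and obtain a certificate for the host through their own ACME account. The script already runs as root (the `+` prefix), so it can hand the directory to the intended writer instead of opening it to everyone: replace the chmod with `chgrp '${data.group}' '${data.webroot}/.well-known/acme-challenge'` followed by `chmod 1770 '${data.webroot}/.well-known/acme-challenge'` (sticky bit so one cert's user cannot remove another's token files). If several certs sharing a webroot use different `data.group` values, which the commented-out chown and its "multiple concurrent runs" remark suggest, a single dedicated group that every `data.user` belongs to should be used in place of `${data.group}`. The enclosing service definition starts and ends outside the hunk.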