#chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
'';
in
- "+${script}";
+ "+${script}";
+ # This is a workaround to
+ # https://github.com/NixOS/nixpkgs/issues/84409
+ # https://github.com/NixOS/nixpkgs/issues/84633
+ serviceConfig.RemainAfterExit = lib.mkForce false;
+ serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego";
+ serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k}";
+ serviceConfig.ExecStartPost =
+ let
+ keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
+ fileMode = if data.allowKeysForGroup then "640" else "600";
+ spath = "/var/lib/acme/${k}/.lego";
+ script = pkgs.writeScript "acme-post-start" ''
+ #!${pkgs.runtimeShell} -e
+ cd /var/lib/acme/${k}
+
+ # Test that existing cert is older than new cert
+ KEY=${spath}/certificates/${keyName}.key
+ if [ -e $KEY -a $KEY -nt key.pem ]; then
+ cp -p ${spath}/certificates/${keyName}.key key.pem
+ cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
+ cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
+ ln -sf fullchain.pem cert.pem
+ cat key.pem fullchain.pem > full.pem
+
+ ${data.postRun}
+ fi
+
+ chmod ${fileMode} *.pem
+ chown '${data.user}:${data.group}' *.pem
+ '';
+ in
+ lib.mkForce "+${script}";
+
}
) config.security.acme.certs //
{