Use pools instead of deprecated poolConfigs for php
index 408c098eaa9de71d393a3e4b91948e2fc6a45863..b22e4ccc3e7687f51b103f82656cdb5ae743bfd7 100644 (file)
@@ -232,13 +232,25 @@ in
                     # gets changed, the activation phase restarts it, meaning
                     # the permissions of the StateDirectory get adjusted
                     # according to the specified group
-                    RemainAfterExit = true;
+                    # Edit: Timers will never run because of this
+                    # RemainAfterExit = true;
                     SuccessExitStatus = [ "0" "1" ];
                     User = data.user;
                     Group = data.group;
                     PrivateTmp = true;
                     StateDirectory = lpath;
                     StateDirectoryMode = rights;
+                    ExecStartPre =
+                      let
+                        script = pkgs.writeScript "acme-pre-start" ''
+                          #!${pkgs.runtimeShell} -e
+                          mkdir -p '${data.webroot}/.well-known/acme-challenge'
+                          chmod a+w '${data.webroot}/.well-known/acme-challenge'
+                          #doesn't work for multiple concurrent runs
+                          #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
+                        '';
+                      in
+                        "+${script}";
                     WorkingDirectory = "/var/lib/${lpath}";
                     ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}";
                     ExecStartPost =
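Review bot: The new pre-start script runs as root (the `+` prefix) and makes `${data.webroot}/.well-known/acme-challenge` world-writable with `chmod a+w`, without a sticky bit, so any local account can create, overwrite or delete challenge files in a directory the web server publishes, and can serve arbitrary content under that path. The commented-out `chown -R` and its "multiple concurrent runs" remark suggest the goal is letting several cert users share the directory; a group-owned setgid directory achieves that without opening it to everyone, e.g. `chgrp '${data.group}' '${data.webroot}/.well-known/acme-challenge'` followed by `chmod 2775 '${data.webroot}/.well-known/acme-challenge'`, assuming certs that share a webroot use the same `data.group` (cannot confirm from this hunk). If world-writable really is required, `chmod 1777` at least stops one user from removing another user's challenge files. Since the script now recreates and re-modes the directory on every run, a comment stating that it intentionally overrides the `systemd.tmpfiles` rule's ownership/mode would help the next reader; the enclosing service definition continues past this hunk.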
@@ -308,6 +320,7 @@ in
         in
           servicesAttr;
 
+      # FIXME: this doesn't work for multiple users
       systemd.tmpfiles.rules =
         flip mapAttrsToList cfg.certs
         (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}");
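Review bot: The added FIXME is right that this rule does not handle multiple users, and the reason is visible here: `mapAttrsToList` emits one `d` line per cert, so two certs sharing a webroot produce duplicate lines for the same path with possibly different `${data.user} ${data.group}`, which systemd-tmpfiles reports as a duplicate and resolves by keeping only one. The mode field is left as `-`, so the directory is created 0755 and whichever owner wins is the only writer; a shared group plus an explicit setgid mode, `"d ${data.webroot}/.well-known/acme-challenge 2775 ${data.user} ${data.group}"`, would make the intended sharing model explicit, if the certs indeed share a group (not determinable from this hunk). Replacing the bare FIXME with a comment that names the duplicate-path problem and the expected ownership model would also save the next maintainer from rediscovering it.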