Make acme-challenge writable

1 files changed, 12 insertions, 0 deletions

diff --git a/modules/acme2.nix b/modules/acme2.nix
index 408c098..6c6d9a7 100644
--- a/modules/acme2.nix
+++ b/modules/acme2.nix
@@ -239,6 +239,17 @@ in
                     PrivateTmp = true;
                     StateDirectory = lpath;
                     StateDirectoryMode = rights;
+                    ExecStartPre =
+                      let
+                        script = pkgs.writeScript "acme-pre-start" ''
+                          #!${pkgs.runtimeShell} -e
+                          mkdir -p '${data.webroot}/.well-known/acme-challenge'
+                          chmod a+w '${data.webroot}/.well-known/acme-challenge'
+                          #doesn't work for multiple concurrent runs
+                          #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
+                        '';
+                      in
+                        "+${script}";
                     WorkingDirectory = "/var/lib/${lpath}";
                     ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}";
                     ExecStartPost =
@@ -308,6 +319,7 @@ in
         in
           servicesAttr;
 
+      # FIXME: this doesn't work for multiple users
       systemd.tmpfiles.rules =
         flip mapAttrsToList cfg.certs
         (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}");