Add workaround for acme

1 files changed, 34 insertions, 1 deletions

diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index c68bbee..5b86b6d 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -68,7 +68,40 @@
               #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
             '';
           in
-            "+${script}";
+          "+${script}";
+        # This is a workaround to
+        # https://github.com/NixOS/nixpkgs/issues/84409
+        # https://github.com/NixOS/nixpkgs/issues/84633
+        serviceConfig.RemainAfterExit = lib.mkForce false;
+        serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego";
+        serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k}";
+        serviceConfig.ExecStartPost =
+          let
+            keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
+            fileMode = if data.allowKeysForGroup then "640" else "600";
+            spath = "/var/lib/acme/${k}/.lego";
+            script = pkgs.writeScript "acme-post-start" ''
+              #!${pkgs.runtimeShell} -e
+              cd /var/lib/acme/${k}
+
+              # Test that existing cert is older than new cert
+              KEY=${spath}/certificates/${keyName}.key
+              if [ -e $KEY -a $KEY -nt key.pem ]; then
+                cp -p ${spath}/certificates/${keyName}.key key.pem
+                cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
+                cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
+                ln -sf fullchain.pem cert.pem
+                cat key.pem fullchain.pem > full.pem
+
+                ${data.postRun}
+              fi
+
+              chmod ${fileMode} *.pem
+              chown '${data.user}:${data.group}' *.pem
+            '';
+          in
+            lib.mkForce "+${script}";
+
       }
     ) config.security.acme.certs //
     {