aboutsummaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-02-21 23:27:06 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-02-21 23:27:06 +0100
commit2b9e8e578718557772da727355f1d9a1d34b0e1c (patch)
treeab480b601dcf3b2253803eb391193b2faf3deaf6 /modules
parent3207c879221a28937a80de47d089e79587483dd6 (diff)
downloadNix-2b9e8e578718557772da727355f1d9a1d34b0e1c.tar.gz
Nix-2b9e8e578718557772da727355f1d9a1d34b0e1c.tar.zst
Nix-2b9e8e578718557772da727355f1d9a1d34b0e1c.zip
Make acme-challenge writable
Diffstat (limited to 'modules')
-rw-r--r--modules/acme2.nix12
1 files changed, 12 insertions, 0 deletions
diff --git a/modules/acme2.nix b/modules/acme2.nix
index 408c098..6c6d9a7 100644
--- a/modules/acme2.nix
+++ b/modules/acme2.nix
@@ -239,6 +239,17 @@ in
239 PrivateTmp = true; 239 PrivateTmp = true;
240 StateDirectory = lpath; 240 StateDirectory = lpath;
241 StateDirectoryMode = rights; 241 StateDirectoryMode = rights;
242 ExecStartPre =
243 let
244 script = pkgs.writeScript "acme-pre-start" ''
245 #!${pkgs.runtimeShell} -e
246 mkdir -p '${data.webroot}/.well-known/acme-challenge'
247 chmod a+w '${data.webroot}/.well-known/acme-challenge'
248 #doesn't work for multiple concurrent runs
249 #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
250 '';
251 in
252 "+${script}";
242 WorkingDirectory = "/var/lib/${lpath}"; 253 WorkingDirectory = "/var/lib/${lpath}";
243 ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}"; 254 ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}";
244 ExecStartPost = 255 ExecStartPost =
@@ -308,6 +319,7 @@ in
308 in 319 in
309 servicesAttr; 320 servicesAttr;
310 321
322 # FIXME: this doesn't work for multiple users
311 systemd.tmpfiles.rules = 323 systemd.tmpfiles.rules =
312 flip mapAttrsToList cfg.certs 324 flip mapAttrsToList cfg.certs
313 (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}"); 325 (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}");