summaryrefslogtreecommitdiff
path: root/modules/acme2.nix
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-02-21 23:27:06 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-04-25 00:04:49 +0200
commit5a979e9806fe8e38d312d589c8ff199b173f7911 (patch)
treee6516d3c2196f5619835944567eef2eccd9e7b88 /modules/acme2.nix
parentb27b9ddfe41ef7add0c2be7fa252d19f1bb886a8 (diff)
downloadNUR-5a979e9806fe8e38d312d589c8ff199b173f7911.tar.gz
NUR-5a979e9806fe8e38d312d589c8ff199b173f7911.tar.zst
NUR-5a979e9806fe8e38d312d589c8ff199b173f7911.zip
Make acme-challenge writable
Diffstat (limited to 'modules/acme2.nix')
-rw-r--r--modules/acme2.nix12
1 files changed, 12 insertions, 0 deletions
diff --git a/modules/acme2.nix b/modules/acme2.nix
index 408c098e..6c6d9a7a 100644
--- a/modules/acme2.nix
+++ b/modules/acme2.nix
@@ -239,6 +239,17 @@ in
239 PrivateTmp = true; 239 PrivateTmp = true;
240 StateDirectory = lpath; 240 StateDirectory = lpath;
241 StateDirectoryMode = rights; 241 StateDirectoryMode = rights;
242 ExecStartPre =
243 let
244 script = pkgs.writeScript "acme-pre-start" ''
245 #!${pkgs.runtimeShell} -e
246 mkdir -p '${data.webroot}/.well-known/acme-challenge'
247 chmod a+w '${data.webroot}/.well-known/acme-challenge'
248 #doesn't work for multiple concurrent runs
249 #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
250 '';
251 in
252 "+${script}";
242 WorkingDirectory = "/var/lib/${lpath}"; 253 WorkingDirectory = "/var/lib/${lpath}";
243 ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}"; 254 ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}";
244 ExecStartPost = 255 ExecStartPost =
@@ -308,6 +319,7 @@ in
308 in 319 in
309 servicesAttr; 320 servicesAttr;
310 321
322 # FIXME: this doesn't work for multiple users
311 systemd.tmpfiles.rules = 323 systemd.tmpfiles.rules =
312 flip mapAttrsToList cfg.certs 324 flip mapAttrsToList cfg.certs
313 (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}"); 325 (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}");