From 5a979e9806fe8e38d312d589c8ff199b173f7911 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Fri, 21 Feb 2020 23:27:06 +0100
Subject: Make acme-challenge writable
---
 modules/acme2.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/modules/acme2.nix b/modules/acme2.nix
index 408c098e..6c6d9a7a 100644
--- a/modules/acme2.nix
+++ b/modules/acme2.nix
@@ -239,6 +239,17 @@ in
 PrivateTmp = true;
 StateDirectory = lpath;
 StateDirectoryMode = rights;
+ ExecStartPre =
+ let
+ script = pkgs.writeScript "acme-pre-start" ''
+ #!${pkgs.runtimeShell} -e
+ mkdir -p '${data.webroot}/.well-known/acme-challenge'
+ chmod a+w '${data.webroot}/.well-known/acme-challenge'
+ #doesn't work for multiple concurrent runs
+ #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
+ '';
+ in
+ "+${script}";
 WorkingDirectory = "/var/lib/${lpath}";
 ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}";
 ExecStartPost =
@@ -308,6 +319,7 @@ in
 in
 servicesAttr;
 
+ # FIXME: this doesn't work for multiple users
 systemd.tmpfiles.rules = flip mapAttrsToList cfg.certs (cert: data:
 "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}");
 
-- 
cgit v1.2.3
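Review bot: The `chmod a+w '${data.webroot}/.well-known/acme-challenge'` line in the new ExecStartPre script makes the challenge directory world-writable with no sticky bit, so every local account on the host can create, replace or delete challenge responses there, not only the ACME client user — and because the web server serves that path, whatever is placed there is what the CA validates. The commented-out `chown -R` suggests the real need is several cert services running as different users sharing one webroot; a dedicated group containing those accounts with `chmod g+ws` (setgid so new files inherit the group, the web server needing only read/execute) restricts writes to the accounts that need them, and if world-write is kept for now, `chmod 1777` at least stops users removing each other's files. The script runs as root via the `+` prefix and `mkdir -p`/`chmod` walk the configured `data.webroot`, so it is worth confirming that the webroot's parent directories are not themselves writable by the service users. The `systemd.tmpfiles.rules` entry in the second hunk creates the same directory with the default mode and `${data.user}` ownership, so the two declarations now disagree at every service start; setting the mode in the tmpfiles rule (or dropping it) keeps the permission policy in one place. The enclosing attribute set that holds these service options starts and ends outside the hunk.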