author | Lucas Savva <lucas@m1cr0man.com> | 2020-04-13 23:54:44 +0100 |
---|---|---|
committer | Lucas Savva <lucas@m1cr0man.com> | 2020-04-14 00:15:16 +0100 |
commit | 827d5e6b4448559e3fc13cfbfd122c67497cc43c (patch) | |
tree | f0f8008154573cfc29e0ba0f06607593f53fe0c1 /nixos/modules/security/acme.nix | |
parent | 81a6a80436e5e2f6746e8029363521696bc32626 (diff) | |
acme: share accounts between certificates
There are strict rate limits on account creation for Let's Encrypt certificates. It is important to reuse account credentials when possible.
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r-- | nixos/modules/security/acme.nix | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index df5f33c94617..4af373ef7dfe 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -330,13 +330,14 @@ in
 User = data.user;
 Group = data.group;
 PrivateTmp = true;
- StateDirectory = "acme/.lego/${cert} ${lpath}";
+ StateDirectory = "acme/.lego/${cert} acme/.lego/accounts ${lpath}";
 StateDirectoryMode = if data.allowKeysForGroup then "750" else "700";
 WorkingDirectory = spath;
 # Only try loading the credentialsFile if the dns challenge is enabled
 EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null;
 ExecStart = pkgs.writeScript "acme-start" ''
 #!${pkgs.runtimeShell} -e
+ test -L ${spath}/accounts -o -d ${spath}/accounts || ln -s ../accounts ${spath}/accounts
 ${pkgs.lego}/bin/lego ${renewOpts} || ${pkgs.lego}/bin/lego ${runOpts}
 '';
 ExecStartPost =
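Review bot: The shared `acme/.lego/accounts` directory is now listed in every per-certificate unit's `StateDirectory` while each unit still sets its own `User = data.user`, `Group = data.group` and a per-cert `StateDirectoryMode`; since systemd re-applies the unit's owner and mode to each listed state directory on start, two certificates configured with different users (or different `allowKeysForGroup` values) would alternately re-own and re-mode the directory holding the ACME account private key, so the key becomes readable by whichever user ran last and the other unit may then fail to read it. This deserves either an assertion that all certificates share one user/group, or at least a comment on the new `StateDirectory` line such as `# accounts/ holds the ACME account key and is shared by all certs: they must run as the same user/group`. Separately, `test -L … -o -d …` uses the obsolescent binary `-o` form; `test -L ${spath}/accounts || test -d ${spath}/accounts || ln -s ../accounts ${spath}/accounts` is the portable spelling and also makes clear that a dangling symlink is deliberately accepted. The enclosing `serviceConfig` attribute set begins and ends outside the hunk.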