author | Jörg Thalheim <joerg@thalheim.io> | 2020-02-14 02:14:42 +0000 |
---|---|---|
committer | Jörg Thalheim <joerg@thalheim.io> | 2020-04-09 08:26:07 +0100 |
commit | d7ff6ab94aae4deadbe26d20900e8a0d19ebc860 (patch) | |
tree | 1da640523737533a608ef72500986e854d1dfa9d /nixos/modules/security | |
parent | 98790dab3b37ee5d86ebfcd4b8930b412eed8325 (diff) | |
acme: create certificates in subdirectory
This allows having multiple certificates with the same common name. Lego names the certificate in its internal directory after the common name, so two certificates with the same common name would otherwise collide. Fixes #84409
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/acme.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 87217f1e3b90..df5f33c94617 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -301,7 +301,7 @@ in
 # StateDirectory must be relative, and will be created under /var/lib by systemd
 lpath = "acme/${cert}";
 apath = "/var/lib/${lpath}";
-spath = "/var/lib/acme/.lego";
+spath = "/var/lib/acme/.lego/${cert}";
 fileMode = if data.allowKeysForGroup then "640" else "600";
 globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
 ++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
@@ -330,7 +330,7 @@ in
 User = data.user;
 Group = data.group;
 PrivateTmp = true;
-StateDirectory = "acme/.lego ${lpath}";
+StateDirectory = "acme/.lego/${cert} ${lpath}";
 StateDirectoryMode = if data.allowKeysForGroup then "750" else "700";
 WorkingDirectory = spath;
 # Only try loading the credentialsFile if the dns challenge is enabled |
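Review bot: Existing lego state under /var/lib/acme/.lego is not migrated to the new per-certificate directory introduced by the `spath` change, so on upgrade each service presumably starts from an empty directory, registers a fresh ACME account and re-requests every certificate, which can run into CA rate limits; a one-time move of the old state, or at least a release-note entry, would make the upgrade explicit. The same hunk also means each certificate now gets its own lego account and state rather than one shared account, which is worth stating in a comment next to `spath`, e.g. `# Per-certificate lego state dir: lego names files after the common name, so a shared dir would let certs with equal common names overwrite each other`. In the second hunk only `acme/.lego/${cert}` is listed in `StateDirectory`, so the intermediate `acme/.lego` directory is no longer covered by `StateDirectoryMode` and is presumably created by systemd with its default mode — confirm that is acceptable given the key material lives one level down under the 700/750 directory. The enclosing `let … in` block starts outside both hunks.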