diff options
author | Alyssa Ross <hi@alyssa.is> | 2020-04-27 21:04:56 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2020-04-27 21:04:56 +0000 |
commit | a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e (patch) | |
tree | 47950e79183035018882419c4eff5047d1537b99 /nixpkgs/nixos/modules/security | |
parent | 5b00523fb58512232b819a301c4309f579c7f09c (diff) | |
parent | 22a3bf9fb9edad917fb6cd1066d58b5e426ee975 (diff) | |
download | nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.tar nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.tar.gz nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.tar.bz2 nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.tar.lz nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.tar.xz nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.tar.zst nixlib-a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e.zip |
Merge commit '22a3bf9fb9edad917fb6cd1066d58b5e426ee975'
Diffstat (limited to 'nixpkgs/nixos/modules/security')
-rw-r--r-- | nixpkgs/nixos/modules/security/acme.nix | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/nixpkgs/nixos/modules/security/acme.nix b/nixpkgs/nixos/modules/security/acme.nix index b787a7675390..39976380e3b4 100644 --- a/nixpkgs/nixos/modules/security/acme.nix +++ b/nixpkgs/nixos/modules/security/acme.nix @@ -301,7 +301,7 @@ in # StateDirectory must be relative, and will be created under /var/lib by systemd lpath = "acme/${cert}"; apath = "/var/lib/${lpath}"; - spath = "/var/lib/acme/.lego"; + spath = "/var/lib/acme/.lego/${cert}"; fileMode = if data.allowKeysForGroup then "640" else "600"; globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ] ++ optionals (cfg.acceptTerms) [ "--accept-tos" ] @@ -318,25 +318,20 @@ in description = "Renew ACME Certificate for ${cert}"; after = [ "network.target" "network-online.target" ]; wants = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; + wantedBy = mkIf (!config.boot.isContainer) [ "multi-user.target" ]; serviceConfig = { Type = "oneshot"; - # With RemainAfterExit the service is considered active even - # after the main process having exited, which means when it - # gets changed, the activation phase restarts it, meaning - # the permissions of the StateDirectory get adjusted - # according to the specified group - RemainAfterExit = true; User = data.user; Group = data.group; PrivateTmp = true; - StateDirectory = "acme/.lego ${lpath}"; + StateDirectory = "acme/.lego/${cert} acme/.lego/accounts ${lpath}"; StateDirectoryMode = if data.allowKeysForGroup then "750" else "700"; WorkingDirectory = spath; # Only try loading the credentialsFile if the dns challenge is enabled EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null; ExecStart = pkgs.writeScript "acme-start" '' #!${pkgs.runtimeShell} -e + test -L ${spath}/accounts -o -d ${spath}/accounts || ln -s ../accounts ${spath}/accounts ${pkgs.lego}/bin/lego ${renewOpts} || ${pkgs.lego}/bin/lego ${runOpts} ''; ExecStartPost = @@ -348,7 +343,9 @@ in # Test that existing cert is older than new cert KEY=${spath}/certificates/${keyName}.key + KEY_CHANGED=no if [ -e $KEY -a $KEY -nt key.pem ]; then + KEY_CHANGED=yes cp -p ${spath}/certificates/${keyName}.key key.pem cp -p ${spath}/certificates/${keyName}.crt fullchain.pem cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem @@ -359,7 +356,10 @@ in chmod ${fileMode} *.pem chown '${data.user}:${data.group}' *.pem - ${data.postRun} + if [ "$KEY_CHANGED" = "yes" ]; then + : # noop in case postRun is empty + ${data.postRun} + fi ''; in "+${script}"; |