author | Lucas Savva <lucas@m1cr0man.com> | 2021-03-15 01:33:45 +0000 |
---|---|---|
committer | Lucas Savva <lucas@m1cr0man.com> | 2021-03-15 01:41:40 +0000 |
commit | 920a3f5a9d0d603b2435bac2c58d76ab784fcddd (patch) | |
tree | d261bc629afe6b552a2d69cb1616aaff62dd77f2 /nixos/modules/security/acme.nix | |
parent | 63a9f162355ec84c423690869a97848d73409fb8 (diff) | |
nixos/acme: Fix webroot issues
With the UMask set to 0023, the mkdir -p command which creates the webroot could end up unreadable if the web server changes, as surfaced by the test suite in #114751. On top of this, the following commands to chown the webroot + subdirectories were mostly unnecessary. I stripped it back to only fix the deepest part of the directory, resolving #115976, and reintroduced a human readable error message.
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r-- | nixos/modules/security/acme.nix | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index c33a92580d4..5881e5f98d0 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -24,7 +24,7 @@ let
 Type = "oneshot";
 User = "acme";
 Group = mkDefault "acme";
- UMask = 0023;
+ UMask = 0022;
 StateDirectoryMode = 750;
 ProtectSystem = "full";
 PrivateTmp = true;
@@ -275,9 +275,15 @@ let
 set -euxo pipefail
 ${optionalString (data.webroot != null) ''
- # Ensure the webroot exists
- mkdir -p '${data.webroot}/.well-known/acme-challenge'
- chown 'acme:${data.group}' ${data.webroot}/{.well-known,.well-known/acme-challenge}
+ # Ensure the webroot exists. Fixing group is required in case configuration was changed between runs.
+ # Lego will fail if the webroot does not exist at all.
+ (
+ mkdir -p '${data.webroot}/.well-known/acme-challenge' \
+ && chgrp '${data.group}' ${data.webroot}/.well-known/acme-challenge
+ ) || (
+ echo 'Please ensure ${data.webroot}/.well-known/acme-challenge exists and is writable by acme:${data.group}' \
+ && exit 1
+ )
 ''}
 echo '${domainHash}' > domainhash.txt |
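Review bot: UMask is a unit-wide setting, so every file and directory this service creates — not only the webroot path the description is about — now comes out 0644/0755 instead of 0644/0754, and the hunk shows nothing else the service writes, so whether any key material in the state directory depends on the umask for its mode cannot be judged here and should be confirmed. The reason for the value deserves a comment beside it, e.g. `# 0022 rather than 0023: directories created for the webroot must stay traversable by the web server user`. StateDirectoryMode = 750 on the next line governs the mode of the state directory itself, not of the files written into it.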
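Review bot: The chgrp target on the `&& chgrp` line is unquoted while the mkdir target directly above it is single-quoted, so a webroot path containing whitespace or glob characters is word-split before chgrp sees it; quote it the same way, `&& chgrp '${data.group}' '${data.webroot}/.well-known/acme-challenge'`. The fallback `( echo … && exit 1 )` only exits its own subshell and relies on `set -e` to turn the list's status 1 into a script exit, and the diagnostic goes to stdout rather than stderr; a brace group is more direct, `|| { echo 'Please ensure ${data.webroot}/.well-known/acme-challenge exists and is writable by acme:${data.group}' >&2; exit 1; }`. The chgrp also touches only the leaf directory, so a pre-existing `.well-known` keeps whatever group and mode it had — harmless as long as it stays traversable by the web server, but worth stating in the comment. The shell string and the surrounding Nix function continue outside the hunk.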