author | Lucas Savva <lucas@m1cr0man.com> | 2021-01-09 19:15:03 +0000 |
---|---|---|
committer | Lucas Savva <lucas@m1cr0man.com> | 2021-01-09 19:15:03 +0000 |
commit | a01df7dc4663650146cba65d25aaf225391f22ce (patch) | |
tree | 40a56d31662cec15e5333ba8011213355454e23e /nixos/modules/security/acme.nix | |
parent | 92a3a37153b159951d027a77cbb7b1ee7f92bde6 (diff) | |
nixos/acme: Incorporate review suggestions
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r-- | nixos/modules/security/acme.nix | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index d2d68eea9fd..bf748d16821 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -63,15 +63,16 @@ let
 # exist and have the correct user and group, since group
 # is configurable on a per-cert basis.
 userMigrationService = let
- script = with builtins; concatStringsSep "\n" (mapAttrsToList (cert: data: ''
+ script = with builtins; '' chown -R acme .lego/accounts
+ '' + (concatStringsSep "\n" (mapAttrsToList (cert: data: ''
 for fixpath in ${escapeShellArg cert} .lego/${escapeShellArg cert}; do
 if [ -d "$fixpath" ]; then
 chmod -R u=rwX,g=rX,o= "$fixpath"
 chown -R acme:${data.group} "$fixpath"
 fi
 done
- '') certConfigs);
+ '') certConfigs));
 in {
 description = "Fix owner and group of all ACME certificates";
@@ -704,6 +705,14 @@ in {
 }) certConfigs;
 # Create targets to limit the number of simultaneous account creations
+ # How it works:
+ # - Pick a "leader" cert service, which will be in charge of creating the account,
+ and run first (requires + after)
+ # - Make all other cert services sharing the same account wait for the leader to
+ finish before starting (requiredBy + before).
+ # Using a target here is fine - account creation is a one time event. Even if
+ systemd clean --what=state is used to delete the account, so long as the user
+ then runs one of the cert services, there won't be any issues.
 accountTargets = mapAttrs' (hash: confs: let
 leader = "acme-${(builtins.head confs).cert}.service";
 dependantServices = map (conf: "acme-${conf.cert}.service") (builtins.tail confs); |
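Review bot: The added `chown -R acme .lego/accounts` in userMigrationService only fixes ownership, while the per-cert loop right below it both checks that the path exists and applies `chmod -R u=rwX,g=rX,o=`; the accounts directory holds the ACME account private key, so a permissive mode left behind by an earlier version would survive this migration. It also runs unconditionally, and since NixOS wraps `script` in a shell started with `-e` as far as I recall, a host where `.lego/accounts` does not exist yet would have the whole migration unit fail before the cert loop runs. Mirroring the loop's shape, `if [ -d .lego/accounts ]; then chmod -R u=rwX,g=,o= .lego/accounts; chown -R acme .lego/accounts; fi`, would cover both. Whether the group should be left as-is (no `:group` here, unlike `acme:${data.group}` below) is worth a one-line comment either way. The userMigrationService definition continues past the end of the hunk.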
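Review bot: The new comment above accountTargets refers to `systemd clean --what=state`, but the command that deletes a unit's state directory is `systemctl clean --what=state`; suggest `# systemctl clean --what=state is used to delete the account, so long as the user`. Since the comment is the operator's hint for recovering from a deleted account, naming the command correctly matters more than usual here. The accountTargets attrset body that sets up the requires/after and requiredBy/before relations the comment describes is outside the hunk, so I could not confirm the comment against it.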