author | Félix Baylac-Jacqué <felix@alternativebit.fr> | 2021-09-24 13:09:37 +0200 |
---|---|---|
committer | Félix Baylac-Jacqué <felix@alternativebit.fr> | 2021-10-04 10:08:35 +0200 |
commit | 73846b372fe93b5c674ff56e59b2a1dfa70d3d85 (patch) | |
tree | 7bc3d5c7b537fa398fe1148c9b047aa4b435d5ca /nixos/modules/security | |
parent | 1a6a4817e8264529e1e20fd47b88a19c9bfe03b4 (diff) | |
nixos/acme: add webroots to ReadWritePaths
Since 7a10478ea7b992ffa1f19f389e53df0fe2aa936d, all of /var except /var/lib/acme is mounted read-only. This breaks existing ACME deployments whose webroot is set outside of /var/lib/acme. This change collects the webroots and adds them to the paths that are mounted read/write in the systemd service runtime tree. Fixes #139310
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/acme.nix | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index bcbd17d8e10..1a5c3592c1f 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -192,6 +192,14 @@ let
 ++ data.extraLegoRenewFlags
 );
+ # We need to collect all the ACME webroots to grant them write
+ # access in the systemd service.
+ webroots =
+ lib.remove null
+ (lib.unique
+ (builtins.map
+ (certAttrs: certAttrs.webroot)
+ (lib.attrValues config.security.acme.certs)));
 in {
 inherit accountHash cert selfsignedDeps;
@@ -288,6 +296,8 @@ let
 "acme/.lego/accounts/${accountHash}"
 ];
+ ReadWritePaths = commonServiceConfig.ReadWritePaths ++ webroots;
+
 # Needs to be space separated, but can't use a multiline string because that'll include newlines
 BindPaths = [
 "${accountDir}:/tmp/accounts" |
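Review bot: The `webroots` list built in the first hunk is passed to systemd verbatim, so a configured webroot that does not exist when the unit starts will make activation fail rather than surfacing at the challenge step; webroot directories are often created by the web server, so this looks like a possible ordering hazard, though I cannot see the unit's `ProtectSystem`/ordering settings from here. If strict failure is intended the comment should say so; otherwise systemd's `-` prefix marks a `ReadWritePaths` entry as ignore-if-missing, which requires prefixing after the null removal, e.g. `webroots = map (w: "-${w}")` / `(lib.unique (lib.remove null (map (c: c.webroot) (lib.attrValues config.security.acme.certs))));`. The comment could also state the trade-off explicitly, since every configured webroot becomes writable inside the hardened service: `# Each configured webroot is re-granted write access inside the sandbox; keep webroots in dedicated directories.` `builtins.map` can simply be `map`; the `ReadWritePaths` consumer is in the second hunk, whose end lies outside this excerpt.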