authorFélix Baylac-Jacqué <felix@alternativebit.fr>2021-09-24 13:09:37 +0200
committerFélix Baylac-Jacqué <felix@alternativebit.fr>2021-10-04 10:08:35 +0200
commit73846b372fe93b5c674ff56e59b2a1dfa70d3d85 (patch)
tree7bc3d5c7b537fa398fe1148c9b047aa4b435d5ca /nixos/modules/security
parent1a6a4817e8264529e1e20fd47b88a19c9bfe03b4 (diff)
nixos/acme: add webroots to ReadWritePaths
Since 7a10478ea7b992ffa1f19f389e53df0fe2aa936d, all /var except
/var/lib/acme gets mounted in a read-only fashion. This behavior
breaks the existing acme deployments having a webroot set outside of
/var/lib/acme.

This change collects the webroots and adds them to the paths that are mounted read/write in the systemd service's runtime tree.

Fixes #139310
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/acme.nix10
1 files changed, 10 insertions, 0 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index bcbd17d8e10..1a5c3592c1f 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -192,6 +192,14 @@ let
       ++ data.extraLegoRenewFlags
     );
 
+    # We need to collect all the ACME webroots to grant them write
+    # access in the systemd service.
+    webroots =
+      lib.remove null
+        (lib.unique
+            (builtins.map
+            (certAttrs: certAttrs.webroot)
+            (lib.attrValues config.security.acme.certs)));
   in {
     inherit accountHash cert selfsignedDeps;
 
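Review bot: `webroots` gathers the webroot of every certificate in `config.security.acme.certs`, so each per-certificate service is granted write access to all configured webroots rather than only the one it serves. Since `data.extraLegoRenewFlags` on the line above suggests `data` is this certificate's own config, the grant could presumably be narrowed to `webroots = lib.optional (data.webroot != null) data.webroot;`, with the comment reading `# Grant this certificate's own webroot write access in the systemd service.` A shared grant may be intended (for example, certificates serving the same site), so confirm that before narrowing; the enclosing `let` block begins before this hunk, and the `ReadWritePaths` line that consumes `webroots` is in the next hunk.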
@@ -288,6 +296,8 @@ let
           "acme/.lego/accounts/${accountHash}"
         ];
 
+        ReadWritePaths = commonServiceConfig.ReadWritePaths ++ webroots;
+
         # Needs to be space separated, but can't use a multiline string because that'll include newlines
         BindPaths = [
           "${accountDir}:/tmp/accounts"