author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-10-25 21:03:48 +0200 |
---|---|---|
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-10-25 21:03:48 +0200 |
commit | a47e0a655462634e012a282c3b1c7054b6042e23 (patch) | |
tree | 0617100bba1322ff4cd6fd991740de737ffe72c4 /nixos/modules/security | |
parent | 3db31260169ae2dfa3ac971f3f72c5aebfe784ad (diff) | |
parent | f790fcd0bea2ef09f436e9d8088cfe2fea2c4c12 (diff) | |
Merge remote-tracking branch 'origin/master' into staging-next
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/acme.nix | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index f522b7c4128..cfbc8e91903 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -192,6 +192,14 @@ let ++ data.extraLegoRenewFlags ); + # We need to collect all the ACME webroots to grant them write + # access in the systemd service. + webroots = + lib.remove null + (lib.unique + (builtins.map + (certAttrs: certAttrs.webroot) + (lib.attrValues config.security.acme.certs))); in { inherit accountHash cert selfsignedDeps; @@ -288,6 +296,8 @@ let "acme/.lego/accounts/${accountHash}" ]; + ReadWritePaths = commonServiceConfig.ReadWritePaths ++ webroots; + # Needs to be space separated, but can't use a multiline string because that'll include newlines BindPaths = [ "${accountDir}:/tmp/accounts" |
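Review bot: Every unit built from this service config gets write access to the webroots of all certificates, not only its own, because the `webroots` list in the first hunk is collected from every entry in `config.security.acme.certs` and the second hunk appends the whole list to `ReadWritePaths`. The enclosing `let` looks per-certificate (it already reads `data.extraLegoRenewFlags`), so if `data.webroot` is in scope there, `ReadWritePaths = commonServiceConfig.ReadWritePaths ++ lib.optional (data.webroot != null) data.webroot;` would keep the sandbox to the one path this unit needs. HTTP-01 challenge files normally live under `.well-known/acme-challenge`, so the grant could be narrowed further to that subdirectory, provided it is guaranteed to exist when the unit starts. Both hunks are cut from a larger `let` block, so the service this attribute set belongs to is not visible here and should be confirmed.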