Merge remote-tracking branch 'origin/master' into staging-next

author: Martin Weinelt <hexa@darmstadt.ccc.de> 2021-10-25 21:03:48 +0200
committer: Martin Weinelt <hexa@darmstadt.ccc.de> 2021-10-25 21:03:48 +0200
commit: a47e0a655462634e012a282c3b1c7054b6042e23 (patch)
tree: 0617100bba1322ff4cd6fd991740de737ffe72c4 /nixos/modules/security
parent: 3db31260169ae2dfa3ac971f3f72c5aebfe784ad (diff)
parent: f790fcd0bea2ef09f436e9d8088cfe2fea2c4c12 (diff)
download: nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.tar
nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.tar.gz
nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.tar.bz2
nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.tar.lz
nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.tar.xz
nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.tar.zst
nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.zip
1 files changed, 10 insertions, 0 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index f522b7c4128..cfbc8e91903 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -192,6 +192,14 @@ let
       ++ data.extraLegoRenewFlags
     );
 
+    # We need to collect all the ACME webroots to grant them write
+    # access in the systemd service.
+    webroots =
+      lib.remove null
+        (lib.unique
+            (builtins.map
+            (certAttrs: certAttrs.webroot)
+            (lib.attrValues config.security.acme.certs)));
   in {
     inherit accountHash cert selfsignedDeps;
 
@@ -288,6 +296,8 @@ let
           "acme/.lego/accounts/${accountHash}"
         ];
 
+        ReadWritePaths = commonServiceConfig.ReadWritePaths ++ webroots;
+
         # Needs to be space separated, but can't use a multiline string because that'll include newlines
         BindPaths = [
           "${accountDir}:/tmp/accounts"
author	Martin Weinelt <hexa@darmstadt.ccc.de>	2021-10-25 21:03:48 +0200
committer	Martin Weinelt <hexa@darmstadt.ccc.de>	2021-10-25 21:03:48 +0200
commit	a47e0a655462634e012a282c3b1c7054b6042e23 (patch)
tree	0617100bba1322ff4cd6fd991740de737ffe72c4 /nixos/modules/security
parent	3db31260169ae2dfa3ac971f3f72c5aebfe784ad (diff)
parent	f790fcd0bea2ef09f436e9d8088cfe2fea2c4c12 (diff)
download	nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.tar nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.tar.gz nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.tar.bz2 nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.tar.lz nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.tar.xz nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.tar.zst nixpkgs-a47e0a655462634e012a282c3b1c7054b6042e23.zip