From 920a3f5a9d0d603b2435bac2c58d76ab784fcddd Mon Sep 17 00:00:00 2001
From: Lucas Savva
Date: Mon, 15 Mar 2021 01:33:45 +0000
Subject: nixos/acme: Fix webroot issues
With the UMask set to 0023, the mkdir -p command which creates the webroot could end up unreadable if the web server changes, as surfaced by the test suite in #114751
On top of this, the following commands to chown the webroot + subdirectories was mostly unnecessary. I stripped it back to only fix the deepest part of the directory, resolving #115976, and reintroduced a human readable error message.
---
nixos/modules/security/acme.nix | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'nixos/modules/security/acme.nix')
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index c33a92580d4..5881e5f98d0 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -24,7 +24,7 @@ let
Type = "oneshot";
User = "acme";
Group = mkDefault "acme";
- UMask = 0023;
+ UMask = 0022;
StateDirectoryMode = 750;
ProtectSystem = "full";
PrivateTmp = true;
@@ -275,9 +275,15 @@ let
set -euxo pipefail
${optionalString (data.webroot != null) ''
- # Ensure the webroot exists
- mkdir -p '${data.webroot}/.well-known/acme-challenge'
- chown 'acme:${data.group}' ${data.webroot}/{.well-known,.well-known/acme-challenge}
+ # Ensure the webroot exists. Fixing group is required in case configuration was changed between runs.
+ # Lego will fail if the webroot does not exist at all.
+ (
+ mkdir -p '${data.webroot}/.well-known/acme-challenge' \
+ && chgrp '${data.group}' ${data.webroot}/.well-known/acme-challenge
+ ) || (
+ echo 'Please ensure ${data.webroot}/.well-known/acme-challenge exists and is writable by acme:${data.group}' \
+ && exit 1
+ )
''}
echo '${domainHash}' > domainhash.txt
-- cgit 1.4.1
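Review bot: The `UMask = 0022;` line deserves a comment recording why the value was relaxed, since the reason currently lives only in the commit message. The only difference between 0023 and 0022 is the other-execute bit, so directories created by this unit's `mkdir -p` come out 0755 instead of 0754 while regular files are 0644 under both; a one-liner such as `# 0022 rather than 0023: directories mkdir -p creates under the webroot must keep o+x so the web server can traverse them` keeps that intent next to the setting. Whether key material written into the StateDirectory relies on explicit file modes rather than on this umask is not visible in the hunk and is worth confirming. The serviceConfig attribute set continues outside the hunk.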
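Review bot: The path passed to `chgrp` is unquoted while the same path is quoted for `mkdir -p` one line earlier, so a webroot containing whitespace or glob characters would be word-split or expanded by the shell; use `&& chgrp '${data.group}' '${data.webroot}/.well-known/acme-challenge'`. The fallback branch also depends on `set -e` treating the failing `( echo … && exit 1 )` subshell as fatal, and it prints the hint to stdout; `|| { echo 'Please ensure …' >&2; exit 1; }` aborts the script directly and keeps the message in the error stream. Because the unit runs unprivileged as `acme`, `chgrp` can only succeed on a directory that acme owns and for a group acme is a member of, which the error text could state so an operator knows what to fix. The surrounding script starts before and ends after this hunk.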