nixos/acme: Set up webroot as non-root user

2021-01-09 19:34:54 +00:00 · 2021-01-09 19:34:54 +00:00 · 5b4f9c4244
parent a01df7dc46
commit 5b4f9c4244
1 changed files with 8 additions and 10 deletions
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -268,21 +268,19 @@ let
            ${data.postRun}
          fi
        '');
-
-      } // (optionalAttrs (data.webroot != null) {
-        # Lego always tries to create .well-known/acme-challenge, but if webroot is owned
-        # by the wrong user then it will crash and break cert renewal.
-        ExecStartPre = "+" + pkgs.writeShellScript "acme-${cert}-make-webroot" ''
-          mkdir -p '${data.webroot}/.well-known/acme-challenge'
-          cd '${data.webroot}'
-          chown 'acme:${data.group}' . .well-known .well-known/acme-challenge
-        '';
-      });
+      };

      # Working directory will be /tmp
      script = ''
        set -euo pipefail

+        ${optionalString (data.webroot != null) ''
+          # Ensure the webroot exists
+          mkdir -p '${data.webroot}/.well-known/acme-challenge'
+          chown 'acme:${data.group}' ${data.webroot}/{.well-known,.well-known/acme-challenge} \
+          || echo "Please fix the permissions under ${data.webroot}/.well-known/acme-challenge" && exit 1
+        ''}
+
        echo '${domainHash}' > domainhash.txt

        # Check if we can renew