From 5b4f9c42442545ea0352e4cb776a0f94074fca5b Mon Sep 17 00:00:00 2001
From: Lucas Savva
Date: Sat, 9 Jan 2021 19:34:54 +0000
Subject: [PATCH] nixos/acme: Set up webroot as non-root user
---
 nixos/modules/security/acme.nix | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index bf748d16821..b0f2f7265c5 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -268,21 +268,19 @@ let
 ${data.postRun}
 fi
 '');
-
- } // (optionalAttrs (data.webroot != null) {
- # Lego always tries to create .well-known/acme-challenge, but if webroot is owned
- # by the wrong user then it will crash and break cert renewal.
- ExecStartPre = "+" + pkgs.writeShellScript "acme-${cert}-make-webroot" ''
- mkdir -p '${data.webroot}/.well-known/acme-challenge'
- cd '${data.webroot}'
- chown 'acme:${data.group}' . .well-known .well-known/acme-challenge
- '';
- });
+ };
 # Working directory will be /tmp
 script = ''
 set -euo pipefail
+ ${optionalString (data.webroot != null) ''
+ # Ensure the webroot exists
+ mkdir -p '${data.webroot}/.well-known/acme-challenge'
+ chown 'acme:${data.group}' ${data.webroot}/{.well-known,.well-known/acme-challenge} \
+ || echo "Please fix the permissions under ${data.webroot}/.well-known/acme-challenge" && exit 1
+ ''}
+
 echo '${domainHash}' > domainhash.txt
 # Check if we can renew
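Review bot: The added `chown … || echo … && exit 1` line parses as `(chown || echo) && exit 1`, so the script exits 1 even when chown succeeds, and under the `set -e` two lines above every webroot-enabled unit would fail before reaching the renewal logic; `${data.webroot}` is also unquoted on that line (it is quoted on the mkdir line just above it), so a webroot path containing spaces or glob characters would be word-split. Group the failure branch and keep the path quoted outside the brace expansion: `chown 'acme:${data.group}' '${data.webroot}'/{.well-known,.well-known/acme-challenge} \` followed by `|| { echo "Please fix the permissions under ${data.webroot}/.well-known/acme-challenge" >&2; exit 1; }`. The removed ExecStartPre ran with the `+` prefix (as root), whereas the script presumably now runs as the service user per the commit title, so chown can only succeed when the directories are already owned by `acme` — that is worth stating where the hunk says `# Ensure the webroot exists`, e.g. `# Runs unprivileged: chown succeeds only if .well-known is already owned by acme; otherwise fail with guidance instead of letting lego crash later`. The enclosing service definition starts and ends outside the hunk.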