nixos/acme: add webroots to ReadWritePaths

Since 7a10478ea7, all /var except /var/lib/acme gets mounted in a read-only fashion. This behavior breaks the existing acme deployments having a webroot set outside of /var/lib/acme. Collecting the webroots and adding them to the paths read/write mounted to the systemd service runtime tree. Fixes #139310
2024-11-10 16:45:51 +03:00 · 2021-09-24 13:09:37 +02:00 · 2021-09-24 13:09:37 +02:00 · 73846b372f
commit 73846b372f
parent 1a6a4817e8
1 changed files with 10 additions and 0 deletions
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -192,6 +192,14 @@ let
      ++ data.extraLegoRenewFlags
    );

+    # We need to collect all the ACME webroots to grant them write
+    # access in the systemd service.
+    webroots =
+      lib.remove null
+        (lib.unique
+            (builtins.map
+            (certAttrs: certAttrs.webroot)
+            (lib.attrValues config.security.acme.certs)));
  in {
    inherit accountHash cert selfsignedDeps;

@ -288,6 +296,8 @@ let
          "acme/.lego/accounts/${accountHash}"
        ];

+        ReadWritePaths = commonServiceConfig.ReadWritePaths ++ webroots;
+
        # Needs to be space separated, but can't use a multiline string because that'll include newlines
        BindPaths = [
          "${accountDir}:/tmp/accounts"