From d95f020a5316fd1680c641d7f8283bcbc215c0d9 Mon Sep 17 00:00:00 2001
From: Lucas Savva
Date: Mon, 12 Oct 2020 19:26:00 +0100
Subject: [PATCH] nixos/acme: Docs, explain how to set permissions

As of 20.09 the /var/lib/acme/.challenges permissions will not automatically be correct. Add instructions on how to set them correctly.
---
 nixos/modules/security/acme.xml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml
index 17e94bc12fb2..e3ce643e920f 100644
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme.xml
@@ -115,15 +115,18 @@ services.nginx = {
 = true;
 = "admin+acme@example.com";
+
+# /var/lib/acme/.challenges must be writable by the ACME user
+# and readable by the Nginx user. The easiest way to achieve
+# this is to add the Nginx user to the ACME group.
+users.users.nginx.extraGroups = [ "acme" ];
+
 services.nginx = {
 enable = true;
 virtualHosts = {
 "acmechallenge.example.com" = {
 # Catchall vhost, will redirect users to HTTPS for all vhosts
 serverAliases = [ "*.example.com" ];
- # /var/lib/acme/.challenges must be writable by the ACME user
- # and readable by the Nginx user.
- # By default, this is the case.
 locations."/.well-known/acme-challenge" = {
 root = "/var/lib/acme/.challenges";
 };
@@ -134,6 +137,7 @@ services.nginx = {
 };
 }
 # Alternative config for Apache
+users.users.wwwrun.extraGroups = [ "acme" ];
 services.httpd = {
 enable = true;
 virtualHosts = {