nixos/acme: Docs, explain how to set permissions

As of 20.09 the /var/lib/acme/.challenges permissions will not automatically be correct. Add instructions on how to set them correctly.
2020-10-12 19:26:00 +01:00 · 2020-10-12 19:26:00 +01:00 · d95f020a53
commit d95f020a53
parent 0b5d5d6828
1 changed files with 7 additions and 3 deletions
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme.xml
@ -115,15 +115,18 @@ services.nginx = {
 <programlisting>
 <xref linkend="opt-security.acme.acceptTerms" /> = true;
 <xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
+
+# /var/lib/acme/.challenges must be writable by the ACME user
+# and readable by the Nginx user. The easiest way to achieve
+# this is to add the Nginx user to the ACME group.
+<link linkend="users.users._name_.extraGroups">users.users.nginx.extraGroups</link> = [ "acme" ];
+
 services.nginx = {
  <link linkend="opt-services.nginx.enable">enable</link> = true;
  <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
    "acmechallenge.example.com" = {
      # Catchall vhost, will redirect users to HTTPS for all vhosts
      <link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ "*.example.com" ];
-      # /var/lib/acme/.challenges must be writable by the ACME user
-      # and readable by the Nginx user.
-      # By default, this is the case.
      locations."/.well-known/acme-challenge" = {
        <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/lib/acme/.challenges";
      };
@ -134,6 +137,7 @@ services.nginx = {
  };
 }
 # Alternative config for Apache
+<link linkend="users.users._name_.extraGroups">users.users.wwwrun.extraGroups</link> = [ "acme" ];
 services.httpd = {
  <link linkend="opt-services.httpd.enable">enable = true;</link>
  <link linkend="opt-services.httpd.virtualHosts">virtualHosts</link> = {