From 64a6e8292aa39a664743d20b520173320dcea6bc Mon Sep 17 00:00:00 2001
From: Yuriy Taraday
Date: Mon, 4 Nov 2024 15:49:57 +0100
Subject: [PATCH] nixos/acme: Set /var/lib/acme permissions to 755

It was being created with the default home permissions of 700, and then set to 755 at runtime by something, either some script or systemd, as part of service startup.

It worked fine without sysusers, but when it's enabled with:

    systemd.sysusers.enable = true;

systemd-tmpfiles is resetting permissions on each activation, which breaks, for example, nginx reload, because it cannot load certificates anymore, because it doesn't have any access to `/var/lib/acme`.

Fix this by setting `homeMode = "755";` explicitly so that it's set to the final value from the beginning.
--- nixos/modules/security/acme/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix index a9cb396f13fd..5a8ba63f70f5 100644 --- a/nixos/modules/security/acme/default.nix +++ b/nixos/modules/security/acme/default.nix @@ -968,6 +968,7 @@ in { users.users.acme = { home = "/var/lib/acme"; + homeMode = "755"; group = "acme"; isSystemUser = true; };
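
Review bot: The added `homeMode = "755";` line in `users.users.acme` carries no comment explaining why this home directory is world-readable and traversable, so a later cleanup could tighten it back to the default and reintroduce the nginx reload failure described in the commit message. Suggest a one-line comment above it stating that services loading certificates need to traverse `/var/lib/acme` and that systemd-tmpfiles reapplies this mode on each activation when `systemd.sysusers.enable = true`. Because 755 gives every local user list and traverse access to the directory, it is also worth confirming that the per-certificate directories and key files beneath it keep their own restrictive modes, which is not visible in this hunk. The diffstat shows only this one file changed, so a test case with sysusers enabled would help guard against a regression.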