@ -7,6 +7,11 @@ let
numCerts = length ( builtins . attrNames cfg . certs ) ;
_24hSecs = 60 * 60 * 24 ;
# Used to make unique paths for each cert/account config set
mkHash = with builtins ; val : substring 0 20 ( hashString " s h a 2 5 6 " val ) ;
mkAccountHash = acmeServer : data : mkHash " ${ toString acmeServer } ${ data . keyType } ${ data . email } " ;
accountDirRoot = " / v a r / l i b / a c m e / . l e g o / a c c o u n t s / " ;
# There are many services required to make cert renewals work.
# They all follow a common structure:
# - They inherit this commonServiceConfig
@ -101,11 +106,10 @@ let
$ { toString acmeServer } $ { toString data . dnsProvider }
$ { toString data . ocspMustStaple } $ { data . keyType }
'' ;
mkHash = with builtins ; val : substring 0 20 ( hashString " s h a 2 5 6 " val ) ;
certDir = mkHash hashData ;
domainHash = mkHash " ${ concatStringsSep " " extraDomains } ${ data . domain } " ;
others Hash = mkHash " ${ toString acmeServer } ${ data . keyType } ${ data . email } " ;
accountDir = " / v a r / l i b / a c m e / . l e g o / a c c o u n t s / " + others Hash;
acc oun tHash = ( mkAccountHash acmeServer data ) ;
accountDir = accountDirRoot + account Hash;
protocolOpts = if useDns then (
[ " - - d n s " data . dnsProvider ]
@ -142,7 +146,7 @@ let
) ;
in {
inherit accountDir selfsignedDeps ;
inherit accountHash account Dir cert selfsignedDeps ;
webroot = data . webroot ;
group = data . group ;
@ -253,8 +257,7 @@ let
echo ' $ { domainHash } ' > domainhash . txt
# Check if we can renew
# Certificates and account credentials must exist
if [ - e ' certificates / $ { keyName } . key' - a - e ' certificates / $ { keyName } . crt' - a " $ ( l s - 1 a c c o u n t s ) " ] ; then
if [ - e ' certificates / $ { keyName } . key' - a - e ' certificates / $ { keyName } . crt' - a - n " $ ( l s - 1 a c c o u n t s ) " ] ; then
# When domains are updated, there's no need to do a full
# Lego run, but it's likely renew won't work if days is too low.
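Review bot: The new condition on the `if` line still chains three tests with the obsolescent `-a` operator inside one `[ ]`; POSIX leaves `test` with more than four arguments unspecified, and the `-n "$(ls -1 accounts)"` check depends on parsing `ls` output to decide whether account credentials exist. Splitting it into separate tests keeps the intent and removes the ambiguity: `if [ -e 'certificates/${keyName}.key' ] && [ -e 'certificates/${keyName}.crt' ] && [ -n "$(ls -1 accounts)" ]; then`. A directory test such as `[ -d accounts/<server> ]` would be more robust than `ls`, but only if the lego account layout is known for certain here. The surrounding renewal script starts and ends outside this hunk.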
@ -670,15 +673,32 @@ in {
" d / v a r / l i b / a c m e / . l e g o / a c c o u n t s - a c m e a c m e "
] ++ ( unique ( concatMap ( conf : [
" d ${ conf . accountDir } - a c m e a c m e "
] ++ ( optional ( conf . webroot != null ) " d ${ conf . webroot } / . w e l l - k n o w n / a c m e - c h a l l e n g e - a c m e ${ conf . group } " )
] ++ ( optionals ( conf . webroot != null ) [
" d ${ conf . webroot } - a c m e ${ conf . group } "
" d ${ conf . webroot } / . w e l l - k n o w n - a c m e ${ conf . group } "
" d ${ conf . webroot } / . w e l l - k n o w n / a c m e - c h a l l e n g e - a c m e ${ conf . group } "
] )
) ( attrValues certConfigs ) ) ) ;
# Create some targets which can be depended on to be "active" after cert renewals
systemd . targets = mapAttrs' ( cert : conf : nameValuePair " a c m e - f i n i s h e d - ${ cert } " {
wantedBy = [ " d e f a u l t . t a r g e t " ] ;
requires = [ " a c m e - ${ cert } . s e r v i c e " ] ++ conf . selfsignedDeps ;
after = [ " a c m e - ${ cert } . s e r v i c e " ] ++ conf . selfsignedDeps ;
} ) certConfigs ;
systemd . targets = let
# Create some targets which can be depended on to be "active" after cert renewals
finishedTargets = mapAttrs' ( cert : conf : nameValuePair " a c m e - f i n i s h e d - ${ cert } " {
wantedBy = [ " d e f a u l t . t a r g e t " ] ;
requires = [ " a c m e - ${ cert } . s e r v i c e " ] ++ conf . selfsignedDeps ;
after = [ " a c m e - ${ cert } . s e r v i c e " ] ++ conf . selfsignedDeps ;
} ) certConfigs ;
# Create targets to limit the number of simultaneous account creations
accountTargets = mapAttrs' ( hash : confs : let
leader = " a c m e - ${ ( builtins . head confs ) . cert } . s e r v i c e " ;
dependantServices = map ( conf : " a c m e - ${ conf . cert } . s e r v i c e " ) ( builtins . tail confs ) ;
in nameValuePair " a c m e - a c c o u n t - ${ hash } " {
requiredBy = dependantServices ;
before = dependantServices ;
requires = [ leader ] ;
after = [ leader ] ;
} ) ( groupBy ( conf : conf . accountHash ) ( attrValues certConfigs ) ) ;
in finishedTargets // accountTargets ;
} )
] ;
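Review bot: The added tmpfiles rule `"d ${conf.webroot} - acme ${conf.group}"` applies ownership to the webroot itself, and systemd-tmpfiles `d` entries adjust the user/group of a directory that already exists, so a pre-existing web server document root will presumably be re-owned to the acme user on every boot; only the `.well-known` and `acme-challenge` subdirectories need acme ownership, so the webroot line could be reduced to `"d ${conf.webroot} - - -"`. In the new `accountTargets`, each non-leader service has `requires = [ leader ]`, which means a failed renewal of the leader certificate (the first entry of `attrValues certConfigs` for that account hash) blocks every other certificate that shares the account; a comment on `leader` stating this trade-off and why ordering on the leader is sufficient to serialize account creation would help the next maintainer. The enclosing `systemd.tmpfiles.rules`/`mkMerge` block begins outside this hunk, and the counts suggest it may also continue past the last visible line.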