cc @immae

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/go-no-go-meeting-nixos-20-03-markhor/6495/20

Unstable and 20.03 tester will suffer from this one, because their ssl keys/certificates are recreated but I want to avoid adding migration logic for those cases to keep complexity low.

I suppose one could symlink /var/lib/acme/.lego/accounts/ to /var/lib/acme/.lego//accounts/ ? Than only one account is created.

Thanks for the job @Mic92

About the suffering, I simply did something like that in startPre (please test it for typos, since I rewrite it from memory, I didn’t keep the hack after applying it):

if [ -d /var/lib/acme/.lego/accounts -a ! -d /var/lib/acme/.lego/${cert}/accounts ]; then
  cp -a /var/lib/acme/.lego/accounts /var/lib/acme/.lego/${cert}/accounts
fi
if [ -d /var/lib/acme/.lego/certificates -a ! -d /var/lib/acme/.lego/${cert}/certificates ]; then
  mkdir -p /var/lib/acme/.lego/${cert}/certificates
  cp -a /var/lib/acme/.lego/certificates/${data.domain}.* /var/lib/acme/.lego/${cert}/certificates/
fi
chown -R ${data.user}:${data.group} /var/lib/acme/.lego/${cert}/

Also note that, since we have to separate the directories anyway, I decided to use /var/lib/acme/${cert}/.lego rather than /var/lib/acme/.lego/${cert} to keep everything related to a certificate in a single directory. You might want to change your code considering that...

EDIT: I missed part of your message that you didn’t want migration logic. The second paragraph still stands though

I agree with @Mic92 on not introducing migration code to handle migrations from the current lego folders to the new locations after this PR, especially as it's just a matter of re-requesting certificates.

I don't have a super strong opinion on /var/lib/acme/.lego/${cert}/ vs. /var/lib/acme/${cert}/.lego/ - both have its advantages and disadvantages.

I think the structure propose here is a bit better, considering there might very well be another LE client in the future that does support multiple certificates with the same common name properly.

I agree with @Mic92 on not introducing migration code to handle migrations from the current lego folders to the new locations after this PR, especially as it's just a matter of re-requesting certificates.

Well, rate limiting is an important thing with acme certificates (you can say "you’re using an unstable channel, it’s your problem", and you’d be totally right - that’s why I’m not pushing for a migration code - but it’s still an issue to some people :) )

Yeah. I expect people tracking unstable to be able to workaround these issues, and potentially apply a workaround as proposed above during the migration.

One can add the following snippet to their configuration.nix to add the migration code:

  systemd.services = lib.mapAttrs' (cert: data:  {
    name = "acme-${cert}";
    value = {
      preStart = ''
        if [ -d /var/lib/acme/.lego/accounts -a -! -d /var/lib/acme/.lego/${cert}/accounts ]; then
          cp -a /var/lib/acme/.lego/accounts /var/lib/acme/.lego/${cert}/accounts
        fi
        if [ -d /var/lib/acme/.lego/certificates -a -! -d /var/lib/acme/.lego/${cert}/certificates ]; then
          mkdir -p /var/lib/acme/.lego/${cert}/certificates
          cp -a /var/lib/acme/.lego/certificates/${data.domain}.* /var/lib/acme/.lego/${cert}/certificates/
        fi
        chown -R ${data.user}:${data.group} /var/lib/acme/.lego/${cert}/
      '';
    };
  }) config.security.acme.certs;

I might announce that in a discourse post.

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-acme-action-required-on-unstable-or-20-03-pre-release/6629/1

20.03 backport: 377b024