From 776d236e1512a0725cd7205178815bf494d7ba36 Mon Sep 17 00:00:00 2001
From: Aneesh Agrawal
Date: Sun, 25 Oct 2020 20:20:16 -0400
Subject: [PATCH] nixos/acme: Make challenges world readable

By making it world-readable, this enables setting a `group` for a given cert that does not include the webserver used for an http-01 challenge. For example, this allows setting the group to `postgres` while using `nginx` to serve the challenge, without having to create a group containing both `postgres` and `nginx`.

Additionally, change the tmpfiles rule to always create the directory as owned by acme to avoid duplicate tmpfiles for the same webroot trying to make it be owned by different groups (e.g. both `nginx` and `postgres`), which causes:
```
setting up tmpfiles
/etc/tmpfiles.d/00-nixos.conf:23: Duplicate line for path "/var/lib/acme/acme-challenge/.well-known/acme-challenge", ignoring.
```

The challenge data does not need to be kept private (as it is world-accessible over HTTP to fulfill the challenge!) so this is safe to do.

Note that lego already writes any challenge files out as 644, but the UMask was impeding this by preventing world-readability. Omitting it will cause us to use systemd's default of 022.

No units should not leak any sensitive data from this:
- minica creates self-signed certs which are not sensitive since they won't be trusted
- lego creates account and cert files with 600 permissions.

Note that all units also use PrivateTmp so we only need to consider files which are directly output into a directory in BindPaths; they all also chmod their outputs to appropriate permissions, but that is not sufficient as we don't want any window (i.e. before chmod) with insecure permissions on relevant files.
---
 nixos/modules/security/acme.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 5732620f290832..a7c551b6a8dd37 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -19,7 +19,6 @@ let
 Type = "oneshot";
 User = "acme";
 Group = mkDefault "acme";
- UMask = 0027;
 StateDirectoryMode = 750;
 ProtectSystem = "full";
 PrivateTmp = true;
@@ -669,7 +668,7 @@ in {
 "d /var/lib/acme/.lego/accounts - acme acme"
 ] ++ (unique (concatMap (conf: [
 "d ${conf.accountDir} - acme acme"
- ] ++ (optional (conf.webroot != null) "d ${conf.webroot}/.well-known/acme-challenge - acme ${conf.group}")
+ ] ++ (optional (conf.webroot != null) "d ${conf.webroot}/.well-known/acme-challenge - acme acme")
 ) (attrValues certConfigs)));
 # Create some targets which can be depended on to be "active" after cert renewals
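Review bot: Removing `UMask = 0027;` widens the creation mode of every file these units write, not only the http-01 challenge files, and nothing left in acme.nix records why, so a later change to the systemd default or a helper that stops chmod'ing its outputs would silently undo the argument the commit message makes. I would keep the setting explicit, `UMask = "0022";`, preceded by `# 0022 rather than 0027: challenge files under the webroot must be world-readable; account and cert files rely on lego creating them 0600`, so the reasoning lives next to the value. Writing it as a string also avoids depending on Nix rendering a decimal integer as the text systemd parses as octal; as far as I can tell Nix has no octal literals, so the removed `0027` was the integer 27 and only worked because `27` happens to read as octal 027. The enclosing serviceConfig attrset starts before the hunk.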
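Review bot: The tmpfiles rule now hard-codes `acme acme` where it used `${conf.group}`, and a reader of this line cannot tell that this is deliberate rather than a leftover, so the next person who wants the webserver's group on the challenge directory will reintroduce the duplicate-line collision for a shared webroot. A comment above the `optional` line, `# Always acme:acme, not ${conf.group}: challenge files are served publicly anyway, and per-cert groups produce duplicate tmpfiles entries for a shared webroot`, captures the why. Since the mode field is `-`, the directory gets the tmpfiles default for `d` entries (0755), which is what gives the webserver's user its read and traverse access; stating that in the comment makes the permission model explicit. The `systemd.tmpfiles.rules` list this hunk belongs to starts before the hunk.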