Set default ACME_DIRECTORY for Docker installs to somewhere in a volume

[Sainan]

With the previous default, ACME certificates and accounts would be lost upon restarting the container because only the /data folder is bound to a (writable) volume in the suggested docker-compose.yml from the docs.

Closes https://gitea.com/gitea/docs/issues/292

[wxiaoguang]

Like #35854 (review) and our discord discussion, I think we need to have a complete solution but not add more patches.

The directory problem is a general problem for all users, but not only Docker users.

There are already enough legacy problems, if we keep adding patches, after many years the new users would still complain: why that decision was made.

[Sainan]

I understand not wanting to merge #35854, but this one is a brutal issue that affects only Docker users, and I think should be merged, even you think there's a long-term better solution.

[wxiaoguang]

but this one is a brutal issue that affects only Docker users,

All users are affected. It shouldn't use WORK_PATH, see the discord discussion: if the Gitea binary is put into /usr/local/bin and run it there, it is not able to (and shouldn't) create /usr/local/bin/https

[Sainan]

But it's not using WORK_PATH? If it were https relative to the WORK_PATH, then in my case it would be /data/gitea/https, which clearly isn't the folder it's using.

Also, do you have an issue number tracking the work on the 'proper' breaking change?

[wxiaoguang]

But it's not using WORK_PATH? If it were https relative to the WORK_PATH, then in my case it would be /data/gitea/https, which clearly isn't the folder it's using.

It is more complicated than that. To "guess" a work path, see modules/setting/path.go and its tests.

Also, do you have an issue number tracking the work on the 'proper' breaking change?

No from my side at the moment.

[Sainan]

Then I'm going to keep this PR open because exceeding the Let's Encrypt rate-limit just from restarting Gitea a few times is a stupid problem to have.

[TheFox0x7]

Actually.. would the proper fix be a breaking change? If you have ACME enabled it should just pull new certs into (now proper) directory. If you don't there's no impact and if you used a custom dir the fixed default won't apply?

[Sainan]

Hmm, good point. It would require reissuing new certificates for existing instances (with default ACME_DIRECTORY) but I guess that's about it.

[wxiaoguang]

OK, let me break the legacy buggy behavior ..... will make some changes in this PR

[Sainan]

No need to reuse my branch/PR haha

[wxiaoguang]

No need to reuse my branch/PR haha

I just think we don't need to open too many PRs.

If you'd like to close this one, feel free to close it, and then I will open a new one.