20.09: preliminary self-signed certificates fail to generate

[fgaz]

[...]
Oct 29 13:58:26 nixos nixcloud.TLS-acmeSuppliedPreliminary-<snip>-start[528]: Done creating a self signed certificate
Oct 29 13:58:26 nixos nixcloud.TLS-acmeSuppliedPreliminary-<snip>-post-start[728]: cp: cannot stat '/tmp/server.key': No such file or directory

Really weird. The ExecStart didn't fail, so server.key should be there

[fgaz]

Wild guess: when PermissionsStartOnly was deprecated, it was changed to have the same semantics as adding the + prefix to everything except ExecStart. This would mean that the PrivateTmp (acmeSuppliedPreliminary sets it in addition to PermissionsStartOnly) is now ExecStart-specific, breaking the service

[fgaz]

If that's the case, this could be fixed by using RuntimeDirectory or tmpfiles instead.

[fgaz]

Yes, setting RuntimeDirectory and using $RUNTIME_DIRECTORY instead of /tmp in services/TLS does the trick! I'll open a pr

[nh2]

@fgaz What came of this?

[fgaz]

@nh2 I fixed it but forgot to send the patch. Thanks for reminding me, here it is: #74