nixos/acme: Fix cert renewal with built in webserver

Fixes #191794 Lego threw a permission denied error binding to port 80. AmbientCapabilities with CAP_NET_BIND_SERVICE was required. Also added a test for this.
2025-07-13 13:40:28 +03:00 · 2022-09-18 21:27:11 +01:00 · 2022-09-18 21:27:11 +01:00 · 39796cad46
commit 39796cad46
parent 22d41f921f
2 changed files with 21 additions and 1 deletions
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@ -325,6 +325,7 @@ let
        '');
      } // optionalAttrs (data.listenHTTP != null && toInt (elemAt (splitString ":" data.listenHTTP) 1) < 1024) {
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
      };

      # Working directory will be /tmp