nixos/acme: fix ReadWritePaths for acme-${domain}.service

Currently ReadWritePaths is only sufficiently specificed for
acme-order-renew-${domain}.service, and not acme-${domain}.service. This
results in service failure if specifying the webroot outside of
/var/lib/acme, for example /var/www/challenges:

  acme-example.com-start[1379]: + mkdir -p /var/www/challenges//.well-known/acme-challenge
  acme-example.com-start[1382]: mkdir: cannot create directory ‘/var/www/challenges//.well-known’: Read-only file system
  systemd[1]: acme-example.com.service: Main process exited, code=exited, status=1/FAILURE

Fix it by adding the webroots to ReadWritePaths in the common
serviceConfig, where it can affect both acme-order-renew-${domain}.service
AND acme-${domain}.service.

Avoid adding subdirs of existing ReadWritePaths entries, because
otherwise systemd will fail to set up the services, for example:

  acme-zeroconf.example.test.service: Failed to set up mount namespacing: /run/acme: No such file or directory

(Confusingly, the path shown in the error message isn't necessarily
related to the problematic path.)

0 files changed, 0 insertions, 0 deletions