Is this directory meant to be created by systemd? I don't understand
how the tmpfiles.conf file is supposed to work. The stock configuration
in git has this line commented out so out-of-the-box it will just
launch, and this can be enabled if people want it.
The tmpfiles format is documented in tmpfiles.d(5). Basically, it will
guarantee that the directory tree is created on boot (and when installing
the package). This is so that HTTP validation works out of the box. If
the user configures certbot to use DNS validation, those three
directories have been created in vain, but that's fine.
For the AUR package, I print a message to the user to configure certbot
HTTP validation to point to that top directory.
I generally encourage people to use the DNS based ACME challenge.
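To make the tmpfiles.d(5) mechanics concrete, here is an added example (it is not code from the tls-redirector project or from this thread): a small parser for the "d" lines used above that expands the %C specifier, applies the "-" defaults, and then checks that the resulting tree is readable and traversable, but not writable, by an unprivileged DynamicUser service, and works out which directory certbot's --webroot-path has to point at. The specifier values (%C = /var/cache and so on) are the system-instance values from the man page; the sample config, the function names and the check are this example's own, not anything the project defines.

```python
"""Parse tmpfiles.d(5) "d" lines the way systemd-tmpfiles reads them.

Added example (not code from the tls-redirector project): shows what each
column of a tmpfiles line means, how the %C specifier expands, what the "-"
defaults are, and a check that the resulting directories can be served by an
unprivileged (DynamicUser=) service without being writable by it. The sample
config below is constructed for this example.
"""
import stat
from dataclasses import dataclass
from typing import List, Optional

# Values of the path specifiers for a system instance (tmpfiles.d(5)):
# %C cache dir, %t runtime dir, %L log dir, %S state dir.
SYSTEM_SPECIFIERS = {"C": "/var/cache", "t": "/run", "L": "/var/log", "S": "/var/lib"}

# The path an HTTP-01 validator requests below the webroot (RFC 8555).
ACME_HTTP01_SUBPATH = ".well-known/acme-challenge"

# Constructed sample: three "d" lines like a tls-redirector tmpfiles file would carry.
SAMPLE_CONF = """\
#Type Path Mode User Group Age Argument
d %C/acme-challenge 0755 - - - -
d %C/acme-challenge/.well-known 0755 - - - -
d %C/acme-challenge/.well-known/acme-challenge 0755 - - - -
"""


@dataclass
class TmpfilesEntry:
    path: str                # after specifier expansion
    mode: int                # numeric mode; "-" means the directory default 0755
    user: str                # "-" means the invoking user, i.e. root when run at boot
    group: str
    age: Optional[str]       # None when "-": never removed by --clean
    argument: Optional[str]  # unused for "d" lines


def expand_specifiers(path: str, specifiers=SYSTEM_SPECIFIERS) -> str:
    """Replace %X specifiers; %% is a literal percent sign."""
    out, i = [], 0
    while i < len(path):
        if path[i] == "%" and i + 1 < len(path):
            key = path[i + 1]
            if key == "%":
                out.append("%")
            elif key in specifiers:
                out.append(specifiers[key])
            else:
                raise ValueError(f"unknown specifier %{key} in {path!r}")
            i += 2
        else:
            out.append(path[i])
            i += 1
    return "".join(out)


def parse_tmpfiles(text: str) -> List[TmpfilesEntry]:
    """Parse "d" lines; blank lines and # comments are skipped, and missing
    trailing columns are treated as "-"."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] != "d":
            raise ValueError(f"only 'd' entries are handled here, got {fields[0]!r}")
        fields += ["-"] * (7 - len(fields))
        _, path, mode, user, group, age, argument = fields[:7]
        entries.append(TmpfilesEntry(
            path=expand_specifiers(path),
            mode=0o755 if mode == "-" else int(mode, 8),
            user="root" if user == "-" else user,
            group="root" if group == "-" else group,
            age=None if age == "-" else age,
            argument=None if argument == "-" else argument,
        ))
    return entries


def check_servable(entries: List[TmpfilesEntry]) -> List[str]:
    """Problems for a root-owned tree served by an unprivileged process: every
    directory must be world-readable and traversable (r-x for "other") and none
    may be world-writable, or the service itself could plant challenge files."""
    problems = []
    need = stat.S_IROTH | stat.S_IXOTH
    for e in entries:
        if (e.mode & need) != need:
            problems.append(f"{e.path}: mode {e.mode:04o} is not world-readable/traversable")
        if e.mode & stat.S_IWOTH:
            problems.append(f"{e.path}: mode {e.mode:04o} is world-writable")
    return problems


def webroot_for(entries: List[TmpfilesEntry]) -> Optional[str]:
    """The directory to pass to certbot's --webroot-path: the listed ancestor
    whose <webroot>/.well-known/acme-challenge is also listed."""
    paths = {e.path for e in entries}
    suffix = "/" + ACME_HTTP01_SUBPATH
    for p in sorted(paths):
        if p.endswith(suffix) and p[: -len(suffix)] in paths:
            return p[: -len(suffix)]
    return None


if __name__ == "__main__":
    parsed = parse_tmpfiles(SAMPLE_CONF)
    for e in parsed:
        print(f"{e.path} mode={e.mode:04o} owner={e.user}:{e.group}")
    print("webroot:", webroot_for(parsed))
    print("problems:", check_servable(parsed) or "none")
```

Run as a script it lists the three expanded paths, reports /var/cache/acme-challenge as the webroot to give certbot, and prints no problems; change a mode to 0777 or 0700 in the sample and check_servable names the offending directory.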
+# Security+DynamicUser=yes+ProtectHome=tmpfs+PrivateDevices=yes+ProtectHostname=yes+## No need to be able to bind to sockets+CapabilityBoundingSet=+RestrictNamespaces=
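Review bot: `RestrictNamespaces=` with an empty value, the last line of this hunk, is a no-op: systemd.exec(5) says assigning the empty string resets the option to its default, which is equivalent to `false`, so namespace creation stays allowed. Write `RestrictNamespaces=yes` to get the restriction the Security block is clearly after. The empty `CapabilityBoundingSet=` is fine, but its comment ("No need to be able to bind to sockets") should say why: port 80 is bound by tls-redirector.socket and handed over by socket activation, so the service never needs CAP_NET_BIND_SERVICE; without that sentence the next person who starts the service without its socket unit and sees the bind fail will add the capability back.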
diff --git a/systemd/tls-redirector.socket b/systemd/tls-redirector.socket
index ffc8c67..0c4d70c 100644
--- a/systemd/tls-redirector.socket+++ b/systemd/tls-redirector.socket
@@ -1,5 +1,5 @@
-Description=TLS Redirector Port 80 (socket)+Description=TLS Redirector SocketAfter=network.target
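Review bot: the new Description drops the only mention of the listening port ("TLS Redirector Port 80 (socket)" becomes "TLS Redirector Socket"). Since the service unit now relies on this socket unit to do the privileged bind, keeping the port in the Description, or in a comment inside the unit, keeps `systemctl status` and `systemctl list-sockets` self-explanatory; if the port was removed because it is now configurable, say so in the commit message.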
diff --git a/systemd/tls-redirector.tmpfiles.conf b/systemd/tls-redirector.tmpfiles.conf
new file mode 100644
--- /dev/null+++ b/systemd/tls-redirector.tmpfiles.conf
@@ -0,0 +1,4 @@
+#Type Path Mode User Group Age Argument+d %C/acme-challenge 0755 - - - -+d %C/acme-challenge/.well-known 0755 - - - -+d %C/acme-challenge/.well-known/acme-challenge 0755 - - - -
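Review bot: the file creates the tree but nothing in the patch records what it is for or which path to hand to certbot; the thread says that hint currently lives only in an AUR install message. Add a comment above the entries, e.g. `# HTTP-01 webroot for certbot: point --webroot-path at %C/acme-challenge (/var/cache/acme-challenge on a system instance)`. Also worth stating in that comment that the `-` user/group fields resolve to root when systemd-tmpfiles runs at boot and that 0755 therefore gives the DynamicUser service read-only access, which is the intended split (certbot as root writes the tokens, the redirector only serves them), so nobody later loosens the mode to let the service write there.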
Sorry for the delay in getting back to you.
This patch looks good - thank you for sending it. I'd like to merge
most of the changes like DynamicUser but I have a few questions about
how HTTP ACME challenges are done now.
December 22, 2020 7:07 PM, "somini" <email@example.com> wrote: