From 8e75a44502ec905cc0e439435f3284bca0f3d5cc Mon Sep 17 00:00:00 2001
From: Min RK
Date: Mon, 30 Jul 2018 15:26:09 +0200
Subject: [PATCH] grant traefik write access to state/acme.json and ensure the file exists and is private before launching

---
 tljh/systemd-units/traefik.service | 3 ++-
 tljh/traefik.py | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/tljh/systemd-units/traefik.service b/tljh/systemd-units/traefik.service
index 48dd9d7..01da967 100644
--- a/tljh/systemd-units/traefik.service
+++ b/tljh/systemd-units/traefik.service
@@ -7,13 +7,14 @@ After=network.target
 [Service]
 User=root
 Restart=always
-# process only needs to write acme.json file, no other files
+# process only needs to write state/acme.json file, no other files
 ProtectHome=tmpfs
 ProtectSystem=strict
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
+ReadWritePaths={install_prefix}/state/acme.json
 WorkingDirectory={install_prefix}/state
 ExecStart={install_prefix}/hub/bin/traefik \
     -c {install_prefix}/state/traefik.toml
diff --git a/tljh/traefik.py b/tljh/traefik.py
index 0c7c1db..cf10ecc 100644
--- a/tljh/traefik.py
+++ b/tljh/traefik.py
@@ -77,3 +77,8 @@ def ensure_traefik_config(state_dir):
     with open(os.path.join(state_dir, "traefik.toml"), "w") as f:
         os.fchmod(f.fileno(), 0o744)
         f.write(new_toml)
+
+    # ensure acme.json exists and is private
+    with open(os.path.join(state_dir, "acme.json"), "a") as f:
+        os.fchmod(f.fileno(), 0o600)
+
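Review bot: `ReadWritePaths={install_prefix}/state/acme.json` names a single file rather than a directory, and under `ProtectSystem=strict` systemd sets that up as a bind mount, so the path has to exist before the unit starts — the unit itself does not say so, and nothing here orders it after the Python side that creates the file. A file-scoped bind mount also means the rest of `{install_prefix}/state` stays read-only inside the service; if traefik ever replaces `acme.json` by writing a temporary file and renaming it, that write would fail, so this choice deserves a comment. Suggest extending the existing comment line to `# process only needs to write state/acme.json (must exist before start: it is bind-mounted read-write, the rest of state/ stays read-only)`.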
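Review bot: The added `open(..., "a")` followed by `os.fchmod(f.fileno(), 0o600)` creates `acme.json` with the process's default umask mode first and only then tightens it, so on a fresh install there is a window in which the file — which will hold the ACME account key and certificate private keys — is readable by other local users. The mode can be set at creation instead, keeping the fchmod to tighten a pre-existing file: `with open(os.path.join(state_dir, "acme.json"), "a", opener=lambda p, flags: os.open(p, flags, 0o600)) as f:` / `    os.fchmod(f.fileno(), 0o600)`. The comment could also say why the file is touched here at all, e.g. `# ensure acme.json exists and is private: the systemd unit bind-mounts this exact path read-write and traefik stores private keys in it`. The enclosing `ensure_traefik_config` starts before the hunk.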