| field | value | date |
|---|---|---|
| author | Silvan Mosberger <infinisil@icloud.com> | 2019-10-27 00:36:21 +0200 |
| committer | Silvan Mosberger <infinisil@icloud.com> | 2019-10-27 00:49:32 +0200 |
| commit | 5532065d0690645f0a813fed6e68163b0f4774d4 (patch) | |
| tree | 3be028a4ce689fafcfe5656c8ea4497f4159b32f /nixos/modules/security/acme.nix | |
| parent | 4c0afa17702c32f40c70482bd16e47b37b30214e (diff) | |
nixos/acme: Fix allowKeysForGroup not applying immediately
Previously setting `allowKeysForGroup = true; group = "foo"` would not apply the group permission change of the certificates until the service gets restarted. This commit fixes this by making systemd restart the service every time it changes. Note that applying this commit to a system with an already running acme systemd service doesn't fix this immediately and you still need to wait for the next refresh (or call `systemctl restart acme-<domain>`). Once everybody's service has restarted once this should be a problem of the past.
Diffstat (limited to 'nixos/modules/security/acme.nix')
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | nixos/modules/security/acme.nix | 6 |

1 files changed, 6 insertions, 0 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index e08c7e965eef..71ba03b88a38 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -210,6 +210,12 @@ in environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; serviceConfig = { Type = "oneshot"; + # With RemainAfterExit the service is considered active even + # after the main process having exited, which means when it + # gets changed, the activation phase restarts it, meaning + # the permissions of the StateDirectory get adjusted + # according to the specified group + RemainAfterExit = true; SuccessExitStatus = [ "0" "1" ]; User = data.user; Group = data.group; |
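Review bot: with `RemainAfterExit = true` this `Type = "oneshot"` unit stays in the "active (exited)" state after its first run, and systemd.timer(5) states that a unit which is already active when its timer elapses is left as it is rather than restarted; if the refresh the commit message refers to is driven by a systemd timer starting `acme-<domain>`, that timer will no longer re-run the service and renewals would silently stop, so the trigger path should be checked before merging (for example by having the timer restart the unit instead of starting it). Minor: the added comment reads better as "after the main process has exited".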