author | makefu <github@syntax-fehler.de> | 2017-09-06 14:42:41 +0200 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2017-09-06 15:27:05 +0200 |
commit | ca54a8616274b0149ce5c77808370f9114229adb (patch) | |
tree | 79e188d5e2092d306cc25e20896b0896f4a603b2 /nixos/modules/services | |
parent | 67651d80bc8baaf09ab91fec8ea423e09107ed8f (diff) | |
dnscrypt-wrapper module: fix permissions and options
When keys get refreshed, a folder with the permissions of the root user gets created in the home directory of the user dnscrypt-wrapper. This prevents the service from restarting. In addition, the parameters of dnscrypt-wrapper have changed upstream and in the newly packaged software.
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-wrapper.nix | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix
index 85fac660d52e..23cc92946e41 100644
--- a/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -45,7 +45,7 @@ let
 rotateKeys = ''
 # check if keys are not expired
 keyValid() {
- fingerprint=$(dnscrypt-wrapper --show-provider-publickey-fingerprint | awk '{print $(NF)}')
+ fingerprint=$(dnscrypt-wrapper --show-provider-publickey | awk '{print $(NF)}')
 dnscrypt-proxy --test=${toString (cfg.keys.checkInterval + 1)} \
 --resolver-address=127.0.0.1:${toString cfg.port} \
 --provider-name=${cfg.providerName} \
@@ -56,9 +56,10 @@ let
 # archive old keys and restart the service
 if ! keyValid; then
+ echo "certificate soon to become invalid; backing up old cert"
 mkdir -p oldkeys
- mv ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
- mv ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
+ mv -v ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
+ mv -v ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
 systemctl restart dnscrypt-wrapper
 fi
 '';
@@ -169,6 +170,7 @@ in {
 path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy gawk ];
 script = rotateKeys;
+ serviceConfig.User = "dnscrypt-wrapper";
 }; |
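Review bot: The new `fingerprint=$(dnscrypt-wrapper --show-provider-publickey | awk '{print $(NF)}')` line in `keyValid` is used without checking that it produced exactly one value. awk prints the last field of every output line, and a failing `dnscrypt-wrapper` call yields an empty string; either way the following `dnscrypt-proxy --test` would presumably fail for a reason unrelated to expiry, and `if ! keyValid` in the next hunk then rotates the keys. Consider adding `[ -n "$fingerprint" ] || { echo "cannot read provider public key" >&2; exit 1; }` after the assignment, and confirm that the new option prints a single line. The body of `keyValid` continues outside the hunk.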
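Review bot: `mkdir -p oldkeys` creates the archive for retired provider secret keys with whatever the default umask allows, although the `.key` files moved into it are private key material; create it owner-only with `mkdir -p -m 0700 oldkeys`. The two `mv -v` lines also interpolate `${cfg.providerName}` unquoted and evaluate `$(date +%F-%T)` twice, so a name containing whitespace or shell metacharacters breaks the command and the key and certificate can be archived under different timestamps. Computing `ts=$(date +%F-%T)` once and writing `mv -v "${cfg.providerName}.key" "oldkeys/${cfg.providerName}-$ts.key"` (likewise for `.crt`) avoids both.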
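Review bot: With `serviceConfig.User = "dnscrypt-wrapper"` the rotate script no longer runs as root, yet it still ends with `systemctl restart dnscrypt-wrapper` (second hunk), which an unprivileged user is normally not authorized to do. Unless authorization is granted elsewhere in the module, the keys are moved into `oldkeys`, the restart is refused, and the running service stays on the expiring certificate. Rather than running rotation as root again, add a narrowly scoped polkit rule that lets only this user manage only this unit, as sketched below. The attribute set containing this line starts outside the hunk.

```nix
# … unchanged: systemd.services.dnscrypt-wrapper-rotate (path, script, serviceConfig.User) …

# allow only the dnscrypt-wrapper user to manage only dnscrypt-wrapper.service
security.polkit.extraConfig = ''
  polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "dnscrypt-wrapper.service" &&
        subject.user == "dnscrypt-wrapper") {
      return polkit.Result.YES;
    }
  });
'';
```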