nixos/acme: allowKeysForGroup has no effect after cert is already created #48845

Closed
arianvp opened this issue Oct 22, 2018 · 6 comments · Fixed by #72056

Comments

@arianvp
Member

arianvp commented Oct 22, 2018

Issue description

  1. Changing group or user will not do anything till the next round of refresh
  2. Even after refresh, changes to allowKeysForGroup do not actually propagate. The permissions of the key are not changed, only those of the surrounding directory.

Steps to reproduce

  1. Create a cert with
    security.acme.certs.<name>.group = "hello";
  2. Now change to: security.acme.certs.<name>.group = "world";
  3. Afterwards add security.acme.certs.<name>.allowKeysForGroup = true;
  4. Observe that the owner is still hello and that there are no group read permissions yet
  5. Even after manually refreshing by calling the timer manually, the group did change, but the permission bits still do not allow read access to group even if allowKeysForGroup is set

Technical details

Please run nix-shell -p nix-info --run "nix-info -m" and paste the
results.

@arianvp arianvp changed the title nixos/acme: permissions do not change until refresh nixos/acme: allowKeysForGroup has no effect after cert is already created Oct 22, 2018
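
An added example, not part of the issue or of the nixpkgs module: a check for the drift described in the steps above, where the certificate directory reflects the new settings but the key file does not. The file name `key.pem`, the function names and the temporary sample directory are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_cert_dir(cert_dir, expected_gid, allow_group_read, key_name="key.pem"):
    """Compare on-disk group and mode bits with the declared settings.

    Returns (target, problem) tuples; an empty list means no drift.
    key_name is an assumed file name, not taken from the issue.
    """
    targets = (
        ("directory", cert_dir, stat.S_IRGRP | stat.S_IXGRP),  # list + traverse
        ("key", os.path.join(cert_dir, key_name), stat.S_IRGRP),
    )
    findings = []
    for label, path, needed in targets:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_gid != expected_gid:
            findings.append((label, "wrong-group"))
        if allow_group_read and (mode & needed) != needed:
            findings.append((label, "group-read-missing"))
        if not allow_group_read and mode & stat.S_IRWXG:
            findings.append((label, "group-access-unexpected"))
        if mode & stat.S_IRWXO:
            # A private key and its directory should never be open to "other".
            findings.append((label, "world-accessible"))
    return findings


def make_sample(dir_mode, key_mode):
    """Constructed sample: a temp directory holding an empty key.pem."""
    cert_dir = tempfile.mkdtemp(prefix="acme-sample-")
    key = os.path.join(cert_dir, "key.pem")
    open(key, "w").close()
    os.chmod(key, key_mode)
    os.chmod(cert_dir, dir_mode)
    return cert_dir


if __name__ == "__main__":
    # State from step 5: directory updated, key still owner-only.
    sample = make_sample(0o750, 0o600)
    gid = os.stat(sample).st_gid
    print(audit_cert_dir(sample, gid, allow_group_read=True))
```
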
@infinisil
Member

Hey I made a PR that fixes this, would love to have somebody else make sure it fixes this problem: #72056

@arianvp
Member Author

arianvp commented Apr 16, 2020

Let's re-open this issue.

@infinisil infinisil reopened this Apr 16, 2020
@stale

stale bot commented Oct 13, 2020

Hello, I'm a bot and I thank you in the name of the community for opening this issue.

To help our human contributors focus on the most-relevant reports, I check up on old issues to see if they're still relevant. This issue has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

The community would appreciate your effort in checking if the issue is still valid. If it isn't, please close it.

If the issue persists, and you'd like to remove the stale label, you simply need to leave a comment. Your comment can be as simple as "still important to me". If you'd like it to get more attention, you can ask for help by searching for maintainers and people that previously touched related code and @ mention them in a comment. You can use Git blame or GitHub's web interface on the relevant files to find them.

Lastly, you can always ask for help at our Discourse Forum or at #nixos' IRC channel.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 13, 2020
@arianvp
Member Author

arianvp commented Oct 13, 2020

Wasn't this fixed by the recent bugfix round, @m1cr0man?

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 13, 2020
@m1cr0man
Contributor

Yeah, that option has been removed in fact :P

@m1cr0man
Contributor

m1cr0man commented May 4, 2021

This option is now gone in favour of always making the certificates group readable and owned by the acme user, and letting users change only the group that will be applied to them. Closing this issue.

@m1cr0man m1cr0man closed this as completed May 4, 2021