From d6ca9720ed230b06c7f8c47962237054808310c3 Mon Sep 17 00:00:00 2001
From: ab77 <anton@balena.io>
Date: Fri, 15 Apr 2022 10:38:12 -0700
Subject: [PATCH] Refresh PKI assets from config endpoint

* Fixes #2569
* ensure OpenVPN client always starts with the latest CA certificate
  from API config endpoint as this certificate may have changed and
  we don't want VPN to be down for ~24 hours until os-config is triggered
  by systemd timer

Change-type: minor
---
 .../recipes-connectivity/openvpn/files/openvpn.service           | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-balena-common/recipes-connectivity/openvpn/files/openvpn.service b/meta-balena-common/recipes-connectivity/openvpn/files/openvpn.service
index 9adbd18151..59cb7aaf08 100644
--- a/meta-balena-common/recipes-connectivity/openvpn/files/openvpn.service
+++ b/meta-balena-common/recipes-connectivity/openvpn/files/openvpn.service
@@ -11,6 +11,7 @@ RestartSec=10s
 #Adjust OOMscore to -1000 to disable OOM killing for openvpn
 OOMScoreAdjust=-1000
 PIDFile=/run/openvpn/openvpn.pid
+ExecStartPre=-/bin/systemctl restart os-config
 ExecStart=/usr/sbin/openvpn --writepid /run/openvpn/openvpn.pid --cd /etc/openvpn/ --config /etc/openvpn/openvpn.conf --connect-retry 5 120
 
 [Install]