Commit
nixos/acme: Fix allowKeysForGroup not applying immediately
Previously setting `allowKeysForGroup = true; group = "foo"` would not
apply the group permission change of the certificates until the service
gets restarted. This commit fixes this by making systemd restart the
service every time it changes.

Note that applying this commit to a system with an already running acme
systemd service doesn't fix this immediately and you still need to wait
for the next refresh (or call `systemctl restart acme-<domain>`). Once
everybody's service has restarted once this should be a problem of the
past.
infinisil committed Oct 26, 2019
1 parent 4c0afa1 commit 5532065
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions nixos/modules/security/acme.nix
Expand Up @@ -210,6 +210,12 @@ in
environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
serviceConfig = {
Type = "oneshot";
# With RemainAfterExit the service is considered active even
# after the main process having exited, which means when it
# gets changed, the activation phase restarts it, meaning
# the permissions of the StateDirectory get adjusted
# according to the specified group
RemainAfterExit = true;
SuccessExitStatus = [ "0" "1" ];
User = data.user;
Group = data.group;
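Review bot: the added `RemainAfterExit = true` (together with the existing `Type = "oneshot"`) needs a check that the renewal timer still re-runs this service: once a oneshot unit with RemainAfterExit is in the active (exited) state, a start job for it (which is what a timer issues) is treated as already satisfied and `ExecStart` does not run again; only a restart re-executes it. The commit message itself relies on "the next refresh" happening, so either confirm the timer path still renews certificates while the unit is active, or pair the change with something that makes the timer use a restart rather than a start. Minor: the comment grammar "after the main process having exited" should read "after the main process has exited", and "which means when it gets changed" would be clearer as "which means that when the unit definition changes".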
