From c51c677140897f41f4b920ce1141843cdb864ac2 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Wed, 15 Apr 2020 23:10:31 +0200 Subject: [PATCH] Revert "nixos/acme: Fix allowKeysForGroup not applying immediately" This reverts commit 5532065d0690645f0a813fed6e68163b0f4774d4. As far as I can tell setting RemainAfterExit=true here completely breaks certificate renewal, which is really bad! the sytemd timer will activate the service unit every OnCalendar=, however with RemainAfterExit=true the service is already active! So the timer doesn't rerun the service! The commit also broke the actual tests, (As it broke activation too) but this was fixed later in https://github.com/NixOS/nixpkgs/pull/76052 I wrongly assumed that PR fixed renewal too, which it didn't! testing renewals is hard, as we need to sleep in tests. --- nixos/modules/security/acme.nix | 6 ------ 1 file changed, 6 deletions(-) diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 782a4f96782b9..859e7944166e9 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -297,12 +297,6 @@ in wantedBy = mkIf (!config.boot.isContainer) [ "multi-user.target" ]; serviceConfig = { Type = "oneshot"; - # With RemainAfterExit the service is considered active even - # after the main process having exited, which means when it - # gets changed, the activation phase restarts it, meaning - # the permissions of the StateDirectory get adjusted - # according to the specified group - RemainAfterExit = true; User = data.user; Group = data.group; PrivateTmp = true;