dkim: transition to PermissionsStartOnly=false

That's how nixpkgs-unstable is now, so to be compatible with both we
have to force that setting. Use systemd tmpfiles to provision the
directory with the correct owner.
Joey Hewitt 2019-07-06 06:55:52 -06:00
parent 93660eabcd
commit 7e718e0e33


@ -40,16 +40,6 @@ let
fi fi
''; '';
createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert cfg.domains); createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert cfg.domains);
create_dkim_cert =
''
# Create dkim dir
mkdir -p "${cfg.dkimKeyDirectory}"
chown ${dkimUser}:${dkimGroup} "${cfg.dkimKeyDirectory}"
${createAllCerts}
chown -R ${dkimUser}:${dkimGroup} "${cfg.dkimKeyDirectory}"
'';
keyTable = pkgs.writeText "opendkim-KeyTable" keyTable = pkgs.writeText "opendkim-KeyTable"
(lib.concatStringsSep "\n" (lib.flip map cfg.domains (lib.concatStringsSep "\n" (lib.flip map cfg.domains
@ -80,11 +70,17 @@ in
}; };
users.users = optionalAttrs (config.services.postfix.user == "postfix") { users.users = optionalAttrs (config.services.postfix.user == "postfix") {
postfix.extraGroups = [ "${config.services.opendkim.group}" ]; postfix.extraGroups = [ "${dkimGroup}" ];
}; };
systemd.services.opendkim = { systemd.services.opendkim = {
preStart = create_dkim_cert; preStart = lib.mkForce createAllCerts;
serviceConfig.ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}"; serviceConfig = {
ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
PermissionsStartOnly = lib.mkForce false;
}; };
}; };
systemd.tmpfiles.rules = [
"d '${cfg.dkimKeyDirectory}' - ${dkimUser} ${dkimGroup} - -"
];
};
} }
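Review bot: The tmpfiles rule added at the end of this section leaves the mode field as `-`, so the directory holding the DKIM private keys gets the tmpfiles default for `d` (0755) and is listable by every local user. Because `preStart` now runs as the service user instead of root, the key files' own modes depend entirely on what `createDomainDkimCert` does, and that is defined outside this hunk. I would set an explicit mode, for example `"d '${cfg.dkimKeyDirectory}' 0750 ${dkimUser} ${dkimGroup} - -"`. Also, `d` only adjusts the directory itself, whereas the removed `chown -R` corrected ownership of existing key files on every start; if upgraded hosts may hold keys with a different owner, a `Z` line for the same path would keep that behaviour.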