dkim: transition to PermissionsStartOnly=false
That's how nixpkgs-unstable is now, so to be compatible with both we have to force that setting. Use systemd tmpfiles to provision directory with correct owner.
parent
93660eabcd
commit
7e718e0e33
1 changed files with 10 additions and 14 deletions
|
@ -40,16 +40,6 @@ let
|
||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert cfg.domains);
|
createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert cfg.domains);
|
||||||
create_dkim_cert =
|
|
||||||
''
|
|
||||||
# Create dkim dir
|
|
||||||
mkdir -p "${cfg.dkimKeyDirectory}"
|
|
||||||
chown ${dkimUser}:${dkimGroup} "${cfg.dkimKeyDirectory}"
|
|
||||||
|
|
||||||
${createAllCerts}
|
|
||||||
|
|
||||||
chown -R ${dkimUser}:${dkimGroup} "${cfg.dkimKeyDirectory}"
|
|
||||||
'';
|
|
||||||
|
|
||||||
keyTable = pkgs.writeText "opendkim-KeyTable"
|
keyTable = pkgs.writeText "opendkim-KeyTable"
|
||||||
(lib.concatStringsSep "\n" (lib.flip map cfg.domains
|
(lib.concatStringsSep "\n" (lib.flip map cfg.domains
|
||||||
|
@ -80,11 +70,17 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users = optionalAttrs (config.services.postfix.user == "postfix") {
|
users.users = optionalAttrs (config.services.postfix.user == "postfix") {
|
||||||
postfix.extraGroups = [ "${config.services.opendkim.group}" ];
|
postfix.extraGroups = [ "${dkimGroup}" ];
|
||||||
};
|
};
|
||||||
systemd.services.opendkim = {
|
systemd.services.opendkim = {
|
||||||
preStart = create_dkim_cert;
|
preStart = lib.mkForce createAllCerts;
|
||||||
serviceConfig.ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
|
serviceConfig = {
|
||||||
|
ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
|
||||||
|
PermissionsStartOnly = lib.mkForce false;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d '${cfg.dkimKeyDirectory}' - ${dkimUser} ${dkimGroup} - -"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
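Review bot: The new `systemd.tmpfiles.rules` entry leaves the mode field as `-`, so systemd-tmpfiles creates the DKIM key directory with its default directory mode of 0755, which lets any local user traverse and list it. Since this directory holds the signing keys, the rule should pin a restrictive mode, for example `"d '${cfg.dkimKeyDirectory}' 0750 ${dkimUser} ${dkimGroup} - -"`. With `PermissionsStartOnly = lib.mkForce false` the `preStart` script presumably now runs as the service user and no longer does the recursive `chown`, so the permissions of the key files depend entirely on what `createDomainDkimCert` writes. That function is defined outside the visible hunks, so it is worth confirming that it creates the private keys owner-readable only.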