author | Joey Hewitt <joey@joeyhewitt.com> | 2019-07-06 06:55:52 -0600 |
committer | Joey Hewitt <joey@joeyhewitt.com> | 2019-07-07 21:47:09 -0600 |
commit | 7e718e0e33cc3a9ae38f88a66d51c36ef44e51cb (patch) | |
tree | 7dcc6ff2f8f919836a7a216ff972c17eb9861bf2 | |
parent | 93660eabcdd6ff2ccc8cb2fecb3ed9098ee3de82 (diff) |
dkim: transition to PermissionsStartOnly=false
That's how nixpkgs-unstable is now, so to be compatible with both we
have to force that setting. Use systemd tmpfiles to provision the
directory with the correct owner.
-rw-r--r-- | mail-server/opendkim.nix | 24 |
1 files changed, 10 insertions, 14 deletions
diff --git a/mail-server/opendkim.nix b/mail-server/opendkim.nix
index d060323..33e2e06 100644
--- a/mail-server/opendkim.nix
+++ b/mail-server/opendkim.nix
@@ -40,16 +40,6 @@ let
 fi
 '';
 createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert cfg.domains);
- create_dkim_cert =
- ''
- # Create dkim dir
- mkdir -p "${cfg.dkimKeyDirectory}"
- chown ${dkimUser}:${dkimGroup} "${cfg.dkimKeyDirectory}"
-
- ${createAllCerts}
-
- chown -R ${dkimUser}:${dkimGroup} "${cfg.dkimKeyDirectory}"
- '';
 keyTable = pkgs.writeText "opendkim-KeyTable" (lib.concatStringsSep "\n" (lib.flip map cfg.domains
@@ -80,11 +70,17 @@ in
 };
 users.users = optionalAttrs (config.services.postfix.user == "postfix") {
- postfix.extraGroups = [ "${config.services.opendkim.group}" ];
+ postfix.extraGroups = [ "${dkimGroup}" ];
 };
 systemd.services.opendkim = {
- preStart = create_dkim_cert;
- serviceConfig.ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
+ preStart = lib.mkForce createAllCerts;
+ serviceConfig = {
+ ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
+ PermissionsStartOnly = lib.mkForce false;
+ };
 };
+ systemd.tmpfiles.rules = [
+ "d '${cfg.dkimKeyDirectory}' - ${dkimUser} ${dkimGroup} - -"
+ ];
 };
-}
\ No newline at end of file
+} |
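Review bot: The new `systemd.tmpfiles.rules` entry stands in for the removed `chown -R` over `${cfg.dkimKeyDirectory}`, but a `d` rule only sets the owner of the directory itself, so key files that an earlier deployment generated under `PermissionsStartOnly=true` (presumably as root) keep their old ownership while `preStart` and, by the look of the module, the daemon now run as `${dkimUser}`; on upgrade those existing keys may be unreadable or un-rewritable. A one-shot recursive rule such as `"Z '${cfg.dkimKeyDirectory}' - ${dkimUser} ${dkimGroup} - -"` alongside the `d` line would cover that migration, assuming createDomainDkimCert skips domains whose key already exists (its body is outside this hunk). The `-` mode field also leaves the key directory at tmpfiles' default mode rather than a restrictive one; whether that matters depends on the permissions the key files themselves receive, which this hunk does not show. The enclosing module attribute set opens before the hunk.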