nixos/acme: Make sure nginx is running before certs are requested

This fixes https://github.com/NixOS/nixpkgs/issues/81842 We should probably also fix this for Apache, which recently also learned to use ACME.
2020-04-14 14:55:05 +02:00 · 2020-04-14 14:55:05 +02:00 · 681cc105ce
commit 681cc105ce
parent 60247e8560
2 changed files with 4 additions and 6 deletions
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -693,6 +693,10 @@ in
      wantedBy = [ "multi-user.target" ];
      wants = concatLists (map (vhostConfig: ["acme-${vhostConfig.serverName}.service" "acme-selfsigned-${vhostConfig.serverName}.service"]) acmeEnabledVhosts);
      after = [ "network.target" ] ++ map (vhostConfig: "acme-selfsigned-${vhostConfig.serverName}.service") acmeEnabledVhosts;
+      # Nginx needs to be started in order to be able to request certificates
+      # (it's hosting the acme challenge after all)
+      # This fixes https://github.com/NixOS/nixpkgs/issues/81842
+      before = map (vhostConfig: "acme-${vhostConfig.serverName}.service") acmeEnabledVhosts;
      stopIfChanged = false;
      preStart = ''
        ${cfg.preStart}
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@ -71,9 +71,6 @@ in import ./make-test-python.nix ({ lib, ... }: {
        after = [ "acme-a.example.test.service" ];
        wantedBy = [ "acme-a.example.test.service" ];
      };
-      systemd.services."acme-a.example.test" = {
-        after = [ "nginx.service" ];
-      };

      services.nginx.enable = true;

@ -93,9 +90,6 @@ in import ./make-test-python.nix ({ lib, ... }: {
          after = [ "acme-b.example.test.service" ];
          wantedBy = [ "acme-b.example.test.service" ];
        };
-        systemd.services."acme-b.example.test" = {
-          after = [ "nginx.service" ];
-        };
        services.nginx.virtualHosts."b.example.test" = {
          enableACME = true;
          forceSSL = true;