From 7e718e0e33cc3a9ae38f88a66d51c36ef44e51cb Mon Sep 17 00:00:00 2001
From: Joey Hewitt
Date: Sat, 6 Jul 2019 06:55:52 -0600
Subject: [PATCH] dkim: transition to PermissionsStartOnly=false

That's how nixpkgs-unstable is now, so to be compatible with both we have to force that setting. Use systemd tmpfiles to provision directory with correct owner.
---
 mail-server/opendkim.nix | 24 ++++++++++-------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/mail-server/opendkim.nix b/mail-server/opendkim.nix
index d060323..33e2e06 100644
--- a/mail-server/opendkim.nix
+++ b/mail-server/opendkim.nix
@@ -40,16 +40,6 @@ let
 fi
 '';
 createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert cfg.domains);
- create_dkim_cert =
- ''
- # Create dkim dir
- mkdir -p "${cfg.dkimKeyDirectory}"
- chown ${dkimUser}:${dkimGroup} "${cfg.dkimKeyDirectory}"
-
- ${createAllCerts}
-
- chown -R ${dkimUser}:${dkimGroup} "${cfg.dkimKeyDirectory}"
- '';
 keyTable = pkgs.writeText "opendkim-KeyTable"
 (lib.concatStringsSep "\n" (lib.flip map cfg.domains
@@ -80,11 +70,17 @@ in
 };
 users.users = optionalAttrs (config.services.postfix.user == "postfix") {
- postfix.extraGroups = [ "${config.services.opendkim.group}" ];
+ postfix.extraGroups = [ "${dkimGroup}" ];
 };
 systemd.services.opendkim = {
- preStart = create_dkim_cert;
- serviceConfig.ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
+ preStart = lib.mkForce createAllCerts;
+ serviceConfig = {
+ ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
+ PermissionsStartOnly = lib.mkForce false;
+ };
 };
+ systemd.tmpfiles.rules = [
+ "d '${cfg.dkimKeyDirectory}' - ${dkimUser} ${dkimGroup} - -"
+ ];
 };
-}
\ No newline at end of file
+}
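Review bot: The tmpfiles rule added at the end of the second hunk leaves the mode field as `-`, so the directory holding the DKIM private signing keys is created with the tmpfiles default of 0755 and is traversable by every local user; an explicit restrictive mode is preferable, e.g. `"d '${cfg.dkimKeyDirectory}' 0750 ${dkimUser} ${dkimGroup} - -"` (postfix is already in `${dkimGroup}` per the line above, so group access is preserved). Whether the key files themselves end up readable only by `${dkimUser}` depends on `createDomainDkimCert`, which lies outside this hunk; with `PermissionsStartOnly = false` the preStart now runs as the service user, so the umask and any chmod in that script decide the file modes and are worth checking there, since the removed `chown -R` no longer runs. The `lib.mkForce` on `preStart` also discards whatever preStart the nixpkgs opendkim module defines, which looks intended but is undocumented; a one-line comment such as `# mkForce: replace the nixpkgs module's own preStart, which expects PermissionsStartOnly=true` would record the reason (hedged, as that module's preStart is not visible here).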