nixos/acme: Make sure nginx is running before certs are requested

This fixes NixOS#81842 We should probably also fix this for Apache, which recently also learned to use ACME.
arianvp · Jun 15, 2020 · 681cc10 · 681cc10
1 parent 60247e8
commit 681cc10
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 6 deletions.
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
@@ -693,6 +693,10 @@ in
       wantedBy = [ "multi-user.target" ];
       wants = concatLists (map (vhostConfig: ["acme-${vhostConfig.serverName}.service" "acme-selfsigned-${vhostConfig.serverName}.service"]) acmeEnabledVhosts);
       after = [ "network.target" ] ++ map (vhostConfig: "acme-selfsigned-${vhostConfig.serverName}.service") acmeEnabledVhosts;
+      # Nginx needs to be started in order to be able to request certificates
+      # (it's hosting the acme challenge after all)
+      # This fixes https://github.com/NixOS/nixpkgs/issues/81842
+      before = map (vhostConfig: "acme-${vhostConfig.serverName}.service") acmeEnabledVhosts;
       stopIfChanged = false;
       preStart = ''
         ${cfg.preStart}

diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
@@ -71,9 +71,6 @@ in import ./make-test-python.nix ({ lib, ... }: {
         after = [ "acme-a.example.test.service" ];
         wantedBy = [ "acme-a.example.test.service" ];
       };
-      systemd.services."acme-a.example.test" = {
-        after = [ "nginx.service" ];
-      };
 
       services.nginx.enable = true;
 
@@ -93,9 +90,6 @@ in import ./make-test-python.nix ({ lib, ... }: {
           after = [ "acme-b.example.test.service" ];
           wantedBy = [ "acme-b.example.test.service" ];
         };
-        systemd.services."acme-b.example.test" = {
-          after = [ "nginx.service" ];
-        };
         services.nginx.virtualHosts."b.example.test" = {
           enableACME = true;
           forceSSL = true;