nixos/acme: Make sure nginx is running before certs are requested

This fixes NixOS#81842 We should probably also fix this for Apache, which recently also learned to use ACME.
arianvp · Apr 14, 2020 · ead51ce · ead51ce
1 parent 3cc8cff
commit ead51ce
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 6 deletions.
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
@@ -691,6 +691,10 @@ in
       wantedBy = [ "multi-user.target" ];
       wants = concatLists (map (vhostConfig: ["acme-${vhostConfig.serverName}.service" "acme-selfsigned-${vhostConfig.serverName}.service"]) acmeEnabledVhosts);
       after = [ "network.target" ] ++ map (vhostConfig: "acme-selfsigned-${vhostConfig.serverName}.service") acmeEnabledVhosts;
+      # Nginx needs to be started in order to be able to request certificates
+      # (it's hosting the acme challenge after all)
+      # This fixes https://github.com/NixOS/nixpkgs/issues/81842
+      before = map (vhostConfig: "acme-${vhostConfig.serverName}.service") acmeEnabledVhosts;
       stopIfChanged = false;
       preStart = ''
         ${cfg.preStart}

diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
@@ -74,9 +74,6 @@ in import ./make-test-python.nix {
         after = [ "acme-a.example.com.service" ];
         wantedBy = [ "acme-a.example.com.service" ];
       };
-      systemd.services."acme-a.example.com" = {
-        after = [ "nginx.service" ];
-      };
 
       services.nginx.enable = true;
 
@@ -96,9 +93,6 @@ in import ./make-test-python.nix {
           after = [ "acme-b.example.com.service" ];
           wantedBy = [ "acme-b.example.com.service" ];
         };
-        systemd.services."acme-b.example.com" = {
-          after = [ "nginx.service" ];
-        };
         services.nginx.virtualHosts."b.example.com" = {
           enableACME = true;
           forceSSL = true;