nixos/treewide: drop dependencies to keys.target
The `keys.target` is used to indicate whether all NixOps keys were successfully uploaded on an unattended reboot. However this can cause startup issues e.g. with NixOS containers (see #67265) and can block boots even though this might not be needed (e.g. with a dovecot2 instance running that doesn't need any of the NixOps keys). As described in the NixOps manual[1], dependencies to keys should be defined like this now: ``` nix { systemd.services.myservice = { after = [ "secret-key.service" ]; wants = [ "secret-key.service" ]; }; } ``` However I'd leave the issue open until it's discussed whether or not to keep `keys.target` in `nixpkgs`. [1] https://nixos.org/nixops/manual/#idm140737322342384
This commit is contained in:
parent
c09bc3e7e2
commit
56a7bc05e1
7 changed files with 26 additions and 13 deletions
|
@ -291,6 +291,26 @@
|
|||
configuration while being better type-checked and mergeable.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
No service depends on <literal>keys.target</literal> anymore which is a systemd
|
||||
target that indicates if all <link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps keys</link> were successfully uploaded.
|
||||
Instead, <literal><key-name>-key.service</literal> should be used to define
|
||||
a dependency of a key in a service. The full issue behind the <literal>keys.target</literal>
|
||||
dependency is described at <link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>.
|
||||
</para>
|
||||
<para>
|
||||
The following services are affected by this:
|
||||
<itemizedlist>
|
||||
<listitem><para><link linkend="opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link></para></listitem>
|
||||
<listitem><para><link linkend="opt-services.nsd.enable"><literal>services.nsd</literal></link></para></listitem>
|
||||
<listitem><para><link linkend="opt-services.softether.enable"><literal>services.softether</literal></link></para></listitem>
|
||||
<listitem><para><link linkend="opt-services.strongswan.enable"><literal>services.strongswan</literal></link></para></listitem>
|
||||
<listitem><para><link linkend="opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link></para></listitem>
|
||||
<listitem><para><link linkend="opt-services.httpd.enable"><literal>services.httpd</literal></link></para></listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
|
|
|
@ -344,8 +344,7 @@ in
|
|||
systemd.services.dovecot2 = {
|
||||
description = "Dovecot IMAP/POP3 server";
|
||||
|
||||
after = [ "keys.target" "network.target" ];
|
||||
wants = [ "keys.target" ];
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
restartTriggers = [ cfg.configFile ];
|
||||
|
||||
|
|
|
@ -916,9 +916,8 @@ in
|
|||
systemd.services.nsd = {
|
||||
description = "NSD authoritative only domain name service";
|
||||
|
||||
after = [ "keys.target" "network.target" ];
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
wants = [ "keys.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf";
|
||||
|
|
|
@ -70,8 +70,6 @@ in
|
|||
|
||||
systemd.services."softether-init" = {
|
||||
description = "SoftEther VPN services initial task";
|
||||
after = [ "keys.target" ];
|
||||
wants = [ "keys.target" ];
|
||||
wantedBy = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
|
|
|
@ -62,9 +62,8 @@ in {
|
|||
systemd.services.strongswan-swanctl = {
|
||||
description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network-online.target" "keys.target" ];
|
||||
wants = [ "keys.target" ];
|
||||
path = with pkgs; [ kmod iproute iptables utillinux ];
|
||||
after = [ "network-online.target" ];
|
||||
path = with pkgs; [ kmod iproute iptables utillinux ];
|
||||
environment = {
|
||||
STRONGSWAN_CONF = pkgs.writeTextFile {
|
||||
name = "strongswan.conf";
|
||||
|
|
|
@ -151,8 +151,7 @@ in
|
|||
description = "strongSwan IPSec Service";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux
|
||||
wants = [ "keys.target" ];
|
||||
after = [ "network-online.target" "keys.target" ];
|
||||
after = [ "network-online.target" ];
|
||||
environment = {
|
||||
STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
|
||||
};
|
||||
|
|
|
@ -670,8 +670,7 @@ in
|
|||
{ description = "Apache HTTPD";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
wants = [ "keys.target" ];
|
||||
after = [ "network.target" "fs.target" "keys.target" ];
|
||||
after = [ "network.target" "fs.target" ];
|
||||
|
||||
path =
|
||||
[ httpd pkgs.coreutils pkgs.gnugrep ]
|
||||
|
|
Loading…
Reference in a new issue