From bb80d107d5e3f7cf34b135d1eb0f35181031a24d Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 25 Feb 2023 17:54:47 +0100 Subject: [PATCH] mailman: trigger postfix reload when caddy renews TLS Let's Encrypt certificates --- hosts/flora-6/mailman.nix | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/hosts/flora-6/mailman.nix b/hosts/flora-6/mailman.nix index 2ac2dbc7..97f1173d 100644 --- a/hosts/flora-6/mailman.nix +++ b/hosts/flora-6/mailman.nix @@ -29,6 +29,31 @@ in { hostname = "list.pub.solar"; }; + systemd.paths.watcher-caddy-ssl-file = { + description = "Watches for changes in caddy's TLS cert file (after renewals) to reload postfix"; + documentation = "systemd.path(5)"; + partOf = ["postfix-reload.service"]; + pathConfig = { + PathChanged = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/list.pub.solar/list.pub.solar.crt"; + Unit = "postfix-reload.service"; + }; + wantedBy = ["multi-user.target"]; + }; + + systemd.services."postfix-reload" = { + description = "Reloads postfix config, e.g. after TLS certs change, notified by watcher-caddy-ssl-file.path"; + documentation = "systemd.path(5)"; + requires = ["postfix.service"]; + after = ["postfix.service"]; + startLimitIntervalSec = 10; + startLimitBurst = 5; + serviceConfig.Type = "oneshot"; + script = '' + ${pkgs.systemd}/bin/systemctl reload postfix + ''; + wantedBy = ["multi-user.target"]; + }; + services.mailman = { enable = true; # We use caddy instead of nginx