nixos/security.acme: Only chmod/chown certificate files when changed. #95498
Conversation
|
Reflecting on these changes, it might be nice to have a way to disable this behavior entirely to not trigger postRun and file watchers unnecessarily. Alternatively, chowning/chmoding more freely could be a feature of this module. I don't see why a user that uses the cert needs to be the one that generates the cert. |
|
I'm now of the opinion that this is a bad way to fix this since it leads to a lot of unnecessary file changes. A better PR is incoming. |
|
I've incorporated some reliable chown/chmodding into #91121, which means that permissions will always be what they should be when the postRun runs, and when KEY_CHANGED is true. I would appreciate a review/test on that PR to see if it fits your use case too. |
|
Ah, yes. This is along the lines of what I came to the conclusion is actually needed. I'll have a look at it. Thanks! |
Motivation for this change
chmod and chowns currently don't set KEY_CHANGED, this breaks setups like mine that rely on chowns in postRun. I made it so that chmod/chown now properly report Changes and therefore trigger a postRun hook call.
Ping @mweinelt since you made the last major logic change here.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)