From 56a7bc05e1265a2ef964f25a5df2de2f1f776df2 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sat, 24 Aug 2019 16:52:17 +0200 Subject: [PATCH] nixos/treewide: drop dependencies to `keys.target` The `keys.target` is used to indicate whether all NixOps keys were successfully uploaded on an unattended reboot. However this can cause startup issues e.g. with NixOS containers (see #67265) and can block boots even though this might not be needed (e.g. with a dovecot2 instance running that doesn't need any of the NixOps keys). As described in the NixOps manual[1], dependencies to keys should be defined like this now: ``` nix { systemd.services.myservice = { after = [ "secret-key.service" ]; wants = [ "secret-key.service" ]; }; } ``` However I'd leave the issue open until it's discussed whether or not to keep `keys.target` in `nixpkgs`. [1] https://nixos.org/nixops/manual/#idm140737322342384 --- nixos/doc/manual/release-notes/rl-1909.xml | 20 +++++++++++++++++++ nixos/modules/services/mail/dovecot.nix | 3 +-- nixos/modules/services/networking/nsd.nix | 3 +-- .../modules/services/networking/softether.nix | 2 -- .../networking/strongswan-swanctl/module.nix | 5 ++--- .../services/networking/strongswan.nix | 3 +-- .../web-servers/apache-httpd/default.nix | 3 +-- 7 files changed, 26 insertions(+), 13 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index 6493bb995967..93cc1f2a1384 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -291,6 +291,26 @@ configuration while being better type-checked and mergeable. + + + No service depends on keys.target anymore which is a systemd + target that indicates if all NixOps keys were successfully uploaded. + Instead, <key-name>-key.service should be used to define + a dependency of a key in a service. The full issue behind the keys.target + dependency is described at NixOS/nixpkgs#67265. + + + The following services are affected by this: + + services.dovecot2 + services.nsd + services.softether + services.strongswan + services.strongswan-swanctl + services.httpd + + + diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 139011dca23a..cdbb776454b6 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -344,8 +344,7 @@ in systemd.services.dovecot2 = { description = "Dovecot IMAP/POP3 server"; - after = [ "keys.target" "network.target" ]; - wants = [ "keys.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; restartTriggers = [ cfg.configFile ]; diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index 8b918dab86dd..c69b77f9deec 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -916,9 +916,8 @@ in systemd.services.nsd = { description = "NSD authoritative only domain name service"; - after = [ "keys.target" "network.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - wants = [ "keys.target" ]; serviceConfig = { ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf"; diff --git a/nixos/modules/services/networking/softether.nix b/nixos/modules/services/networking/softether.nix index 0046dcd366fa..65df93a00da9 100644 --- a/nixos/modules/services/networking/softether.nix +++ b/nixos/modules/services/networking/softether.nix @@ -70,8 +70,6 @@ in systemd.services."softether-init" = { description = "SoftEther VPN services initial task"; - after = [ "keys.target" ]; - wants = [ "keys.target" ]; wantedBy = [ "network.target" ]; serviceConfig = { Type = "oneshot"; diff --git a/nixos/modules/services/networking/strongswan-swanctl/module.nix b/nixos/modules/services/networking/strongswan-swanctl/module.nix index 817b5ec55f78..0fec3ef00ad9 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/module.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix @@ -62,9 +62,8 @@ in { systemd.services.strongswan-swanctl = { description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl"; wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" "keys.target" ]; - wants = [ "keys.target" ]; - path = with pkgs; [ kmod iproute iptables utillinux ]; + after = [ "network-online.target" ]; + path = with pkgs; [ kmod iproute iptables utillinux ]; environment = { STRONGSWAN_CONF = pkgs.writeTextFile { name = "strongswan.conf"; diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix index 41b69039ba7a..4ff9c486059c 100644 --- a/nixos/modules/services/networking/strongswan.nix +++ b/nixos/modules/services/networking/strongswan.nix @@ -151,8 +151,7 @@ in description = "strongSwan IPSec Service"; wantedBy = [ "multi-user.target" ]; path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux - wants = [ "keys.target" ]; - after = [ "network-online.target" "keys.target" ]; + after = [ "network-online.target" ]; environment = { STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; }; }; diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index 12200c879beb..098160ee3692 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -670,8 +670,7 @@ in { description = "Apache HTTPD"; wantedBy = [ "multi-user.target" ]; - wants = [ "keys.target" ]; - after = [ "network.target" "fs.target" "keys.target" ]; + after = [ "network.target" "fs.target" ]; path = [ httpd pkgs.coreutils pkgs.gnugrep ]