nixos/acme: Fix postRun in acme certificate being ran at every run

immae · Apr 17, 2020 · 8e88b8d · 8e88b8d
1 parent bcfca55
commit 8e88b8d
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
@@ -349,7 +349,9 @@ in
 
                           # Test that existing cert is older than new cert
                           KEY=${spath}/certificates/${keyName}.key
+                          KEY_CHANGED=no
                           if [ -e $KEY -a $KEY -nt key.pem ]; then
+                            KEY_CHANGED=yes
                             cp -p ${spath}/certificates/${keyName}.key key.pem
                             cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
                             cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
@@ -360,7 +362,10 @@ in
                           chmod ${fileMode} *.pem
                           chown '${data.user}:${data.group}' *.pem
 
-                          ${data.postRun}
+                          if [ "$KEY_CHANGED" = "yes" ]; then
+                            : # noop in case postRun is empty
+                            ${data.postRun}
+                          fi
                         '';
                       in
                         "+${script}";