nixos/nginx: move configuration testing script into reload command

nginx -t not only verifies configuration, but also creates (and chowns) files. When the `nginx-config-reload` service is used, this can cause directories to be chowned to `root`, causing nginx to fail. This moves the nginx -t command into a second ExecReload command, which runs as nginx's user. While fixing above issue, this will also cause the configuration to be verified when running `systemctl reload nginx`, not only when restarting the dummy `nginx-config-reload` unit. The latter is mostly a workaround for missing features in our activation script anyways.
2020-08-12 18:09:02 +02:00 · 2020-08-12 18:09:02 +02:00 · 300049ca51
commit 300049ca51
parent e11d511222
1 changed files with 5 additions and 3 deletions
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -704,7 +704,10 @@ in
      '';
      serviceConfig = {
        ExecStart = execCommand;
-        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        ExecReload = [
+          "${execCommand} -t"
+          "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
+        ];
        Restart = "always";
        RestartSec = "10s";
        StartLimitInterval = "1min";
@ -761,8 +764,7 @@ in
      serviceConfig.TimeoutSec = 60;
      script = ''
        if /run/current-system/systemd/bin/systemctl -q is-active nginx.service ; then
-          ${execCommand} -t && \
-            /run/current-system/systemd/bin/systemctl reload nginx.service
+          /run/current-system/systemd/bin/systemctl reload nginx.service
        fi
      '';
      serviceConfig.RemainAfterExit = true;