Two small systemd changes

1. Don't halt the cert renewer service from ExecStartPost ops if a relying service doesn't exist; halt it if the relying service exists and doesn't restart properly.
2. Use /bin/env bash instead of /bin/bash for portability.
Carl Tashian 2021-03-16 17:08:20 -07:00
parent 6861202762
commit 2c09baf696


@ -15,7 +15,7 @@ Environment=STEPPATH=/etc/step-ca \
; ExecStartPre checks if the certificate is ready for renewal,
; based on the exit status of the command.
; (In systemd 243 and above, you can use ExecCondition= here.)
ExecStartPre=/usr/bin/bash -c \
ExecStartPre=/usr/bin/env bash -c \
'step certificate inspect $CERT_LOCATION --format json --roots "$STEPPATH/certs/root_ca.crt" | \
jq -e "(((.validity.start | fromdate) + \
((.validity.end | fromdate) - (.validity.start | fromdate)) * 0.66) \
@ -25,7 +25,8 @@ ExecStartPre=/usr/bin/bash -c \
ExecStart=/usr/bin/step ca renew --force $CERT_LOCATION $KEY_LOCATION
; Try to reload or restart the systemd service that relies on this cert-renewer
ExecStartPost=/usr/bin/bash -c 'systemctl --quiet is-enabled %i && systemctl try-reload-or-restart %i'
; If the relying service doesn't exist, forge ahead.
ExecStartPost=/usr/bin/env bash -c 'if ! systemctl --quiet is-enabled %i.service ; then exit 0; fi; systemctl try-reload-or-restart %i'
[Install]
WantedBy=multi-user.target
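Review bot: In the new ExecStartPost line, `systemctl --quiet is-enabled %i.service` stands in for "the relying service exists", but is-enabled also returns non-zero for a unit that exists and is merely disabled, so a service that was started by hand or pulled in by another unit now takes the `exit 0` path and keeps serving the old certificate with no failure recorded. An activity check matches what try-reload-or-restart actually acts on: `if ! systemctl --quiet is-active %i.service; then exit 0; fi; systemctl try-reload-or-restart %i.service`. Separately, both changed lines now resolve bash through the unit's PATH via `/usr/bin/env`; since this renewer presumably runs as root, a comment such as `; bash is looked up via PATH; keep PATH limited to root-owned directories` would record that assumption next to the lines that depend on it.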