nixos/treewide: drop dependencies to keys.target

The `keys.target` is used to indicate whether all NixOps keys were successfully uploaded on an unattended reboot. However this can cause startup issues e.g. with NixOS containers (see #67265) and can block boots even though this might not be needed (e.g. with a dovecot2 instance running that doesn't need any of the NixOps keys). As described in the NixOps manual[1], dependencies to keys should be defined like this now: ``` nix { systemd.services.myservice = { after = [ "secret-key.service" ]; wants = [ "secret-key.service" ]; }; } ``` However I'd leave the issue open until it's discussed whether or not to keep `keys.target` in `nixpkgs`. [1] https://nixos.org/nixops/manual/#idm140737322342384
2025-07-13 21:50:33 +03:00 · 2019-08-24 16:52:17 +02:00 · 2019-08-24 16:52:17 +02:00 · 56a7bc05e1
commit 56a7bc05e1
parent c09bc3e7e2
7 changed files with 26 additions and 13 deletions
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@ -291,6 +291,26 @@
       configuration while being better type-checked and mergeable.
     </para>
   </listitem>
   <listitem>
    <para>
     No service depends on <literal>keys.target</literal> anymore which is a systemd
     target that indicates if all <link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps keys</link> were successfully uploaded.
     Instead, <literal>&lt;key-name&gt;-key.service</literal> should be used to define
     a dependency of a key in a service. The full issue behind the <literal>keys.target</literal>
     dependency is described at <link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>.
    </para>
    <para>
     The following services are affected by this:
     <itemizedlist>
      <listitem><para><link linkend="opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link></para></listitem>
      <listitem><para><link linkend="opt-services.nsd.enable"><literal>services.nsd</literal></link></para></listitem>
      <listitem><para><link linkend="opt-services.softether.enable"><literal>services.softether</literal></link></para></listitem>
      <listitem><para><link linkend="opt-services.strongswan.enable"><literal>services.strongswan</literal></link></para></listitem>
      <listitem><para><link linkend="opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link></para></listitem>
      <listitem><para><link linkend="opt-services.httpd.enable"><literal>services.httpd</literal></link></para></listitem>
     </itemizedlist>
    </para>
   </listitem>
  </itemizedlist>
 </section>
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@ -344,8 +344,7 @@ in
    systemd.services.dovecot2 = {
      description = "Dovecot IMAP/POP3 server";
-      after = [ "keys.target" "network.target" ];
+      after = [ "network.target" ];
      wants = [ "keys.target" ];
      wantedBy = [ "multi-user.target" ];
      restartTriggers = [ cfg.configFile ];
--- a/nixos/modules/services/networking/nsd.nix
+++ b/nixos/modules/services/networking/nsd.nix
@ -916,9 +916,8 @@ in
    systemd.services.nsd = {
      description = "NSD authoritative only domain name service";
-      after = [ "keys.target" "network.target" ];
+      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      wants = [ "keys.target" ];
      serviceConfig = {
        ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf";
--- a/nixos/modules/services/networking/softether.nix
+++ b/nixos/modules/services/networking/softether.nix
@ -70,8 +70,6 @@ in
      systemd.services."softether-init" = {
        description = "SoftEther VPN services initial task";
        after = [ "keys.target" ];
        wants = [ "keys.target" ];
        wantedBy = [ "network.target" ];
        serviceConfig = {
          Type = "oneshot";
--- a/nixos/modules/services/networking/strongswan-swanctl/module.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix
@ -62,9 +62,8 @@ in  {
    systemd.services.strongswan-swanctl = {
      description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl";
      wantedBy = [ "multi-user.target" ];
-      after    = [ "network-online.target" "keys.target" ];
+      after    = [ "network-online.target" ];
-      wants    = [ "keys.target" ];
+      path     = with pkgs; [ kmod iproute iptables utillinux ];
      path = with pkgs; [ kmod iproute iptables utillinux ];
      environment = {
        STRONGSWAN_CONF = pkgs.writeTextFile {
          name = "strongswan.conf";
--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@ -151,8 +151,7 @@ in
      description = "strongSwan IPSec Service";
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux
-      wants = [ "keys.target" ];
+      after = [ "network-online.target" ];
      after = [ "network-online.target" "keys.target" ];
      environment = {
        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
      };
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@ -670,8 +670,7 @@ in
      { description = "Apache HTTPD";
        wantedBy = [ "multi-user.target" ];
-        wants = [ "keys.target" ];
+        after = [ "network.target" "fs.target" ];
        after = [ "network.target" "fs.target" "keys.target" ];
        path =
          [ httpd pkgs.coreutils pkgs.gnugrep ]