From 10ce0b3149561d4b84afaf83f78c6d459189a911 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Sat, 26 Mar 2022 17:21:38 +0100
Subject: ...

---
 modules/certspotter.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'modules')

diff --git a/modules/certspotter.nix b/modules/certspotter.nix
index 4dee0d37..aae6a313 100644
--- a/modules/certspotter.nix
+++ b/modules/certspotter.nix
@@ -19,6 +19,15 @@ let
                  ++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList))
                      "-script" "${script}/bin/certspotter-script"
                     ];
+
+  startScript = pkgs.writeShellApplication {
+    name = "certspotter-start";
+    runtimeInputs = [ pkgs.coreutils cfg.package ];
+    text = ''
+      rm -f "''${STATE_DIRECTORY}/lock"
+      certspotter -state_dir "''${STATE_DIRECTORY}" ${escapeShellArgs startOptions}
+    '';
+  };
 in {
   options = {
     services.certspotter = {
@@ -45,8 +54,7 @@ in {
     systemd.services.certspotter = {
       serviceConfig = {
         Type = "oneshot";
-        ExecStartPre = "${pkgs.coreutils}/bin/rm -f $STATE_DIRECTORY/lock";
-        ExecStart = "${cfg.package}/bin/certspotter -state_dir $STATE_DIRECTORY ${escapeShellArgs startOptions}";
+        ExecStart = "${startScript}/bin/certspotter-start";
         StateDirectory = "certspotter";
         LogsDirectory = "certspotter";
         DynamicUser = true;
-- 
cgit v1.2.3