Fix issue in ISRG script that is not idempotent

diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index b97d0bc1dd3c3492a6c90b5dd42aac5b80f73ac9..9879946d07b0da37ce600d506a09f78ac382bd4e 100644 (file)
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -147,8 +147,12 @@
                   sha256 = "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
                 };
                 fix_ISRG_Root_X1 = pkgs.writeScript "fix-pem" ''
-                  cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
-                    sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" chain.pem fullchain.pem full.pem
+                  for file in chain fullchain full; do
+                    if grep -q MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA "$file.pem"; then
+                      cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
+                      sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" $file.pem
+                    fi
+                  done
                 '';
                 script = pkgs.writeScript "acme-post-start" ''
                   #!${pkgs.runtimeShell} -e
@@ -169,9 +173,9 @@
                     echo -n "${hashOptions}" > ${spath}/currentDomains
                   fi
 
+                  ${fix_ISRG_Root_X1}
                   chmod ${fileMode} *.pem
                   chown '${data.user}:${data.group}' *.pem
-                  ${fix_ISRG_Root_X1}
 
                   if [ "$KEY_CHANGED" = "yes" ]; then
                     : # noop in case postRun is empty