From cf07c71418a18c97ddac78af1d2f733a754bba37 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Tue, 6 Jan 2026 15:06:31 +0100
Subject: [PATCH] module: restart worker when cert is changed

Closes #12

The worker gets access to the ACME-managed certs via `LoadCredential`, however that doesn't refresh files when the files in the credential source change. Explicitly restart the worker to make sure these changes are reflected in what the worker sees.
---
 module.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/module.nix b/module.nix
index 94e4621..25e0391 100644
--- a/module.nix
+++ b/module.nix
@@ -300,6 +300,16 @@ in
 );
 in
 {
+ assertions = [
+ {
+ assertion = cfg.nginx.enableACME -> cfg.nginx.enable;
+ message = ''
+ Cannot enable `services.authentik.nginx.enableACME` when
+ `services.authentik.nginx.enable` is `false`.
+ '';
+ }
+ ];
+
 services = {
 authentik.settings = {
 blueprints_dir = mkDefault "${cfg.authentikComponents.staticWorkdirDeps}/blueprints";
@@ -441,6 +451,12 @@ in
 };
 };
 
+ security.acme.certs = mkIf cfg.nginx.enableACME {
+ ${cfg.nginx.host}.postRun = ''
+ systemctl restart authentik-worker.service
+ '';
+ };
+
 services.nginx = mkIf cfg.nginx.enable {
 enable = true;
 recommendedTlsSettings = true;
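Review bot: The `postRun` hook in the second hunk runs `systemctl restart authentik-worker.service` unconditionally, so a certificate renewal will also start the worker when an operator has deliberately stopped it for maintenance; `systemctl try-restart authentik-worker.service` restarts only a unit that is already running and still achieves the commit's goal of reloading the credential. The reason for the restart lives only in the commit message, so a comment above the `security.acme.certs` attribute would help the next reader, e.g. `# LoadCredential snapshots the cert at unit start; restart so the worker sees renewed files`. Since the hook runs on every renewal, in-flight worker tasks are interrupted each time — presumably acceptable here, but worth stating in that comment. The enclosing `config` attribute set begins and ends outside both hunks.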