Make Apache wait for ‘charon send-keys’

(This is a no-op on non-Charon deployments since the ‘keys.target’
unit won't have any dependencies.)

modules/services/web-servers/apache-httpd/default.nix

@@ -580,11 +580,12 @@ in
         date.timezone = "${config.time.timeZone}"
       '';
 
-    jobs.httpd =
+    boot.systemd.services.httpd =
       { description = "Apache HTTPD";
 
         wantedBy = [ "multi-user.target" ];
-        after = [ "network.target" "fs.target" "postgresql.service" ];
+        requires = [ "keys.target" ];
+        after = [ "network.target" "fs.target" "postgresql.service" "keys.target" ];
 
         path =
           [ httpd pkgs.coreutils pkgs.gnugrep ]
@@ -596,9 +597,7 @@ in
 
         environment =
           { PHPRC = if enablePHP then phpIni else "";
-
             TZ = config.time.timeZone;
-
           } // (listToAttrs (concatMap (svc: svc.globalEnvVars) allSubservices));
 
         preStart =
@@ -628,12 +627,9 @@ in
             done
           '';
 
-        exec = "httpd -f ${httpdConf} -DNO_DETACH";
-
-        preStop =
-          ''
-            ${httpd}/bin/httpd -f ${httpdConf} -k graceful-stop
-          '';
+        serviceConfig.ExecStart = "@${httpd}/bin/httpd httpd -f ${httpdConf} -DNO_DETACH";
+        serviceConfig.ExecStop = "${httpd}/bin/httpd -f ${httpdConf} -k graceful-stop";
+        serviceConfig.Restart = "always";
       };
 
   };

modules/system/boot/systemd.nix

@@ -442,6 +442,11 @@ in
         }
       ];
 
+    # Target for ‘charon send-keys’ to hook into.
+    boot.systemd.targets.keys =
+      { description = "Security Keys";
+      };
+
     boot.systemd.units =
       { "rescue.service".text = rescueService; }
       // mapAttrs' (n: v: nameValuePair "${n}.target" (targetToUnit n v)) cfg.targets