afws: move more code into module file, use new reload mechanism

nixbld-etc-nixos/afws-module.nix

@@ -20,10 +20,20 @@ in
         User = "afws";
         Group = "afws";
         ExecStart = "${afws}/bin/afws_server";
+        ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
       };
       path = [ pkgs.nix pkgs.git ];
     };
 
+    security.acme.certs."afws.m-labs.hk".postRun =
+      ''
+      mkdir -p /var/lib/afws/cert
+      cp cert.pem /var/lib/afws/cert
+      cp key.pem /var/lib/afws/cert
+      chown -R afws:afws /var/lib/afws/cert
+      '';
+    security.acme.certs."afws.m-labs.hk".reloadServices = [ "afws.service" ];
+
     users.users.afws = {
       name = "afws";
       group = "afws";

nixbld-etc-nixos/configuration.nix

@@ -529,26 +529,6 @@ in
     };
   };
   services.afws.enable = true;
-  security.acme.certs."afws.m-labs.hk".postRun =
-    ''
-    # ensure initial state
-    mkdir -p /var/lib/afws/cert-new /var/lib/afws/cert-current
-    ln -sf /var/lib/afws/cert-current /var/lib/afws/cert
-
-    # populate new directory
-    cp cert.pem /var/lib/afws/cert-new
-    cp key.pem /var/lib/afws/cert-new
-    chown afws:afws /var/lib/afws/cert-new/*
-
-    # atomic replace
-    ln -s /var/lib/afws/cert-new /var/lib/afws/tmp
-    mv -T /var/lib/afws/tmp /var/lib/afws/cert
-    rm -rf /var/lib/afws/cert-current
-    cp -a /var/lib/afws/cert-new /var/lib/afws/cert-current
-    ln -s /var/lib/afws/cert-current /var/lib/afws/tmp
-    mv -T /var/lib/afws/tmp /var/lib/afws/cert
-    rm -rf /var/lib/afws/cert-new
-    '';
 
   nix.extraOptions = ''
     secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1