From bcddeda5dfb8049b7ec0db8ef10fc21aed0651ce Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 12 Feb 2026 00:11:28 +0200
Subject: [PATCH] Make traefik-certs-dumper require the Traefik service to avoid race condition
When both services restart simultaneously (e.g. in all-at-once mode), Traefik may momentarily truncate or reinitialize acme.json, causing the certs dumper to read an empty file and panic. By adding Requires/After on the Traefik service, the certs dumper only starts after Traefik is fully ready and acme.json is stable.
Co-Authored-By: Claude Opus 4.6
---
 group_vars/matrix_servers | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index a1d25d37a..f63b25809 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -5663,6 +5663,16 @@ traefik_certs_dumper_gid: "{{ matrix_user_gid }}"
 traefik_certs_dumper_ssl_path: "{{ traefik_ssl_dir_path if traefik_enabled else '' }}"
+# We make the certs dumper require the Traefik service (not just docker.service),
+# because when both restart simultaneously (e.g. in all-at-once mode), Traefik may
+# momentarily truncate or reinitialize acme.json, causing the certs dumper to read
+# an empty file and panic. By requiring Traefik, the certs dumper only starts after
+# Traefik is fully ready and acme.json is stable.
+traefik_certs_dumper_systemd_required_services_list_auto: |
+ {{
+ ([traefik_identifier + '.service'] if traefik_enabled else [])
+ }}
+
 traefik_certs_dumper_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else traefik_certs_dumper_container_image_registry_prefix_upstream_default }}"
 ########################################################################
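Review bot: The comment added above `traefik_certs_dumper_systemd_required_services_list_auto` promises more than a systemd dependency delivers: `Requires=`/`After=` (the directives named in the commit message) only order unit activation, and unless the Traefik unit signals readiness, "started" means the container process was launched, not that acme.json has been written. The race is therefore narrowed rather than closed, and a dumper that panics on an empty file can still leave the exported certificates stale after a restart. I would replace the last sentence of the comment with something like `# This only orders the dumper after the Traefik unit; it does not wait for acme.json to be populated, so the dumper must still tolerate an empty file.`, and also mention that `Requires=` stops or restarts the dumper whenever the Traefik unit is explicitly stopped or restarted. The unit template that consumes this list is outside the hunk, so how the list maps onto those directives is inferred from the commit message.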