From 72d63d37eb652bffbda65de8e894f2799ad90bab Mon Sep 17 00:00:00 2001 From: Taeer Bar-Yam Date: Wed, 29 Dec 2021 12:25:41 -0500 Subject: [PATCH] add age.secrets.*.{action,service} represents an action to perform or systemd service to restart when the secret changes --- modules/age.nix | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/modules/age.nix b/modules/age.nix index f20b080..f9a8e9b 100644 --- a/modules/age.nix +++ b/modules/age.nix @@ -90,6 +90,17 @@ let Group of the decrypted secret. ''; }; + action = mkOption { + type = types.str; + default = ""; + description = "A script to run when secret is updated."; + }; + service = mkOption { + type = types.str; + default = ""; + description = "The systemd service that uses this secret. Will be restarted when the secret changes."; + example = "wireguard-wg0"; + }; symlink = mkEnableOption "symlinking secrets to their destination" // { default = true; }; }; }); @@ -201,6 +212,41 @@ in "agenixChownKeys" ]; }; + + # services that watch for file changes and exectue the configured action + systemd.services = lib.mkMerge + (lib.mapAttrsToList + (name: {action, service, file, path, mode, owner, group, ...}: + let + fileHash = builtins.hashString "sha256" (builtins.readFile file); + restartTriggers = [ fileHash path mode owner group ]; + in + lib.mkMerge [ + (lib.mkIf (service != "") { + ${service} = { inherit restartTriggers; }; + }) + (lib.mkIf (action != "") { + "agenix-${name}-action" = { + inherit restartTriggers; + + # We execute the action on reload so that it doesn't happen at + # startup. The only disadvantage is that it won't trigger the + # first time the service is created. + reload = action; + reloadIfChanged = true; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + + script = " "; # it complains if we only set ExecReload + + # Give it a reason for starting + wantedBy = [ "multi-user.target" ]; + }; + + })]) cfg.secrets); }; }