mynix/agenix
1
0
Fork 0
mirror of https://github.com/ryantm/agenix.git synced 2024-11-25 11:08:30 +03:00
Code Issues Projects Releases Packages Wiki Activity

add age.secrets.*.{action,service}

Browse source 
represents an action to perform or systemd service to restart when the
secret changes
This commit is contained in:
Taeer Bar-Yam 2021-12-29 12:25:41 -05:00
parent 08b9c96878
commit 72d63d37eb
1 changed files with 46 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
modules/age.nix
View file

@ -90,6 +90,17 @@ let
Group of the decrypted secret.
'';
};
action = mkOption {
type = types.str;
default = "";
description = "A script to run when secret is updated.";
};
service = mkOption {
type = types.str;
default = "";
description = "The systemd service that uses this secret. Will be restarted when the secret changes.";
example = "wireguard-wg0";
};
symlink = mkEnableOption "symlinking secrets to their destination" // { default = true; };
};
});
@ -201,6 +212,41 @@ in
"agenixChownKeys"
];
};
# services that watch for file changes and exectue the configured action
systemd.services = lib.mkMerge
(lib.mapAttrsToList
(name: {action, service, file, path, mode, owner, group, ...}:
let
fileHash = builtins.hashString "sha256" (builtins.readFile file);
restartTriggers = [ fileHash path mode owner group ];
in
lib.mkMerge [
(lib.mkIf (service != "") {
${service} = { inherit restartTriggers; };
})
(lib.mkIf (action != "") {
"agenix-${name}-action" = {
inherit restartTriggers;
# We execute the action on reload so that it doesn't happen at
# startup. The only disadvantage is that it won't trigger the
# first time the service is created.
reload = action;
reloadIfChanged = true;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = " "; # it complains if we only set ExecReload
# Give it a reason for starting
wantedBy = [ "multi-user.target" ];
};
})]) cfg.secrets);
};
}