authortv <tv@krebsco.de>2021-12-23 20:09:06 +0100
committertv <tv@krebsco.de>2021-12-23 20:18:28 +0100
commit1cf495d6eb113541dfa1667f03f7edd10c2217b1 (patch)
tree8ed3026e1ab4705c5758a354e032ebfb0bf621df /krebs
parent5f7ab23ebf220194dc9ef28dd164f042ee2804c4 (diff)
krebs.systemd: support credentials of any service
Diffstat (limited to 'krebs')
-rw-r--r--krebs/3modules/systemd.nix33
-rw-r--r--krebs/3modules/tinc.nix15
2 files changed, 27 insertions, 21 deletions
diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix
index c30b2264..00538d5f 100644
--- a/krebs/3modules/systemd.nix
+++ b/krebs/3modules/systemd.nix
@@ -1,36 +1,39 @@
-{ config, options, pkgs, ... }: let {
+{ config, pkgs, ... }: let {
lib = import ../../lib;
body.options.krebs.systemd.services = lib.mkOption {
default = {};
- type = lib.types.attrs;
- description = ''
- Definition of systemd service units with bonus features.
-
- Services defined using this option will be restarted whenever any file
- (described by an absolute path) used in LoadCredential changes.
- '';
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ serviceConfig.LoadCredential = lib.mkOption {
+ apply = lib.toList;
+ type =
+ lib.types.either lib.types.str (lib.types.listOf lib.types.str);
+ };
+ };
+ });
};
body.config.systemd =
lib.mkMerge
(lib.flatten
(lib.mapAttrsToList (serviceName: cfg: let
- prefix = [ "krebs" "systemd" "services" serviceName ];
- opts = options.systemd.services.type.getSubOptions prefix;
-
paths =
lib.filter
lib.types.absolute-pathname.check
(map
(lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
- (cfg.serviceConfig.LoadCredential or []));
+ cfg.serviceConfig.LoadCredential);
in
lib.singleton {
- services.${serviceName} = cfg;
+ services.${serviceName} = {
+ serviceConfig = {
+ LoadCredential = cfg.serviceConfig.LoadCredential;
+ };
+ };
}
++
- lib.optionals (cfg.enable or opts.enable.default) (map (path: let
+ map (path: let
triggerName = "trigger-${lib.systemd.encodeName path}";
in {
paths.${triggerName} = {
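Review bot: The new `serviceConfig.LoadCredential` option is declared without a `default` and without a `description`, and the old `cfg.serviceConfig.LoadCredential or []` fallback in `paths` is gone. An entry in `krebs.systemd.services` that does not set LoadCredential would presumably now fail evaluation rather than produce no triggers; adding `default = [];` to the option keeps the earlier tolerance. The removed description was the only place stating that a service is restarted when a credential file changes, and nothing says that entries rejected by `lib.types.absolute-pathname.check` silently get no trigger. I would restore it on the new option, e.g. `description = "Credentials to load; the service is restarted whenever a credential file given by an absolute path changes.";`. The `mapAttrsToList` function continues past the end of this hunk.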
@@ -46,6 +49,6 @@
]);
};
};
- }) paths)
+ }) paths
) config.krebs.systemd.services));
}
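Review bot: With `lib.optionals (cfg.enable or opts.enable.default)` dropped (closed here at `}) paths`, opened at the `map (path: let` line of the previous hunk), the path trigger units are generated for every entry, including services whose `systemd.services.<name>.enable` is false. The trigger body lies between the two hunks and is not visible, but if it restarts the unit as the removed description said, a credential file change could act on a service the administrator has disabled. The submodule no longer carries `enable`, so the check would have to read the real unit, for example `lib.mkIf config.systemd.services.${serviceName}.enable` around each generated path unit; that it evaluates without recursion needs confirming.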
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index f709b334..dca764f6 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -229,6 +229,15 @@ with import <stockholm/lib>;
) config.krebs.tinc;
krebs.systemd.services = mapAttrs (netname: cfg: {
+ serviceConfig.LoadCredential = filter (x: x != "") [
+ (optionalString (cfg.privkey_ed25519 != null)
+ "ed25519_key:${cfg.privkey_ed25519}"
+ )
+ "rsa_key:${cfg.privkey}"
+ ];
+ }) config.krebs.tinc;
+
+ systemd.services = mapAttrs (netname: cfg: {
description = "Tinc daemon for ${netname}";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
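Review bot: `"rsa_key:${cfg.privkey}"` and `"ed25519_key:${cfg.privkey_ed25519}"` interpolate the key locations into strings, and nothing here documents that they must be plain string paths. The option types are declared outside this hunk, but if either option accepts a Nix path value, interpolation would copy the private key into the world-readable store. I would add a comment above the list such as `# privkey* must be string paths outside /nix/store; a path literal would be copied into the store`. The same comment could say that only absolute paths get a restart trigger, because krebs/3modules/systemd.nix filters the rest out. The `systemd.services` function that starts in this hunk continues beyond it.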
@@ -239,12 +248,6 @@ with import <stockholm/lib>;
reloadIfChanged = true;
restartTriggers = [ cfg.confDir ];
serviceConfig = {
- LoadCredential = filter (x: x != "") [
- (optionalString (cfg.privkey_ed25519 != null)
- "ed25519_key:${cfg.privkey_ed25519}"
- )
- "rsa_key:${cfg.privkey}"
- ];
Restart = "always";
ExecStart = toString [
"${cfg.tincPackage}/sbin/tincd"