Diffstat (limited to 'krebs/3modules')
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/exim-smarthost.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/iptables.nix | 8 | ||||
-rw-r--r-- | krebs/3modules/repo-sync.nix | 4 | ||||
-rw-r--r-- | krebs/3modules/systemd.nix | 82 | ||||
-rw-r--r-- | krebs/3modules/tinc.nix | 1 |
6 files changed, 60 insertions, 38 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 6babac72e..bff7e135f 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -7,6 +7,7 @@ let
 out = {
 imports = [
 ../../kartei
+../../submodules/disko/module.nix
 ./acl.nix
 ./airdcpp.nix
 ./announce-activation.nix
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 7c176d224..b3cf212e4 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -108,7 +108,7 @@ let
 };
 
 imp = {
-krebs.systemd.services.exim = {};
+krebs.systemd.services.exim.restartIfCredentialsChange = true;
 systemd.services.exim.serviceConfig.LoadCredential =
 map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim;
 krebs.exim = {
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index 7007090c0..052dad9c6 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -43,10 +43,6 @@ let
 target = mkOption {
 type = str;
 };
-precedence = mkOption {
-type = int;
-default = 0;
-};
 v4 = mkOption {
 type = bool;
 default = true;
@@ -145,13 +141,11 @@ let
 buildChain = tn: cn:
 let
 filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules;
-sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules;
-
 in
 #TODO: double check should be unneccessary, refactor!
 if ts.${tn}.${cn}.rules or null != null then
 concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
-++ map (buildRule tn cn) sortedRules
+++ map (buildRule tn cn) filteredRules
 )
 else
 ""
diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix
index c4cfb9a49..5b8a53be8 100644
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@@ -159,7 +159,9 @@ let
 ) cfg.repos;
 
 krebs.systemd.services = mapAttrs' (name: _:
-nameValuePair "repo-sync-${name}" {
+nameValuePair "repo-sync-${name}" {
+restartIfCredentialsChange = true;
+}
 ) cfg.repos;
 
 systemd.services = mapAttrs' (name: repo:
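Review bot: With the `sortedRules` sort removed from `buildChain`, rules are now appended to the chain in the order they appear in the `rules` list, and because iptables is first-match this silently changes which rule wins in any configuration that used `precedence` to put a specific rule ahead of a general one. That ordering contract is nowhere stated in the hunk, so a comment on the `filteredRules = ...` line would help: `# rules are emitted in list order; iptables matches first-rule-first, so order matters`. A host that still sets `precedence` will fail evaluation because the option no longer exists, which is at least a loud failure rather than a reordered firewall. The `#TODO: double check should be unneccessary` on the `if` still stands after this change.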
diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix index 194e8b24a..3e524d3b5 100644 --- a/krebs/3modules/systemd.nix +++ b/krebs/3modules/systemd.nix @@ -3,14 +3,28 @@ body.options.krebs.systemd.services = lib.mkOption { default = {}; - type = lib.types.attrsOf (lib.types.submodule { + type = lib.types.attrsOf (lib.types.submodule (cfg_: let + serviceName = cfg_.config._module.args.name; + cfg = config.systemd.services.${serviceName} // cfg_.config; + in { options = { + credentialPaths = lib.mkOption { + default = + lib.sort + lib.lessThan + (lib.filter + lib.types.absolute-pathname.check + (map + (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ]) + (lib.toList cfg.serviceConfig.LoadCredential))); + readOnly = true; + }; + credentialUnitName = lib.mkOption { + default = "trigger-${lib.systemd.encodeName serviceName}"; + readOnly = true; + }; restartIfCredentialsChange = lib.mkOption { - # Enabling this by default only makes sense here as the user already - # bothered to write down krebs.systemd.services.* = {}. If this - # functionality gets upstreamed to systemd.services, restarting - # should be disabled by default. - default = true; + default = false; description = '' Whether to restart the service whenever any of its credentials change. Only credentials with an absolute path in LoadCredential= 
@@ -19,30 +33,40 @@ type = lib.types.bool; }; }; - }); + })); }; - body.config = { - systemd.paths = lib.mapAttrs' (serviceName: _: - lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" { - wantedBy = [ "multi-user.target" ]; - pathConfig.PathChanged = - lib.filter - lib.types.absolute-pathname.check - (map - (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ]) - (lib.toList - config.systemd.services.${serviceName}.serviceConfig.LoadCredential)); - } - ) config.krebs.systemd.services; + body.config.systemd = lib.mkMerge (lib.mapAttrsToList (serviceName: cfg: { + paths.${cfg.credentialUnitName} = { + wantedBy = [ "multi-user.target" ]; + pathConfig.PathChanged = cfg.credentialPaths; + }; + services.${cfg.credentialUnitName} = { + serviceConfig = { + Type = "oneshot"; + StateDirectory = "credentials"; + ExecStart = pkgs.writeDash "${cfg.credentialUnitName}.sh" '' + set -efu - systemd.services = lib.mapAttrs' (serviceName: cfg: - lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" { - serviceConfig = { - Type = "oneshot"; - ExecStart = "${pkgs.systemd}/bin/systemctl restart ${lib.shell.escape serviceName}"; - }; - } - ) config.krebs.systemd.services; - }; + PATH=${lib.makeBinPath [ + pkgs.coreutils + pkgs.diffutils + pkgs.systemd + ]} + + cache=/var/lib/credentials/${lib.shell.escape serviceName}.sha1sum + tmpfile=$(mktemp -t "$(basename "$cache")".XXXXXXXX) + trap 'rm -f "$tmpfile"' EXIT + + sha1sum ${toString cfg.credentialPaths} > "$tmpfile" + if test -f "$cache" && cmp -s "$tmpfile" "$cache"; then + exit + fi + mv "$tmpfile" "$cache" + + systemctl restart ${lib.shell.escape serviceName} + ''; + }; + }; + }) config.krebs.systemd.services); } diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index c33b30f0d..0babc448a 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix 
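Review bot: `restartIfCredentialsChange` is never consulted in the new `body.config.systemd`: `lib.mapAttrsToList` iterates every entry of `config.krebs.systemd.services`, so a service that leaves the option at its new default of `false` still gets a `trigger-*` path unit and a restart service, unless some filter exists outside this hunk. Filtering first, `(lib.filterAttrs (_: cfg: cfg.restartIfCredentialsChange) config.krebs.systemd.services)`, makes the option meaningful and also avoids emitting a path unit with an empty `PathChanged` list for services that have no absolute-path credentials. In the script, `sha1sum ${toString cfg.credentialPaths}` splices the paths into the shell unquoted, unlike the `${lib.shell.escape serviceName}` used on the `systemctl restart` line; `${toString (map lib.shell.escape cfg.credentialPaths)}` keeps a path containing a space or glob character from changing what gets hashed. `mktemp -t` also creates the digest file in /tmp and then `mv`s it across filesystems into /var/lib/credentials; `tmpfile=$(mktemp "$cache".XXXXXXXX)` keeps it inside the state directory for the whole operation.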
@@ -232,6 +232,7 @@ with import <stockholm/lib>; ) config.krebs.tinc; krebs.systemd.services = mapAttrs (netname: cfg: { + restartIfCredentialsChange = true; }) config.krebs.tinc; systemd.services = mapAttrs (netname: cfg: { |