blob: 3e524d3b5e65618f3046c8db0d4d8fbc7a68a1a5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
{ config, pkgs, ... }: let {
lib = import ../../lib;
body.options.krebs.systemd.services = lib.mkOption {
default = {};
type = lib.types.attrsOf (lib.types.submodule (cfg_: let
serviceName = cfg_.config._module.args.name;
cfg = config.systemd.services.${serviceName} // cfg_.config;
in {
options = {
credentialPaths = lib.mkOption {
default =
lib.sort
lib.lessThan
(lib.filter
lib.types.absolute-pathname.check
(map
(lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
(lib.toList cfg.serviceConfig.LoadCredential)));
readOnly = true;
};
credentialUnitName = lib.mkOption {
default = "trigger-${lib.systemd.encodeName serviceName}";
readOnly = true;
};
restartIfCredentialsChange = lib.mkOption {
default = false;
description = ''
Whether to restart the service whenever any of its credentials
change. Only credentials with an absolute path in LoadCredential=
are supported.
'';
type = lib.types.bool;
};
};
}));
};
body.config.systemd = lib.mkMerge (lib.mapAttrsToList (serviceName: cfg: {
paths.${cfg.credentialUnitName} = {
wantedBy = [ "multi-user.target" ];
pathConfig.PathChanged = cfg.credentialPaths;
};
services.${cfg.credentialUnitName} = {
serviceConfig = {
Type = "oneshot";
StateDirectory = "credentials";
ExecStart = pkgs.writeDash "${cfg.credentialUnitName}.sh" ''
set -efu
PATH=${lib.makeBinPath [
pkgs.coreutils
pkgs.diffutils
pkgs.systemd
]}
cache=/var/lib/credentials/${lib.shell.escape serviceName}.sha1sum
tmpfile=$(mktemp -t "$(basename "$cache")".XXXXXXXX)
trap 'rm -f "$tmpfile"' EXIT
sha1sum ${toString cfg.credentialPaths} > "$tmpfile"
if test -f "$cache" && cmp -s "$tmpfile" "$cache"; then
exit
fi
mv "$tmpfile" "$cache"
systemctl restart ${lib.shell.escape serviceName}
'';
};
};
}) config.krebs.systemd.services);
}
|