2023-06-10 12:50:53 +02:00
|
|
|
{ config, pkgs, lib, ... }: let {
|
|
|
|
|
|
|
|
slib = import ../../lib/pure.nix { inherit lib; };
|
2021-12-23 01:10:22 +01:00
|
|
|
|
|
|
|
body.options.krebs.systemd.services = lib.mkOption {
|
|
|
|
default = {};
|
2022-12-29 15:22:29 +01:00
|
|
|
type = lib.types.attrsOf (lib.types.submodule (cfg_: let
|
|
|
|
serviceName = cfg_.config._module.args.name;
|
|
|
|
cfg = config.systemd.services.${serviceName} // cfg_.config;
|
|
|
|
in {
|
2021-12-23 20:09:06 +01:00
|
|
|
options = {
|
2022-12-29 15:22:29 +01:00
|
|
|
credentialPaths = lib.mkOption {
|
|
|
|
default =
|
|
|
|
lib.sort
|
|
|
|
lib.lessThan
|
|
|
|
(lib.filter
|
2023-06-10 12:50:53 +02:00
|
|
|
slib.types.absolute-pathname.check
|
2022-12-29 15:22:29 +01:00
|
|
|
(map
|
2023-06-10 12:50:53 +02:00
|
|
|
(slib.compose [ slib.maybeHead (builtins.match "[^:]*:(.*)") ])
|
2022-12-29 15:22:29 +01:00
|
|
|
(lib.toList cfg.serviceConfig.LoadCredential)));
|
|
|
|
readOnly = true;
|
|
|
|
};
|
|
|
|
credentialUnitName = lib.mkOption {
|
2023-06-10 12:50:53 +02:00
|
|
|
default = "trigger-${slib.systemd.encodeName serviceName}";
|
2022-12-29 15:22:29 +01:00
|
|
|
readOnly = true;
|
|
|
|
};
|
2021-12-29 16:52:23 +01:00
|
|
|
restartIfCredentialsChange = lib.mkOption {
|
2022-12-29 13:44:45 +01:00
|
|
|
default = false;
|
2021-12-23 20:16:34 +01:00
|
|
|
description = ''
|
2021-12-29 16:52:23 +01:00
|
|
|
Whether to restart the service whenever any of its credentials
|
|
|
|
change. Only credentials with an absolute path in LoadCredential=
|
|
|
|
are supported.
|
2021-12-23 20:16:34 +01:00
|
|
|
'';
|
2021-12-29 16:52:23 +01:00
|
|
|
type = lib.types.bool;
|
2021-12-23 20:16:34 +01:00
|
|
|
};
|
2021-12-23 20:09:06 +01:00
|
|
|
};
|
2022-12-29 15:22:29 +01:00
|
|
|
}));
|
2021-12-23 01:10:22 +01:00
|
|
|
};
|
|
|
|
|
2022-12-29 15:22:29 +01:00
|
|
|
body.config.systemd = lib.mkMerge (lib.mapAttrsToList (serviceName: cfg: {
|
|
|
|
paths.${cfg.credentialUnitName} = {
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
pathConfig.PathChanged = cfg.credentialPaths;
|
|
|
|
};
|
|
|
|
services.${cfg.credentialUnitName} = {
|
|
|
|
serviceConfig = {
|
|
|
|
Type = "oneshot";
|
|
|
|
StateDirectory = "credentials";
|
|
|
|
ExecStart = pkgs.writeDash "${cfg.credentialUnitName}.sh" ''
|
|
|
|
set -efu
|
2021-12-23 23:42:59 +01:00
|
|
|
|
2022-12-29 15:22:29 +01:00
|
|
|
PATH=${lib.makeBinPath [
|
|
|
|
pkgs.coreutils
|
|
|
|
pkgs.diffutils
|
|
|
|
pkgs.systemd
|
|
|
|
]}
|
|
|
|
|
2023-06-10 12:50:53 +02:00
|
|
|
cache=/var/lib/credentials/${slib.shell.escape serviceName}.sha1sum
|
2022-12-29 15:22:29 +01:00
|
|
|
tmpfile=$(mktemp -t "$(basename "$cache")".XXXXXXXX)
|
|
|
|
trap 'rm -f "$tmpfile"' EXIT
|
|
|
|
|
|
|
|
sha1sum ${toString cfg.credentialPaths} > "$tmpfile"
|
|
|
|
if test -f "$cache" && cmp -s "$tmpfile" "$cache"; then
|
|
|
|
exit
|
|
|
|
fi
|
|
|
|
mv "$tmpfile" "$cache"
|
|
|
|
|
2023-06-10 12:50:53 +02:00
|
|
|
systemctl restart ${slib.shell.escape serviceName}
|
2022-12-29 15:22:29 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}) config.krebs.systemd.services);
|
2021-12-23 01:10:22 +01:00
|
|
|
}
|