From b5b90b598430cfa876639d76dbbdc8d826ccb5c0 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Tue, 4 Aug 2020 20:28:04 +0200
Subject: [PATCH] types.secret-file: add service option

---
 krebs/3modules/exim-smarthost.nix       |  8 ++++++--
 krebs/3modules/konsens.nix              |  2 +-
 krebs/3modules/repo-sync.nix            |  8 +++++++-
 krebs/3modules/tinc.nix                 |  9 +++++++--
 lass/2configs/binary-cache/server.nix   |  8 ++++++--
 lass/2configs/websites/sqlBackup.nix    |  8 ++++++--
 lass/3modules/ejabberd/default.nix      | 11 +++++++++--
 lib/types.nix                           |  4 ++++
 makefu/2configs/binary-cache/server.nix |  8 ++++++--
 makefu/3modules/netdata.nix             |  8 ++++++--
 tv/2configs/binary-cache/default.nix    |  8 ++++++--
 tv/3modules/charybdis/default.nix       | 11 +++++++++--
 tv/3modules/ejabberd/default.nix        | 11 +++++++++--
 tv/3modules/x0vncserver.nix             | 12 ++++++++++--
 14 files changed, 92 insertions(+), 24 deletions(-)

diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index e988fb563..2a97f9d6e 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -115,8 +115,12 @@ let
     }));
     systemd.services = mkIf (cfg.dkim != []) {
       exim = {
-        after = [ "secret.service" ];
-        requires = [ "secret.service" ];
+        after = flip map cfg.dkim (dkim:
+          config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
+        );
+        requires = flip map cfg.dkim (dkim:
+          config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
+        );
       };
     };
     krebs.exim = {
diff --git a/krebs/3modules/konsens.nix b/krebs/3modules/konsens.nix
index 74895a971..81486810b 100644
--- a/krebs/3modules/konsens.nix
+++ b/krebs/3modules/konsens.nix
@@ -56,7 +56,7 @@ let
 
     systemd.services = mapAttrs' (name: repo:
       nameValuePair "konsens-${name}" {
-        after = [ "network.target" "secret.service" ];
+        after = [ "network.target" ];
         path = [ pkgs.git ];
         restartIfChanged = false;
         serviceConfig = {
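Review bot: The ordering on `secret.service` is dropped here without a replacement, whereas every other hunk in this patch swaps it for the per-file `config.krebs.secret.files.<name>.service`. If the konsens units use a key provisioned through krebs.secret.files (not visible in this hunk), they can now start before that file exists at boot; in that case `after` should list `config.krebs.secret.files.<key-name>.service` and `requires` should pull it in, as repo-sync.nix does in this same patch. If konsens uses no secret file, a sentence in the commit message saying the dependency was unused would make the asymmetry intentional rather than suspicious. The enclosing mapAttrs' body continues outside the hunk.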
diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix
index 45d9d81c3..892f34049 100644
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@@ -166,7 +166,13 @@ let
           });
       in nameValuePair "repo-sync-${name}" {
         description = "repo-sync";
-        after = [ "network.target" "secret.service" ];
+        after = [
+          config.krebs.secret.files.repo-sync-key.service
+          "network.target"
+        ];
+        requires = [
+          config.krebs.secret.files.repo-sync-key.service
+        ];
 
         environment = {
           GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.stateDir}/ssh.priv";
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 8b6e959d4..0be16d8f6 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -219,9 +219,14 @@ let
         iproute = cfg.iproutePackage;
       in {
         description = "Tinc daemon for ${netname}";
-        after = [ "network.target" ];
+        after = [
+          config.krebs.secret.files."${netname}.rsa_key.priv".service
+          "network.target"
+        ];
+        requires = [
+          config.krebs.secret.files."${netname}.rsa_key.priv".service
+        ];
         wantedBy = [ "multi-user.target" ];
-        requires = [ "secret.service" ];
         path = [ tinc iproute ];
         serviceConfig = rec {
           Restart = "always";
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
index d3775b5df..fbaf16a3c 100644
--- a/lass/2configs/binary-cache/server.nix
+++ b/lass/2configs/binary-cache/server.nix
@@ -9,8 +9,12 @@
   };
 
   systemd.services.nix-serve = {
-    requires = ["secret.service"];
-    after = ["secret.service"];
+    after = [
+      config.krebs.secret.files.nix-serve-key.service
+    ];
+    requires = [
+      config.krebs.secret.files.nix-serve-key.service
+    ];
   };
   krebs.secret.files.nix-serve-key = {
     path = "/run/secret/nix-serve.key";
diff --git a/lass/2configs/websites/sqlBackup.nix b/lass/2configs/websites/sqlBackup.nix
index 10a6e4643..72d7c7b9a 100644
--- a/lass/2configs/websites/sqlBackup.nix
+++ b/lass/2configs/websites/sqlBackup.nix
@@ -14,8 +14,12 @@
   };
 
   systemd.services.mysql = {
-    requires = [ "secret.service" ];
-    after = [ "secret.service" ];
+    after = [
+      config.krebs.secret.files.mysql_rootPassword.service
+    ];
+    requires = [
+      config.krebs.secret.files.mysql_rootPassword.service
+    ];
   };
 
   lass.mysqlBackup = {
diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix
index 4838a9093..9642c64c9 100644
--- a/lass/3modules/ejabberd/default.nix
+++ b/lass/3modules/ejabberd/default.nix
@@ -74,8 +74,15 @@ in {
 
     systemd.services.ejabberd = {
       wantedBy = [ "multi-user.target" ];
-      requires = [ "secret.service" ];
-      after = [ "network.target" "secret.service" ];
+      after = [
+        config.krebs.secret.files.ejabberd-certfile.service
+        config.krebs.secret.files.ejabberd-s2s_certfile.service
+        "network.target"
+      ];
+      requires = [
+        config.krebs.secret.files.ejabberd-certfile.service
+        config.krebs.secret.files.ejabberd-s2s_certfile.service
+      ];
       serviceConfig = {
         ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
         ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";
diff --git a/lib/types.nix b/lib/types.nix
index 16ccb145e..82e184ba9 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -256,6 +256,10 @@ rec {
         type = str;
         default = "root";
       };
+      service = mkOption {
+        type = filename;
+        default = "secret.service";
+      };
       source-path = mkOption {
         type = str;
         default = toString <secrets> + "/${config.name}";
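Review bot: The new `service` option has no `description`, so the generated option documentation will not say what the unit name is for or who is expected to provide it. The consuming hunks in this patch put it into `after` and `requires` of the unit that reads the file, so something like `description = "systemd unit that provides this secret file; consumers should order after and require it.";` would capture the contract. The default `"secret.service"` is what keeps existing consumers working, which is worth stating in the commit message as well. The enclosing options set continues outside the hunk.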
diff --git a/makefu/2configs/binary-cache/server.nix b/makefu/2configs/binary-cache/server.nix
index c8f68c84d..3fc174a1b 100644
--- a/makefu/2configs/binary-cache/server.nix
+++ b/makefu/2configs/binary-cache/server.nix
@@ -9,8 +9,12 @@
   };
 
   systemd.services.nix-serve = {
-    requires = ["secret.service"];
-    after = ["secret.service"];
+    after = [
+      config.krebs.secret.files.nix-serve-key.service
+    ];
+    requires = [
+      config.krebs.secret.files.nix-serve-key.service
+    ];
   };
   krebs.secret.files.nix-serve-key = {
     path = "/run/secret/nix-serve.key";
diff --git a/makefu/3modules/netdata.nix b/makefu/3modules/netdata.nix
index 3ed33643c..a3c789eb2 100644
--- a/makefu/3modules/netdata.nix
+++ b/makefu/3modules/netdata.nix
@@ -71,8 +71,12 @@ in
   };
   config = mkIf cfg.enable {
     systemd.services.netdata = {
-      requires = [ "secret.service" ];
-      after = [ "secret.service" ];
+      after = [
+        config.krebs.secret.files.netdata-stream.service
+      ];
+      requires = [
+        config.krebs.secret.files.netdata-stream.service
+      ];
     };
     krebs.secret.files.netdata-stream = {
       path = "/run/secret/netdata-stream.conf";
diff --git a/tv/2configs/binary-cache/default.nix b/tv/2configs/binary-cache/default.nix
index 39c944b1a..970f705f0 100644
--- a/tv/2configs/binary-cache/default.nix
+++ b/tv/2configs/binary-cache/default.nix
@@ -9,8 +9,12 @@
   };
 
   systemd.services.nix-serve = {
-    requires = ["secret.service"];
-    after = ["secret.service"];
+    after = [
+      config.krebs.secret.files.binary-cache-seckey.service
+    ];
+    requires = [
+      config.krebs.secret.files.binary-cache-seckey.service
+    ];
   };
 
   krebs.secret.files.binary-cache-seckey = {
diff --git a/tv/3modules/charybdis/default.nix b/tv/3modules/charybdis/default.nix
index 62a7037e3..3809da404 100644
--- a/tv/3modules/charybdis/default.nix
+++ b/tv/3modules/charybdis/default.nix
@@ -51,8 +51,15 @@ in {
 
     systemd.services.charybdis = {
       wantedBy = [ "multi-user.target" ];
-      requires = [ "secret.service" ];
-      after = [ "network-online.target" "secret.service" ];
+      after = [
+        config.krebs.secret.files.charybdis-ssl_dh_params.service
+        config.krebs.secret.files.charybdis-ssl_private_key.service
+        "network-online.target"
+      ];
+      requires = [
+        config.krebs.secret.files.charybdis-ssl_dh_params.service
+        config.krebs.secret.files.charybdis-ssl_private_key.service
+      ];
       environment = {
         BANDB_DBPATH = "${cfg.user.home}/ban.db";
       };
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
index f16dfac86..b995c145a 100644
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@@ -95,8 +95,15 @@ in {
 
     systemd.services.ejabberd = {
       wantedBy = [ "multi-user.target" ];
-      requires = [ "secret.service" ];
-      after = [ "network.target" "secret.service" ];
+      after = [
+        config.krebs.secret.files.ejabberd-certfile.service
+        config.krebs.secret.files.ejabberd-s2s_certfile.service
+        "network.target"
+      ];
+      requires = [
+        config.krebs.secret.files.ejabberd-certfile.service
+        config.krebs.secret.files.ejabberd-s2s_certfile.service
+      ];
       serviceConfig = {
         ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
         ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground";
diff --git a/tv/3modules/x0vncserver.nix b/tv/3modules/x0vncserver.nix
index 44fed590d..8b9cfa89d 100644
--- a/tv/3modules/x0vncserver.nix
+++ b/tv/3modules/x0vncserver.nix
@@ -36,8 +36,16 @@ in {
       x0vncserver-pwfile = cfg.pwfile;
     };
     systemd.services.x0vncserver = {
-      after = [ "graphical.target" "secret.service" ];
-      requires = [ "graphical.target" "secret.service" ];
+      after = [
+        config.krebs.secret.files.x0vncserver-pwfile.service
+        "graphical.target"
+      ];
+      partOf = [
+        config.krebs.secret.files.x0vncserver-pwfile.service
+      ];
+      requires = [
+        "graphical.target"
+      ];
       serviceConfig = {
         ExecStart = "${pkgs.tigervnc}/bin/x0vncserver ${toString [
           "-display ${cfg.display}"
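Review bot: This hunk alone uses `partOf` for the secret unit instead of `requires`, so starting x0vncserver does not pull in `config.krebs.secret.files.x0vncserver-pwfile.service`, and if that unit is not started by something else the server can come up before the password file is in place, which the removed `requires = [ "graphical.target" "secret.service" ]` did guarantee. `partOf` only propagates stop/restart from the secret unit to x0vncserver, so if that propagation is the intent, keeping it and additionally listing the secret unit under `requires`, as the other hunks do, gives both: `requires = [ config.krebs.secret.files.x0vncserver-pwfile.service "graphical.target" ];`. If the difference is deliberate, a one-line comment above `partOf` explaining why would save the next reader the question. The enclosing service definition continues outside the hunk.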