From b3c5492b696e02468604fbe00abdc36cb02eb22b Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 29 Dec 2022 13:44:45 +0100 Subject: krebs.systemd.restartIfCredentialsChange: default = false --- krebs/3modules/exim-smarthost.nix | 2 +- krebs/3modules/repo-sync.nix | 4 +++- krebs/3modules/systemd.nix | 6 +----- krebs/3modules/tinc.nix | 1 + 4 files changed, 6 insertions(+), 7 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 7c176d224..b3cf212e4 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -108,7 +108,7 @@ let }; imp = { - krebs.systemd.services.exim = {}; + krebs.systemd.services.exim.restartIfCredentialsChange = true; systemd.services.exim.serviceConfig.LoadCredential = map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim; krebs.exim = { diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix index c4cfb9a49..5b8a53be8 100644 --- a/krebs/3modules/repo-sync.nix +++ b/krebs/3modules/repo-sync.nix @@ -159,7 +159,9 @@ let ) cfg.repos; krebs.systemd.services = mapAttrs' (name: _: - nameValuePair "repo-sync-${name}" {} + nameValuePair "repo-sync-${name}" { + restartIfCredentialsChange = true; + } ) cfg.repos; systemd.services = mapAttrs' (name: repo: diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix index 194e8b24a..61bfcf639 100644 --- a/krebs/3modules/systemd.nix +++ b/krebs/3modules/systemd.nix 
@@ -6,11 +6,7 @@
 type = lib.types.attrsOf (lib.types.submodule {
 options = {
 restartIfCredentialsChange = lib.mkOption {
- # Enabling this by default only makes sense here as the user already
- # bothered to write down krebs.systemd.services.* = {}. If this
- # functionality gets upstreamed to systemd.services, restarting
- # should be disabled by default.
- default = true;
+ default = false;
 description = ''
 Whether to restart the service whenever any of its credentials change.
 Only credentials with an absolute path in LoadCredential=
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index c33b30f0d..0babc448a 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -232,6 +232,7 @@ with import ;
 ) config.krebs.tinc;
 
 krebs.systemd.services = mapAttrs (netname: cfg: {
+ restartIfCredentialsChange = true;
 }) config.krebs.tinc;
 
 systemd.services = mapAttrs (netname: cfg: {
--
cgit v1.2.3
From 4354fea0b426577cf33af15d0daff81511d1f6da Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 29 Dec 2022 15:22:29 +0100
Subject: krebs.systemd.restartIfCredentialsChange: check hashes

---
krebs/3modules/systemd.nix | 76 +++++++++++++++++++++++++++++++---------------
1 file changed, 52 insertions(+), 24 deletions(-)
(limited to 'krebs')
diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix
index 61bfcf639..3e524d3b5 100644
--- a/krebs/3modules/systemd.nix
+++ b/krebs/3modules/systemd.nix
@@ -3,8 +3,26 @@
 
 body.options.krebs.systemd.services = lib.mkOption {
 default = {};
- type = lib.types.attrsOf (lib.types.submodule {
+ type = lib.types.attrsOf (lib.types.submodule (cfg_: let
+ serviceName = cfg_.config._module.args.name;
+ cfg = config.systemd.services.${serviceName} // cfg_.config;
+ in {
 options = {
+ credentialPaths = lib.mkOption {
+ default =
+ lib.sort
+ lib.lessThan
+ (lib.filter
+ lib.types.absolute-pathname.check
+ (map
+ (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
+ (lib.toList cfg.serviceConfig.LoadCredential)));
+ readOnly = true;
+ };
+ credentialUnitName = lib.mkOption {
+ default = "trigger-${lib.systemd.encodeName serviceName}";
+ readOnly = true;
+ };
 restartIfCredentialsChange = lib.mkOption {
 default = false;
 description = ''
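Review bot: The two new read-only options `credentialPaths` and `credentialUnitName` carry no `description`, so the generated module documentation and nixos-option will show them as undocumented derived values. I would add `description = "Absolute paths taken from the ID:PATH entries of this service's LoadCredential=, sorted; ID-only entries and LoadCredentialEncrypted= are not included.";` to the first and `description = "Name of the path/service unit pair that restarts this service when one of credentialPaths changes.";` to the second, since only `serviceConfig.LoadCredential` is read here. `lib.match "[^:]*:(.*)"` appears to yield null for an ID-only entry, so the pipeline relies on `lib.types.absolute-pathname.check` rejecting null rather than throwing; a one-line comment stating that this is intended would help the next reader. The submodule body continues in the following hunk.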
@@ -15,30 +33,40 @@
 type = lib.types.bool;
 };
 };
- });
+ }));
 };
 
- body.config = {
- systemd.paths = lib.mapAttrs' (serviceName: _:
- lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" {
- wantedBy = [ "multi-user.target" ];
- pathConfig.PathChanged =
- lib.filter
- lib.types.absolute-pathname.check
- (map
- (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
- (lib.toList
- config.systemd.services.${serviceName}.serviceConfig.LoadCredential));
- }
- ) config.krebs.systemd.services;
+ body.config.systemd = lib.mkMerge (lib.mapAttrsToList (serviceName: cfg: {
+ paths.${cfg.credentialUnitName} = {
+ wantedBy = [ "multi-user.target" ];
+ pathConfig.PathChanged = cfg.credentialPaths;
+ };
+ services.${cfg.credentialUnitName} = {
+ serviceConfig = {
+ Type = "oneshot";
+ StateDirectory = "credentials";
+ ExecStart = pkgs.writeDash "${cfg.credentialUnitName}.sh" ''
+ set -efu
 
- systemd.services = lib.mapAttrs' (serviceName: cfg:
- lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" {
- serviceConfig = {
- Type = "oneshot";
- ExecStart = "${pkgs.systemd}/bin/systemctl restart ${lib.shell.escape serviceName}";
- };
- }
- ) config.krebs.systemd.services;
- };
+ PATH=${lib.makeBinPath [
+ pkgs.coreutils
+ pkgs.diffutils
+ pkgs.systemd
+ ]}
+
+ cache=/var/lib/credentials/${lib.shell.escape serviceName}.sha1sum
+ tmpfile=$(mktemp -t "$(basename "$cache")".XXXXXXXX)
+ trap 'rm -f "$tmpfile"' EXIT
+
+ sha1sum ${toString cfg.credentialPaths} > "$tmpfile"
+ if test -f "$cache" && cmp -s "$tmpfile" "$cache"; then
+ exit
+ fi
+ mv "$tmpfile" "$cache"
+
+ systemctl restart ${lib.shell.escape serviceName}
+ '';
+ };
+ };
+ }) config.krebs.systemd.services);
 }
--
cgit v1.2.3
[cgit] Unable to lock slot /tmp/cgit/9c000000.lock: No such file or directory (2)
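Review bot: Nothing in the new `body.config.systemd` reads `cfg.restartIfCredentialsChange`: the trigger path/service pair is generated for every entry of `config.krebs.systemd.services`, so unless that set is filtered somewhere outside the hunk the option is dead and the first commit's default flip (plus the `= true` lines in exim-smarthost.nix, repo-sync.nix and tinc.nix) changes nothing. Filtering on the last added line fixes that, e.g. `}) (lib.filterAttrs (_: cfg: cfg.restartIfCredentialsChange) config.krebs.systemd.services));`, and the same predicate could also skip entries whose `credentialPaths` is empty, for which `sha1sum` currently runs with no operands and the path unit gets an empty PathChanged=. In the script, `sha1sum ${toString cfg.credentialPaths}` interpolates the paths unescaped while `serviceName` goes through `lib.shell.escape`; `sha1sum ${lib.concatMapStringsSep " " lib.shell.escape cfg.credentialPaths}` keeps a path containing whitespace from being word-split. The cache file holds digests of the secrets themselves and is root-only only because mktemp's 0600 mode survives the `mv` into the 0755 StateDirectory; a comment such as `# tmpfile is 0600 from mktemp and mv keeps that mode; do not create the cache any other way` would keep that invariant from being lost.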