Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

krebs.systemd: support credentials of any service

Browse Source
This commit is contained in:
tv 2021-12-23 20:09:06 +01:00
parent 5f7ab23ebf
commit 1cf495d6eb
2 changed files with 27 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
krebs/3modules/systemd.nix
View File

@ -1,36 +1,39 @@
{ config, options, pkgs, ... }: let { { config, pkgs, ... }: let {
lib = import ../../lib; lib = import ../../lib;
body.options.krebs.systemd.services = lib.mkOption { body.options.krebs.systemd.services = lib.mkOption {
default = {}; default = {};
type = lib.types.attrs; type = lib.types.attrsOf (lib.types.submodule {
description = '' options = {
Definition of systemd service units with bonus features. serviceConfig.LoadCredential = lib.mkOption {
apply = lib.toList;
Services defined using this option will be restarted whenever any file type =
(described by an absolute path) used in LoadCredential changes. lib.types.either lib.types.str (lib.types.listOf lib.types.str);
''; };
};
});
}; };
body.config.systemd = body.config.systemd =
lib.mkMerge lib.mkMerge
(lib.flatten (lib.flatten
(lib.mapAttrsToList (serviceName: cfg: let (lib.mapAttrsToList (serviceName: cfg: let
prefix = [ "krebs" "systemd" "services" serviceName ];
opts = options.systemd.services.type.getSubOptions prefix;
paths = paths =
lib.filter lib.filter
lib.types.absolute-pathname.check lib.types.absolute-pathname.check
(map (map
(lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ]) (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
(cfg.serviceConfig.LoadCredential or [])); cfg.serviceConfig.LoadCredential);
in in
lib.singleton { lib.singleton {
services.${serviceName} = cfg; services.${serviceName} = {
serviceConfig = {
LoadCredential = cfg.serviceConfig.LoadCredential;
};
};
} }
++ ++
lib.optionals (cfg.enable or opts.enable.default) (map (path: let map (path: let
triggerName = "trigger-${lib.systemd.encodeName path}"; triggerName = "trigger-${lib.systemd.encodeName path}";
in { in {
paths.${triggerName} = { paths.${triggerName} = {
@ -46,6 +49,6 @@
]); ]);
}; };
}; };
}) paths) }) paths
) config.krebs.systemd.services)); ) config.krebs.systemd.services));
} }

15
krebs/3modules/tinc.nix
View File

@ -229,6 +229,15 @@ with import <stockholm/lib>;
) config.krebs.tinc; ) config.krebs.tinc;
krebs.systemd.services = mapAttrs (netname: cfg: { krebs.systemd.services = mapAttrs (netname: cfg: {
serviceConfig.LoadCredential = filter (x: x != "") [
(optionalString (cfg.privkey_ed25519 != null)
"ed25519_key:${cfg.privkey_ed25519}"
)
"rsa_key:${cfg.privkey}"
];
}) config.krebs.tinc;
systemd.services = mapAttrs (netname: cfg: {
description = "Tinc daemon for ${netname}"; description = "Tinc daemon for ${netname}";
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -239,12 +248,6 @@ with import <stockholm/lib>;
reloadIfChanged = true; reloadIfChanged = true;
restartTriggers = [ cfg.confDir ]; restartTriggers = [ cfg.confDir ];
serviceConfig = { serviceConfig = {
LoadCredential = filter (x: x != "") [
(optionalString (cfg.privkey_ed25519 != null)
"ed25519_key:${cfg.privkey_ed25519}"
)
"rsa_key:${cfg.privkey}"
];
Restart = "always"; Restart = "always";
ExecStart = toString [ ExecStart = toString [
"${cfg.tincPackage}/sbin/tincd" "${cfg.tincPackage}/sbin/tincd"