krebs.systemd.restartIfCredentialsChange: check hashes

2022-12-29 15:22:29 +01:00 · 2022-12-29 15:22:29 +01:00 · 4354fea0b4
commit 4354fea0b4
parent b3c5492b69
1 changed files with 52 additions and 24 deletions
--- a/krebs/3modules/systemd.nix
+++ b/krebs/3modules/systemd.nix
@ -3,8 +3,26 @@

  body.options.krebs.systemd.services = lib.mkOption {
    default = {};
-    type = lib.types.attrsOf (lib.types.submodule {
+    type = lib.types.attrsOf (lib.types.submodule (cfg_: let
+      serviceName = cfg_.config._module.args.name;
+      cfg = config.systemd.services.${serviceName} // cfg_.config;
+    in {
      options = {
+        credentialPaths = lib.mkOption {
+          default =
+            lib.sort
+              lib.lessThan
+              (lib.filter
+                lib.types.absolute-pathname.check
+                (map
+                  (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
+                  (lib.toList cfg.serviceConfig.LoadCredential)));
+          readOnly = true;
+        };
+        credentialUnitName = lib.mkOption {
+          default = "trigger-${lib.systemd.encodeName serviceName}";
+          readOnly = true;
+        };
        restartIfCredentialsChange = lib.mkOption {
          default = false;
          description = ''
@ -15,30 +33,40 @@
          type = lib.types.bool;
        };
      };
-    });
+    }));
  };

-  body.config = {
-    systemd.paths = lib.mapAttrs' (serviceName: _:
-      lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" {
+  body.config.systemd = lib.mkMerge (lib.mapAttrsToList (serviceName: cfg: {
+    paths.${cfg.credentialUnitName} = {
      wantedBy = [ "multi-user.target" ];
-        pathConfig.PathChanged =
-          lib.filter
-            lib.types.absolute-pathname.check
-            (map
-              (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
-              (lib.toList
-                config.systemd.services.${serviceName}.serviceConfig.LoadCredential));
-      }
-    ) config.krebs.systemd.services;
-
-    systemd.services = lib.mapAttrs' (serviceName: cfg:
-      lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" {
+      pathConfig.PathChanged = cfg.credentialPaths;
+    };
+    services.${cfg.credentialUnitName} = {
      serviceConfig = {
        Type = "oneshot";
-          ExecStart = "${pkgs.systemd}/bin/systemctl restart ${lib.shell.escape serviceName}";
+        StateDirectory = "credentials";
+        ExecStart = pkgs.writeDash "${cfg.credentialUnitName}.sh" ''
+          set -efu
+
+          PATH=${lib.makeBinPath [
+            pkgs.coreutils
+            pkgs.diffutils
+            pkgs.systemd
+          ]}
+
+          cache=/var/lib/credentials/${lib.shell.escape serviceName}.sha1sum
+          tmpfile=$(mktemp -t "$(basename "$cache")".XXXXXXXX)
+          trap 'rm -f "$tmpfile"' EXIT
+
+          sha1sum ${toString cfg.credentialPaths} > "$tmpfile"
+          if test -f "$cache" && cmp -s "$tmpfile" "$cache"; then
+            exit
+          fi
+          mv "$tmpfile" "$cache"
+
+          systemctl restart ${lib.shell.escape serviceName}
+        '';
      };
-      }
-    ) config.krebs.systemd.services;
    };
+  }) config.krebs.systemd.services);
 }