krebs.systemd.restartIfCredentialsChange: default = false

2022-12-29 13:44:45 +01:00 · 2022-12-29 13:44:45 +01:00 · b3c5492b69
parent 2a63d78060
commit b3c5492b69
6 changed files with 8 additions and 9 deletions
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@ -108,7 +108,7 @@ let
  };

  imp = {
-    krebs.systemd.services.exim = {};
+    krebs.systemd.services.exim.restartIfCredentialsChange = true;
    systemd.services.exim.serviceConfig.LoadCredential =
      map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim;
    krebs.exim = {
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@ -159,7 +159,9 @@ let
    ) cfg.repos;

    krebs.systemd.services = mapAttrs' (name: _:
-      nameValuePair "repo-sync-${name}" {}
+      nameValuePair "repo-sync-${name}" {
+        restartIfCredentialsChange = true;
+      }
    ) cfg.repos;

    systemd.services = mapAttrs' (name: repo:
--- a/krebs/3modules/systemd.nix
+++ b/krebs/3modules/systemd.nix
@ -6,11 +6,7 @@
    type = lib.types.attrsOf (lib.types.submodule {
      options = {
        restartIfCredentialsChange = lib.mkOption {
-          # Enabling this by default only makes sense here as the user already
-          # bothered to write down krebs.systemd.services.* = {}.  If this
-          # functionality gets upstreamed to systemd.services, restarting
-          # should be disabled by default.
-          default = true;
+          default = false;
          description = ''
            Whether to restart the service whenever any of its credentials
            change.  Only credentials with an absolute path in LoadCredential=
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@ -232,6 +232,7 @@ with import <stockholm/lib>;
    ) config.krebs.tinc;

    krebs.systemd.services = mapAttrs (netname: cfg: {
+      restartIfCredentialsChange = true;
    }) config.krebs.tinc;

    systemd.services = mapAttrs (netname: cfg: {
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@ -127,7 +127,7 @@ in {
      })
    ];

-    krebs.systemd.services.ejabberd = {};
+    krebs.systemd.services.ejabberd.restartIfCredentialsChange = true;

    systemd.services.ejabberd = {
      wantedBy = [ "multi-user.target" ];
--- a/tv/3modules/x0vncserver.nix
+++ b/tv/3modules/x0vncserver.nix
@ -26,7 +26,7 @@ in {
    };
  };
  config = mkIf cfg.enable {
-    krebs.systemd.services.x0vncserver = {};
+    krebs.systemd.services.x0vncserver.restartIfCredentialsChange = true;
    systemd.services.x0vncserver = {
      after = [ "graphical.target" ];
      requires = [ "graphical.target" ];