2280c39d3e
Because new credentials won't be available after reloading, only after restarting.
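# NixOS module: for each service listed under krebs.systemd.services, generate
# a systemd path unit that watches the service's credential files and a
# oneshot service that restarts the real service when one of them changes.
#
# A restart is used because the service only sees new credential contents
# after it has been started again.
{ config, pkgs, ... }: let {
  lib = import ../../lib;

  # Services for which trigger units are generated.  Entries that set
  # restartIfCredentialsChange = false are skipped so the option is honored;
  # the original code generated trigger units for every entry regardless.
  enabledServices =
    lib.filterAttrs
      (_: cfg: cfg.restartIfCredentialsChange)
      config.krebs.systemd.services;

  # Name shared by the generated path unit and its oneshot service.  systemd
  # activates the service with the same name as the path unit by default, so
  # both must stay in sync.
  triggerName = serviceName:
    "trigger-${lib.systemd.encodeName serviceName}";

  body.options.krebs.systemd.services = lib.mkOption {
    default = {};
    type = lib.types.attrsOf (lib.types.submodule {
      options = {
        restartIfCredentialsChange = lib.mkOption {
          # Enabling this by default only makes sense here as the user already
          # bothered to write down krebs.systemd.services.* = {}. If this
          # functionality gets upstreamed to systemd.services, restarting
          # should be disabled by default.
          default = true;
          description = ''
            Whether to restart the service whenever any of its credentials
            change. Only credentials with an absolute path in LoadCredential=
            are supported.
          '';
          type = lib.types.bool;
        };
      };
    });
  };

  body.config = {
    # One path unit per enabled service, watching its credential files.
    systemd.paths = lib.mapAttrs' (serviceName: _:
      lib.nameValuePair (triggerName serviceName) {
        wantedBy = [ "multi-user.target" ];
        # LoadCredential= entries have the form ID:PATH.  The regex keeps the
        # part after the first colon, and only absolute paths are watched.
        # Entries without a colon or with a non-absolute path are dropped, so
        # changes to those credentials do not trigger a restart.
        # NOTE(review): lib.maybeHead is defined in ../../lib, outside this
        # file; presumably it yields a value the absolute-pathname check
        # rejects when lib.match finds nothing -- confirm.
        # NOTE(review): evaluation fails here if the service declares no
        # LoadCredential at all; confirm that this is intended.
        pathConfig.PathChanged =
          lib.filter
            lib.types.absolute-pathname.check
            (map
              (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
              (lib.toList
                config.systemd.services.${serviceName}.serviceConfig.LoadCredential));
      }
    ) enabledServices;

    # The oneshot service that the path unit above activates.
    # Anyone able to write a watched credential file can thereby cause the
    # service to restart, so those files should be writable only by trusted
    # principals.
    systemd.services = lib.mapAttrs' (serviceName: _:
      lib.nameValuePair (triggerName serviceName) {
        serviceConfig = {
          Type = "oneshot";
          # NOTE(review): lib.shell.escape applies shell quoting, but systemd
          # parses ExecStart= itself and also expands % specifiers; confirm
          # that service names containing % or $ cannot occur here.
          ExecStart = "${pkgs.systemd}/bin/systemctl restart ${lib.shell.escape serviceName}";
        };
      }
    ) enabledServices;
  };
}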