--- /dev/null
+{
+ description = "Module to watch fo file changes to force restart systemd service";
+ outputs = { self }: {
+ nixosModule = { config, lib, pkgs, ... }: let cfg = config.services.filesWatcher; in with lib; {
+ options = {
+ services.filesWatcher = with lib.types; mkOption {
+ default = {};
+ description = ''
+ Files to watch and trigger service reload or restart of service
+ when changed.
+ '';
+ type = attrsOf (submodule {
+ options = {
+ restart = mkEnableOption "Restart service rather than reloading it";
+ paths = mkOption {
+ type = listOf str;
+ description = ''
+ Paths to watch that should trigger a reload of the
+ service
+ '';
+ };
+ waitTime = mkOption {
+ type = int;
+ default = 5;
+ description = ''
+ Time to wait before reloading/restarting the service.
+ Set 0 to not wait.
+ '';
+ };
+ };
+ });
+ };
+ };
+
+ config = {
+ systemd.services = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair "${name}Watcher" {
+ description = "${name} reloader";
+ after = [ "network.target" ];
+ script = let
+ action = if icfg.restart then "restart" else "reload";
+ in ''
+ # Service may be stopped during file modification (e.g. activationScripts)
+ if ${pkgs.systemd}/bin/systemctl --quiet is-active ${name}.service; then
+ ${pkgs.coreutils}/bin/sleep ${toString icfg.waitTime}
+ ${pkgs.systemd}/bin/systemctl ${action} ${name}.service
+ fi
+ '';
+ serviceConfig.Type = "oneshot";
+ }) cfg;
+
+ systemd.paths = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair "${name}Watcher" {
+ wantedBy = [ "multi-user.target" ];
+ pathConfig.PathChanged = icfg.paths;
+ }) cfg;
+ };
+ };
+ };
+}
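Review bot: `waitTime` is declared as `int`, so a negative value passes evaluation and only fails when `sleep` runs. NixOS unit scripts run with `set -e`, so the watcher would then exit before the `systemctl ${action}` line and the service would keep running with the old file contents. Declaring it as `type = ints.unsigned;` rejects that at build time. The attribute name is also interpolated unquoted as `${name}.service`; it comes from the system configuration, so this is a robustness point rather than an injection risk, but `${escapeShellArg "${name}.service"}` would keep an unusual name from breaking the script.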
--- /dev/null
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1631570365,
+ "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "df7113c0727881519248d4c7d080324e0ee3327b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
--- /dev/null
+{
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+
+ description = "Useful libs";
+ outputs = { self, nixpkgs }: {
+ lib = rec {
+ computeNarHash = path:
+ let pkgs = import nixpkgs {};
+ in
+ builtins.readFile (pkgs.runCommand "narHash" {
+ buildInputs = [ pkgs.nix ];
+ } "echo -n $(nix hash-path ${path}) > $out");
+
+ withNarKeyCompat = flakeCompat: path: moduleAttrs:
+ let module = (flakeCompat path).${moduleAttrs};
+ narHash = computeNarHash path;
+ in if builtins.isFunction module
+ then args@{ config, lib, pkgs, ... }: (module args // { key = narHash; })
+ else module // { key = narHash; };
+
+ withNarKey = dep: moduleAttrs:
+ let module = dep.${moduleAttrs};
+ in if builtins.isFunction module
+ then args@{ config, lib, pkgs, ... }: (module args // { key = dep.narHash; })
+ else module // { key = dep.narHash; };
+ };
+ };
+}
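Review bot: `computeNarHash` calls `import nixpkgs {}` without a `system` and reads a `runCommand` result at evaluation time, so it depends on `builtins.currentSystem` and on import-from-derivation. The first is unavailable under pure flake evaluation and the second is disabled by some evaluators, so the helper looks usable only from the non-flake compat path, yet nothing in the file says so. I would add a comment above it such as `# Impure-only helper (needs builtins.currentSystem and IFD); flake callers should use withNarKey.` The purpose of `key` is also undocumented. Presumably it lets the module system treat repeated imports of the same source as one module, and a one-line comment above `withNarKey` saying so would help the next reader.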
{
"nodes": {
+ "files-watcher": {
+ "locked": {
+ "narHash": "sha256-6urOJuzXsu4HJHyVmrZHd40SMzzTeHiOiDOM40q53Y0=",
+ "path": "../../files-watcher",
+ "type": "path"
+ },
+ "original": {
+ "path": "../../files-watcher",
+ "type": "path"
+ }
+ },
"flake-utils": {
"locked": {
"lastModified": 1609246779,
"type": "github"
}
},
+ "my-lib": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "narHash": "sha256-YJREl39cf4zrFdAULMu1Yjg7hIEZCLuCnP8qJvWbIvM=",
+ "path": "../../lib",
+ "type": "path"
+ },
+ "original": {
+ "path": "../../lib",
+ "type": "path"
+ }
+ },
"myuids": {
"locked": {
"dir": "flakes/myuids",
}
},
"nixpkgs": {
+ "locked": {
+ "lastModified": 1631570365,
+ "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "df7113c0727881519248d4c7d080324e0ee3327b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
"locked": {
"lastModified": 1597943282,
"narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
"inputs": {
"flake-utils": "flake-utils",
"myuids": "myuids",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
"openarc": "openarc_2"
},
"locked": {
},
"root": {
"inputs": {
+ "files-watcher": "files-watcher",
+ "my-lib": "my-lib",
"nix-lib": "nix-lib",
"openarc": "openarc"
}
path = "../../openarc";
type = "path";
};
+ inputs.files-watcher = {
+ path = "../../files-watcher";
+ type = "path";
+ };
+ inputs.my-lib = {
+ path = "../../lib";
+ type = "path";
+ };
inputs.nix-lib.url = "github:NixOS/nixpkgs";
description = "Private configuration for openarc";
- outputs = { self, nix-lib, openarc }:
+ outputs = { self, nix-lib, my-lib, files-watcher, openarc }:
let
- cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') {
- services.openarc = {
- enable = true;
- user = "opendkim";
- socket = "local:${config.myServices.mail.milters.sockets.openarc}";
- group = config.services.postfix.group;
- configFile = pkgs.writeText "openarc.conf" ''
- AuthservID mail.immae.eu
- Domain mail.immae.eu
- KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
- Mode sv
- Selector eldiron
- SoftwareHeader yes
- Syslog Yes
+ cfg = name': { config, lib, pkgs, name, ... }: {
+ imports = [ (my-lib.lib.withNarKey files-watcher "nixosModule") ];
+ config = lib.mkIf (name == name') {
+ services.openarc = {
+ enable = true;
+ user = "opendkim";
+ socket = "local:${config.myServices.mail.milters.sockets.openarc}";
+ group = config.services.postfix.group;
+ configFile = pkgs.writeText "openarc.conf" ''
+ AuthservID mail.immae.eu
+ Domain mail.immae.eu
+ KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
+ Mode sv
+ Selector eldiron
+ SoftwareHeader yes
+ Syslog Yes
+ '';
+ };
+ systemd.services.openarc.serviceConfig.Slice = "mail.slice";
+ systemd.services.openarc.postStart = lib.optionalString
+ (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
+ while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
+ sleep 0.5
+ done
+ chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
'';
- };
- systemd.services.openarc.serviceConfig.Slice = "mail.slice";
- systemd.services.openarc.postStart = lib.optionalString
- (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
- while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
- sleep 0.5
- done
- chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
- '';
- services.filesWatcher.openarc = {
- restart = true;
- paths = [
- config.secrets.fullPaths."opendkim/eldiron.private"
- ];
+ services.filesWatcher.openarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendkim/eldiron.private"
+ ];
+ };
};
};
in
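Review bot: In `postStart` the socket path is derived three times with `lib.strings.removePrefix "local:" …` and interpolated unquoted into both `[ ! -S … ]` and `chmod g+w …`. Binding it once, e.g. `socketPath = lib.strings.removePrefix "local:" config.services.openarc.socket;`, and writing `${lib.escapeShellArg socketPath}` in both places keeps the test and the chmod on the same file and survives a path with unusual characters. The wait loop has no bound of its own, so it relies on the unit's start timeout if the socket never appears; a short comment saying that is intended would be worth adding. The `outputs` body continues outside this hunk.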
{
"nodes": {
+ "files-watcher": {
+ "locked": {
+ "narHash": "sha256-6urOJuzXsu4HJHyVmrZHd40SMzzTeHiOiDOM40q53Y0=",
+ "path": "../../files-watcher",
+ "type": "path"
+ },
+ "original": {
+ "path": "../../files-watcher",
+ "type": "path"
+ }
+ },
"flake-utils": {
"locked": {
"lastModified": 1609246779,
"type": "github"
}
},
+ "my-lib": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "narHash": "sha256-HGNP1eH7b42BxViYx/F3ZPO9CM1X+5qfA9JoP2ArN+s=",
+ "path": "../../lib",
+ "type": "path"
+ },
+ "original": {
+ "path": "../../lib",
+ "type": "path"
+ }
+ },
"myuids": {
"locked": {
"dir": "flakes/myuids",
}
},
"nixpkgs": {
+ "locked": {
+ "lastModified": 1631570365,
+ "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "df7113c0727881519248d4c7d080324e0ee3327b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
"locked": {
"lastModified": 1597943282,
"narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
"inputs": {
"flake-utils": "flake-utils",
"myuids": "myuids",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs_2"
},
"locked": {
"narHash": "sha256-eIe5hzNsp1zz5m4ZMzORwdHuLkhEsKkS7WMpPOJE4ok=",
},
"root": {
"inputs": {
+ "files-watcher": "files-watcher",
+ "my-lib": "my-lib",
"nix-lib": "nix-lib",
"opendmarc": "opendmarc"
}
path = "../../opendmarc";
type = "path";
};
+ inputs.files-watcher = {
+ path = "../../files-watcher";
+ type = "path";
+ };
+ inputs.my-lib = {
+ path = "../../lib";
+ type = "path";
+ };
inputs.nix-lib.url = "github:NixOS/nixpkgs";
description = "Private configuration for opendmarc";
- outputs = { self, nix-lib, opendmarc }:
+ outputs = { self, nix-lib, opendmarc, my-lib, files-watcher }:
let
- cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') {
- users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
- systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
- services.opendmarc = {
- enable = true;
- socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
- configFile = pkgs.writeText "opendmarc.conf" ''
- AuthservID HOSTNAME
- FailureReports false
- FailureReportsBcc postmaster@immae.eu
- FailureReportsOnNone true
- FailureReportsSentBy postmaster@immae.eu
- IgnoreAuthenticatedClients true
- IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
- SoftwareHeader true
- SPFIgnoreResults true
- SPFSelfValidate true
- UMask 002
- '';
- group = config.services.postfix.group;
- };
- services.filesWatcher.opendmarc = {
- restart = true;
- paths = [
- config.secrets.fullPaths."opendmarc/ignore.hosts"
+ cfg = name': { config, lib, pkgs, name, ... }: {
+ imports = [ (my-lib.lib.withNarKey files-watcher "nixosModule") ];
+ config = lib.mkIf (name == name') {
+ users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+ systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
+ services.opendmarc = {
+ enable = true;
+ socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
+ configFile = pkgs.writeText "opendmarc.conf" ''
+ AuthservID HOSTNAME
+ FailureReports false
+ FailureReportsBcc postmaster@immae.eu
+ FailureReportsOnNone true
+ FailureReportsSentBy postmaster@immae.eu
+ IgnoreAuthenticatedClients true
+ IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
+ SoftwareHeader true
+ SPFIgnoreResults true
+ SPFSelfValidate true
+ UMask 002
+ '';
+ group = config.services.postfix.group;
+ };
+ services.filesWatcher.opendmarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendmarc/ignore.hosts"
+ ];
+ };
+ secrets.keys = [
+ {
+ dest = "opendmarc/ignore.hosts";
+ user = config.services.opendmarc.user;
+ group = config.services.opendmarc.group;
+ permissions = "0400";
+ text = let
+ mxes = lib.attrsets.filterAttrs
+ (n: v: v.mx.enable)
+ config.myEnv.servers;
+ in
+ builtins.concatStringsSep "\n" ([
+ config.myEnv.mail.dmarc.ignore_hosts
+ ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
+ }
];
};
- secrets.keys = [
- {
- dest = "opendmarc/ignore.hosts";
- user = config.services.opendmarc.user;
- group = config.services.opendmarc.group;
- permissions = "0400";
- text = let
- mxes = lib.attrsets.filterAttrs
- (n: v: v.mx.enable)
- config.myEnv.servers;
- in
- builtins.concatStringsSep "\n" ([
- config.myEnv.mail.dmarc.ignore_hosts
- ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
- }
- ];
};
in
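Review bot: The `my-lib` input added here points at `../../lib`, the same directory the openarc flake uses, yet the two lock files in this commit record different `narHash` values for it (`sha256-YJREl…` for openarc, `sha256-HGNP1…` here). `files-watcher` is locked to the same hash in both. That suggests one lock was generated against a different state of the lib directory, possibly before its own `flake.lock` existed, so one of the two is already stale. Regenerating both locks from the final tree would make the pinned inputs match what is committed. The `outputs` body continues outside this hunk.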
opendmarc.outputs //
let
flakeCompat = import ../lib/flake-compat.nix;
+ flakeLib = (flakeCompat ../flakes/lib).lib;
in
{
myids = (flakeCompat ../flakes/myuids).nixosModule;
secrets = ./secrets.nix;
- filesWatcher = ./filesWatcher.nix;
+ filesWatcher = flakeLib.withNarKeyCompat flakeCompat ../flakes/files-watcher "nixosModule";
webstats = ./webapps/webstats;
diaspora = ./webapps/diaspora.nix;
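Review bot: The module key on the `filesWatcher` line comes from `computeNarHash`, while the flakes importing the same module use `dep.narHash`; deduplication only works if both produce byte-identical strings. The locked value is in SRI form (`sha256-…`), and the output format of `nix hash-path` depends on the Nix version behind `pkgs.nix`. I would request the format explicitly in the helper, e.g. `nix hash-path --sri ${path}`, and confirm the result equals the locked `narHash` for `files-watcher`. If the keys ever differ, `services.filesWatcher` would presumably be declared by two modules and evaluation would fail on the duplicate option. The surrounding attribute set starts and ends outside this hunk.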
+++ /dev/null
-{ lib, config, pkgs, ... }:
-with lib;
-let
- cfg = config.services.filesWatcher;
-in
-{
- options = {
- services.filesWatcher = with types; mkOption {
- default = {};
- description = ''
- Files to watch and trigger service reload or restart of service
- when changed.
- '';
- type = attrsOf (submodule {
- options = {
- restart = mkEnableOption "Restart service rather than reloading it";
- paths = mkOption {
- type = listOf str;
- description = ''
- Paths to watch that should trigger a reload of the
- service
- '';
- };
- waitTime = mkOption {
- type = int;
- default = 5;
- description = ''
- Time to wait before reloading/restarting the service.
- Set 0 to not wait.
- '';
- };
- };
- });
- };
- };
-
- config.systemd.services = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
- "${name}Watcher" {
- description = "${name} reloader";
- after = [ "network.target" ];
- script = let
- action = if icfg.restart then "restart" else "reload";
- in ''
- # Service may be stopped during file modification (e.g. activationScripts)
- if ${pkgs.systemd}/bin/systemctl --quiet is-active ${name}.service; then
- ${pkgs.coreutils}/bin/sleep ${toString icfg.waitTime}
- ${pkgs.systemd}/bin/systemctl ${action} ${name}.service
- fi
- '';
- serviceConfig = {
- Type = "oneshot";
- };
- }
- ) cfg;
- config.systemd.paths = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
- "${name}Watcher" {
- wantedBy = [ "multi-user.target" ];
- pathConfig.PathChanged = icfg.paths;
- }
- ) cfg;
-}