From 27dd65fc95a91155367acbe15754dc22c8869552 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Mon, 13 Sep 2021 01:00:43 +0200
Subject: [PATCH] Add filesWatcher flake
---
 flakes/files-watcher/flake.nix | 58 ++++++++++++++++++
 flakes/lib/flake.lock | 26 ++++++++
 flakes/lib/flake.nix | 28 +++++++++
 flakes/private/openarc/flake.lock | 44 ++++++++++++-
 flakes/private/openarc/flake.nix | 69 ++++++++++++---------
 flakes/private/opendmarc/flake.lock | 44 ++++++++++++-
 flakes/private/opendmarc/flake.nix | 95 ++++++++++++++++------------
 modules/default.nix | 3 +-
 modules/filesWatcher.nix | 61 ------------------
 9 files changed, 293 insertions(+), 135 deletions(-)
 create mode 100644 flakes/files-watcher/flake.nix
 create mode 100644 flakes/lib/flake.lock
 create mode 100644 flakes/lib/flake.nix
 delete mode 100644 modules/filesWatcher.nix
diff --git a/flakes/files-watcher/flake.nix b/flakes/files-watcher/flake.nix
new file mode 100644
index 0000000..29ea428
--- /dev/null
+++ b/flakes/files-watcher/flake.nix
@@ -0,0 +1,58 @@
+{
+ description = "Module to watch fo file changes to force restart systemd service";
+ outputs = { self }: {
+ nixosModule = { config, lib, pkgs, ... }: let cfg = config.services.filesWatcher; in with lib; {
+ options = {
+ services.filesWatcher = with lib.types; mkOption {
+ default = {};
+ description = ''
+ Files to watch and trigger service reload or restart of service
+ when changed.
+ '';
+ type = attrsOf (submodule {
+ options = {
+ restart = mkEnableOption "Restart service rather than reloading it";
+ paths = mkOption {
+ type = listOf str;
+ description = ''
+ Paths to watch that should trigger a reload of the
+ service
+ '';
+ };
+ waitTime = mkOption {
+ type = int;
+ default = 5;
+ description = ''
+ Time to wait before reloading/restarting the service.
+ Set 0 to not wait.
+ '';
+ };
+ };
+ });
+ };
+ };
+
+ config = {
+ systemd.services = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair "${name}Watcher" {
+ description = "${name} reloader";
+ after = [ "network.target" ];
+ script = let
+ action = if icfg.restart then "restart" else "reload";
+ in ''
+ # Service may be stopped during file modification (e.g. activationScripts)
+ if ${pkgs.systemd}/bin/systemctl --quiet is-active ${name}.service; then
+ ${pkgs.coreutils}/bin/sleep ${toString icfg.waitTime}
+ ${pkgs.systemd}/bin/systemctl ${action} ${name}.service
+ fi
+ '';
+ serviceConfig.Type = "oneshot";
+ }) cfg;
+
+ systemd.paths = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair "${name}Watcher" {
+ wantedBy = [ "multi-user.target" ];
+ pathConfig.PathChanged = icfg.paths;
+ }) cfg;
+ };
+ };
+ };
+}
diff --git a/flakes/lib/flake.lock b/flakes/lib/flake.lock
new file mode 100644
index 0000000..3e0b21e
--- /dev/null
+++ b/flakes/lib/flake.lock
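Review bot: The description string on the second added line misspells "for": `description = "Module to watch for file changes to force restart systemd service";`. Nothing in the module explains that the `systemd.paths` unit is `wantedBy multi-user.target` for every `services.filesWatcher` entry and that only the `is-active` guard in the watcher script keeps a file change from starting a service that is stopped on purpose; a one-line comment above the `systemd.paths` block stating that would help the next reader. On style, the deleted module wrote `with types;` under the outer `with lib;`, while this one writes `with lib.types;` — either works, but the outer `with lib;` already makes the `lib.` prefix redundant.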
@@ -0,0 +1,26 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1631570365,
+ "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "df7113c0727881519248d4c7d080324e0ee3327b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flakes/lib/flake.nix b/flakes/lib/flake.nix
new file mode 100644
index 0000000..8faa136
--- /dev/null
+++ b/flakes/lib/flake.nix
@@ -0,0 +1,28 @@
+{
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+
+ description = "Useful libs";
+ outputs = { self, nixpkgs }: {
+ lib = rec {
+ computeNarHash = path:
+ let pkgs = import nixpkgs {};
+ in
+ builtins.readFile (pkgs.runCommand "narHash" {
+ buildInputs = [ pkgs.nix ];
+ } "echo -n $(nix hash-path ${path}) > $out");
+
+ withNarKeyCompat = flakeCompat: path: moduleAttrs:
+ let module = (flakeCompat path).${moduleAttrs};
+ narHash = computeNarHash path;
+ in if builtins.isFunction module
+ then args@{ config, lib, pkgs, ... }: (module args // { key = narHash; })
+ else module // { key = narHash; };
+
+ withNarKey = dep: moduleAttrs:
+ let module = dep.${moduleAttrs};
+ in if builtins.isFunction module
+ then args@{ config, lib, pkgs, ... }: (module args // { key = dep.narHash; })
+ else module // { key = dep.narHash; };
+ };
+ };
+}
diff --git a/flakes/private/openarc/flake.lock b/flakes/private/openarc/flake.lock
index f15e441..76ddaed 100644
--- a/flakes/private/openarc/flake.lock
+++ b/flakes/private/openarc/flake.lock
@@ -1,5 +1,16 @@
 {
 "nodes": {
+ "files-watcher": {
+ "locked": {
+ "narHash": "sha256-6urOJuzXsu4HJHyVmrZHd40SMzzTeHiOiDOM40q53Y0=",
+ "path": "../../files-watcher",
+ "type": "path"
+ },
+ "original": {
+ "path": "../../files-watcher",
+ "type": "path"
+ }
+ },
 "flake-utils": {
 "locked": {
 "lastModified": 1609246779,
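Review bot: `computeNarHash` in `flakes/lib/flake.nix` reads a derivation's output during evaluation (`builtins.readFile (pkgs.runCommand ...)`), so every caller of `withNarKeyCompat` — `modules/default.nix` in this commit — now needs a build (import-from-derivation) plus this flake's own locked `nixpkgs` just to assemble its module list; the new `nixpkgs` node and the renaming of the old one to `nixpkgs_2` in the openarc and opendmarc lock files are the visible cost of that second nixpkgs. The `key` attribute both helpers attach is what lets the module system treat one `nixosModule` imported from several flakes as a single module, but the file never says so; a comment above `withNarKeyCompat` such as `# key lets the module system deduplicate this module when it is imported by several paths; both helpers must yield the same string for the same module` would make the contract explicit. On that point, `withNarKey` uses the flake-provided `dep.narHash` (SRI `sha256-...`, as the lock files show) while `withNarKeyCompat` uses whatever `nix hash-path` prints, whose default format has differed between Nix releases; pinning the format (e.g. `nix hash-path --sri`) or documenting that the two must agree would avoid a duplicate option declaration if both import paths ever meet in one configuration.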
@@ -15,6 +26,20 @@
 "type": "github"
 }
 },
+ "my-lib": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "narHash": "sha256-YJREl39cf4zrFdAULMu1Yjg7hIEZCLuCnP8qJvWbIvM=",
+ "path": "../../lib",
+ "type": "path"
+ },
+ "original": {
+ "path": "../../lib",
+ "type": "path"
+ }
+ },
 "myuids": {
 "locked": {
 "dir": "flakes/myuids",
@@ -48,6 +73,21 @@
 }
 },
 "nixpkgs": {
+ "locked": {
+ "lastModified": 1631570365,
+ "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "df7113c0727881519248d4c7d080324e0ee3327b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
 "locked": {
 "lastModified": 1597943282,
 "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
@@ -66,7 +106,7 @@
 "inputs": {
 "flake-utils": "flake-utils",
 "myuids": "myuids",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
 "openarc": "openarc_2"
 },
 "locked": {
@@ -97,6 +137,8 @@
 },
 "root": {
 "inputs": {
+ "files-watcher": "files-watcher",
+ "my-lib": "my-lib",
 "nix-lib": "nix-lib",
 "openarc": "openarc"
 }
diff --git a/flakes/private/openarc/flake.nix b/flakes/private/openarc/flake.nix
index fd8ec56..9cc9aed 100644
--- a/flakes/private/openarc/flake.nix
+++ b/flakes/private/openarc/flake.nix
@@ -3,40 +3,51 @@
 path = "../../openarc";
 type = "path";
 };
+ inputs.files-watcher = {
+ path = "../../files-watcher";
+ type = "path";
+ };
+ inputs.my-lib = {
+ path = "../../lib";
+ type = "path";
+ };
 inputs.nix-lib.url = "github:NixOS/nixpkgs";
 description = "Private configuration for openarc";
- outputs = { self, nix-lib, openarc }:
+ outputs = { self, nix-lib, my-lib, files-watcher, openarc }:
 let
- cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') {
- services.openarc = {
- enable = true;
- user = "opendkim";
- socket = "local:${config.myServices.mail.milters.sockets.openarc}";
- group = config.services.postfix.group;
- configFile = pkgs.writeText "openarc.conf" ''
- AuthservID mail.immae.eu
- Domain mail.immae.eu
- KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
- Mode sv
- Selector eldiron
- SoftwareHeader yes
- Syslog Yes
+ cfg = name': { config, lib, pkgs, name, ... }: {
+ imports = [ (my-lib.lib.withNarKey files-watcher "nixosModule") ];
+ config = lib.mkIf (name == name') {
+ services.openarc = {
+ enable = true;
+ user = "opendkim";
+ socket = "local:${config.myServices.mail.milters.sockets.openarc}";
+ group = config.services.postfix.group;
+ configFile = pkgs.writeText "openarc.conf" ''
+ AuthservID mail.immae.eu
+ Domain mail.immae.eu
+ KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
+ Mode sv
+ Selector eldiron
+ SoftwareHeader yes
+ Syslog Yes
+ '';
+ };
+ systemd.services.openarc.serviceConfig.Slice = "mail.slice";
+ systemd.services.openarc.postStart = lib.optionalString
+ (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
+ while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
+ sleep 0.5
+ done
+ chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
 '';
- };
- systemd.services.openarc.serviceConfig.Slice = "mail.slice";
- systemd.services.openarc.postStart = lib.optionalString
- (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
- while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
- sleep 0.5
- done
- chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
- '';
- services.filesWatcher.openarc = {
- restart = true;
- paths = [
- config.secrets.fullPaths."opendkim/eldiron.private"
- ];
+ services.filesWatcher.openarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendkim/eldiron.private"
+ ];
+ };
 };
 };
 in
diff --git a/flakes/private/opendmarc/flake.lock b/flakes/private/opendmarc/flake.lock
index 33e00a4..ea056e5 100644
--- a/flakes/private/opendmarc/flake.lock
+++ b/flakes/private/opendmarc/flake.lock
@@ -1,5 +1,16 @@
 {
 "nodes": {
+ "files-watcher": {
+ "locked": {
+ "narHash": "sha256-6urOJuzXsu4HJHyVmrZHd40SMzzTeHiOiDOM40q53Y0=",
+ "path": "../../files-watcher",
+ "type": "path"
+ },
+ "original": {
+ "path": "../../files-watcher",
+ "type": "path"
+ }
+ },
 "flake-utils": {
 "locked": {
 "lastModified": 1609246779,
@@ -15,6 +26,20 @@
 "type": "github"
 }
 },
+ "my-lib": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "narHash": "sha256-HGNP1eH7b42BxViYx/F3ZPO9CM1X+5qfA9JoP2ArN+s=",
+ "path": "../../lib",
+ "type": "path"
+ },
+ "original": {
+ "path": "../../lib",
+ "type": "path"
+ }
+ },
 "myuids": {
 "locked": {
 "dir": "flakes/myuids",
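Review bot: The added `imports = [ (my-lib.lib.withNarKey files-watcher "nixosModule") ];` line sits outside the `lib.mkIf (name == name')` that now wraps only `config`, so the files-watcher module is imported into every host that includes this flake's module, not just the one named `name'`; that is the shape the module system requires (imports cannot depend on config), but it changes what the old all-under-`mkIf` version did and deserves a comment such as `# imports cannot live under mkIf, so the watcher module is declared on every host; only the config below is gated on the host name`. The identical `cfg` rewrite in `flakes/private/opendmarc/flake.nix` has the same gap. The moved `postStart` loop still waits for the socket with no upper bound (`while [ ! -S ... ]; do sleep 0.5; done`), presumably leaving systemd's start timeout as the only backstop if the socket never appears; a short comment saying so would stop someone from adding a second, conflicting timeout later. The enclosing `outputs` body continues past the end of the hunk.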
@@ -48,6 +73,21 @@
 }
 },
 "nixpkgs": {
+ "locked": {
+ "lastModified": 1631570365,
+ "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "df7113c0727881519248d4c7d080324e0ee3327b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
 "locked": {
 "lastModified": 1597943282,
 "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
@@ -66,7 +106,7 @@
 "inputs": {
 "flake-utils": "flake-utils",
 "myuids": "myuids",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs_2"
 },
 "locked": {
 "narHash": "sha256-eIe5hzNsp1zz5m4ZMzORwdHuLkhEsKkS7WMpPOJE4ok=",
@@ -80,6 +120,8 @@
 },
 "root": {
 "inputs": {
+ "files-watcher": "files-watcher",
+ "my-lib": "my-lib",
 "nix-lib": "nix-lib",
 "opendmarc": "opendmarc"
 }
diff --git a/flakes/private/opendmarc/flake.nix b/flakes/private/opendmarc/flake.nix
index ae96c30..4b54ccf 100644
--- a/flakes/private/opendmarc/flake.nix
+++ b/flakes/private/opendmarc/flake.nix
@@ -3,54 +3,65 @@
 path = "../../opendmarc";
 type = "path";
 };
+ inputs.files-watcher = {
+ path = "../../files-watcher";
+ type = "path";
+ };
+ inputs.my-lib = {
+ path = "../../lib";
+ type = "path";
+ };
 inputs.nix-lib.url = "github:NixOS/nixpkgs";
 description = "Private configuration for opendmarc";
- outputs = { self, nix-lib, opendmarc }:
+ outputs = { self, nix-lib, opendmarc, my-lib, files-watcher }:
 let
- cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') {
- users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
- systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
- services.opendmarc = {
- enable = true;
- socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
- configFile = pkgs.writeText "opendmarc.conf" ''
- AuthservID HOSTNAME
- FailureReports false
- FailureReportsBcc postmaster@immae.eu
- FailureReportsOnNone true
- FailureReportsSentBy postmaster@immae.eu
- IgnoreAuthenticatedClients true
- IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
- SoftwareHeader true
- SPFIgnoreResults true
- SPFSelfValidate true
- UMask 002
- '';
- group = config.services.postfix.group;
- };
- services.filesWatcher.opendmarc = {
- restart = true;
- paths = [
- config.secrets.fullPaths."opendmarc/ignore.hosts"
+ cfg = name': { config, lib, pkgs, name, ... }: {
+ imports = [ (my-lib.lib.withNarKey files-watcher "nixosModule") ];
+ config = lib.mkIf (name == name') {
+ users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+ systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
+ services.opendmarc = {
+ enable = true;
+ socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
+ configFile = pkgs.writeText "opendmarc.conf" ''
+ AuthservID HOSTNAME
+ FailureReports false
+ FailureReportsBcc postmaster@immae.eu
+ FailureReportsOnNone true
+ FailureReportsSentBy postmaster@immae.eu
+ IgnoreAuthenticatedClients true
+ IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
+ SoftwareHeader true
+ SPFIgnoreResults true
+ SPFSelfValidate true
+ UMask 002
+ '';
+ group = config.services.postfix.group;
+ };
+ services.filesWatcher.opendmarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendmarc/ignore.hosts"
+ ];
+ };
+ secrets.keys = [
+ {
+ dest = "opendmarc/ignore.hosts";
+ user = config.services.opendmarc.user;
+ group = config.services.opendmarc.group;
+ permissions = "0400";
+ text = let
+ mxes = lib.attrsets.filterAttrs
+ (n: v: v.mx.enable)
+ config.myEnv.servers;
+ in
+ builtins.concatStringsSep "\n" ([
+ config.myEnv.mail.dmarc.ignore_hosts
+ ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
+ }
 ];
 };
- secrets.keys = [
- {
- dest = "opendmarc/ignore.hosts";
- user = config.services.opendmarc.user;
- group = config.services.opendmarc.group;
- permissions = "0400";
- text = let
- mxes = lib.attrsets.filterAttrs
- (n: v: v.mx.enable)
- config.myEnv.servers;
- in
- builtins.concatStringsSep "\n" ([
- config.myEnv.mail.dmarc.ignore_hosts
- ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
- }
- ];
 };
 in
 opendmarc.outputs //
diff --git a/modules/default.nix b/modules/default.nix
index 7ce1cc2..5359e9c 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,10 +1,11 @@
 let
 flakeCompat = import ../lib/flake-compat.nix;
+ flakeLib = (flakeCompat ../flakes/lib).lib;
 in
 {
 myids = (flakeCompat ../flakes/myuids).nixosModule;
 secrets = ./secrets.nix;
- filesWatcher = ./filesWatcher.nix;
+ filesWatcher = flakeLib.withNarKeyCompat flakeCompat ../flakes/files-watcher "nixosModule";
 webstats = ./webapps/webstats;
 diaspora = ./webapps/diaspora.nix;
diff --git a/modules/filesWatcher.nix b/modules/filesWatcher.nix
deleted file mode 100644
index 4444027..0000000
--- a/modules/filesWatcher.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-{ lib, config, pkgs, ... }:
-with lib;
-let
- cfg = config.services.filesWatcher;
-in
-{
- options = {
- services.filesWatcher = with types; mkOption {
- default = {};
- description = ''
- Files to watch and trigger service reload or restart of service
- when changed.
- '';
- type = attrsOf (submodule {
- options = {
- restart = mkEnableOption "Restart service rather than reloading it";
- paths = mkOption {
- type = listOf str;
- description = ''
- Paths to watch that should trigger a reload of the
- service
- '';
- };
- waitTime = mkOption {
- type = int;
- default = 5;
- description = ''
- Time to wait before reloading/restarting the service.
- Set 0 to not wait.
- '';
- };
- };
- });
- };
- };
-
- config.systemd.services = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
- "${name}Watcher" {
- description = "${name} reloader";
- after = [ "network.target" ];
- script = let
- action = if icfg.restart then "restart" else "reload";
- in ''
- # Service may be stopped during file modification (e.g. activationScripts)
- if ${pkgs.systemd}/bin/systemctl --quiet is-active ${name}.service; then
- ${pkgs.coreutils}/bin/sleep ${toString icfg.waitTime}
- ${pkgs.systemd}/bin/systemctl ${action} ${name}.service
- fi
- '';
- serviceConfig = {
- Type = "oneshot";
- };
- }
- ) cfg;
- config.systemd.paths = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
- "${name}Watcher" {
- wantedBy = [ "multi-user.target" ];
- pathConfig.PathChanged = icfg.paths;
- }
- ) cfg;
-}
-- 
2.41.0