Add a filesWatcher service to restart them when secrets change

[perso/Immae/Config/Nix.git] / modules / private / buildbot / default.nix

diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix
index fa6a6f20f3c4a17d3c6c2cc2bb59a4e2149c6fde..d023a835e83afc5f989496fc45b2e1dd0fe25e7a 100644 (file)
--- a/modules/private/buildbot/default.nix
+++ b/modules/private/buildbot/default.nix
@@ -37,6 +37,10 @@ in
       extraGroups = [ "keys" ];
     };
 
+    services.websites.tools.watchPaths = lib.attrsets.mapAttrsToList
+      (k: project: "/var/secrets/buildbot/${project.name}/webhook-httpd-include")
+      myconfig.env.buildbot.projects;
+
     services.websites.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: ''
         RedirectMatch permanent "^/buildbot/${project.name}$" "/buildbot/${project.name}/"
         RewriteEngine On
@@ -106,6 +110,14 @@ in
       }
     ];
 
+    services.filesWatcher = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
+      restart = true;
+      paths = [
+        "/var/secrets/buildbot/ldap"
+        "/var/secrets/buildbot/ssh_key"
+      ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets;
+    }) myconfig.env.buildbot.projects;
+
     systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
       description = "Buildbot Continuous Integration Server ${project.name}.";
       after = [ "network-online.target" ];