authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-06-01 00:01:46 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-06-01 00:01:46 +0200
commit17f6eae9907a122d4472da727ae8b1ac1c40c027 (patch)
tree133ab8877a47ec707cb8c96e561a29e45395fce6
parentf33aade75160a345a721fd60451b9edaa4d10e44 (diff)
Add a filesWatcher service to restart them when secrets change
-rw-r--r--modules/default.nix1
-rw-r--r--modules/filesWatcher.nix61
-rw-r--r--modules/private/buildbot/default.nix12
-rw-r--r--modules/private/databases/openldap/default.nix5
-rw-r--r--modules/private/ftp.nix5
-rw-r--r--modules/private/mpd.nix5
-rw-r--r--modules/private/tasks/default.nix1
-rw-r--r--modules/private/websites/aten/integration.nix3
-rw-r--r--modules/private/websites/aten/production.nix4
-rw-r--r--modules/private/websites/chloe/integration.nix3
-rw-r--r--modules/private/websites/chloe/production.nix3
-rw-r--r--modules/private/websites/connexionswing/integration.nix4
-rw-r--r--modules/private/websites/connexionswing/production.nix4
-rw-r--r--modules/private/websites/default.nix4
-rw-r--r--modules/private/websites/florian/app.nix4
-rw-r--r--modules/private/websites/ludivinecassal/integration.nix4
-rw-r--r--modules/private/websites/ludivinecassal/production.nix4
-rw-r--r--modules/private/websites/tools/diaspora/default.nix5
-rw-r--r--modules/private/websites/tools/ether/default.nix5
-rw-r--r--modules/private/websites/tools/mastodon/default.nix13
-rw-r--r--modules/private/websites/tools/mgoblin/default.nix8
-rw-r--r--modules/private/websites/tools/peertube/default.nix5
-rw-r--r--modules/private/websites/tools/tools/default.nix12
-rw-r--r--modules/secrets.nix14
-rw-r--r--modules/websites/default.nix14
25 files changed, 197 insertions, 6 deletions
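--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,6 +1,7 @@
 {
   myids = ./myids.nix;
   secrets = ./secrets.nix;
+  filesWatcher = ./filesWatcher.nix;
 
   webstats = ./webapps/webstats;
   diaspora = ./webapps/diaspora.nix;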
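--- /dev/null
+++ b/modules/filesWatcher.nix
@@ -0,0 +1,61 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.filesWatcher;
+in
+{
+  options = {
+    services.filesWatcher = with types; mkOption {
+      default = {};
+      description = ''
+        Files to watch and trigger service reload or restart of service
+        when changed.
+      '';
+      type = attrsOf (submodule {
+        options = {
+          restart = mkEnableOption "Restart service rather than reloading it";
+          paths = mkOption {
+            type = listOf str;
+            description = ''
+              Paths to watch that should trigger a reload of the
+              service
+            '';
+          };
+          waitTime = mkOption {
+            type = int;
+            default = 5;
+            description = ''
+              Time to wait before reloading/restarting the service.
+              Set 0 to not wait.
+            '';
+          };
+        };
+      });
+    };
+  };
+
+  config.systemd.services = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+    "${name}Watcher" {
+      description = "${name} reloader";
+      after = [ "network.target" ];
+      script = let
+        action = if icfg.restart then "restart" else "reload";
+      in ''
+        # Service may be stopped during file modification (e.g. activationScripts)
+        if ${pkgs.systemd}/bin/systemctl --quiet is-active ${name}.service; then
+          ${pkgs.coreutils}/bin/sleep ${toString icfg.waitTime}
+          ${pkgs.systemd}/bin/systemctl ${action} ${name}.service
+        fi
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+      };
+    }
+  ) cfg;
+  config.systemd.paths = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+    "${name}Watcher" {
+      wantedBy = [ "multi-user.target" ];
+      pathConfig.PathChanged = icfg.paths;
+    }
+  ) cfg;
+}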
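Review bot: `waitTime` is declared as `type = int;` (line 25) but is interpolated straight into `sleep` (line 46), so a negative value makes every trigger of the oneshot fail at runtime rather than at evaluation; `type = ints.unsigned;` would reject it up front. The script also deserves a comment on what `waitTime` is really buffering: as far as I know a `PathChanged=` unit does not queue a second run while its oneshot is still sleeping or restarting, so a multi-file secrets rewrite is coalesced only if it finishes within `waitTime`, and otherwise the service can be restarted against a half-written directory. Suggested comment above the `sleep`: `# waitTime must cover the whole secrets rewrite: PathChanged fires on the first file and changes during the sleep/restart do not re-trigger`. The `after = [ "network.target" ]` ordering (line 40) has no bearing on a local reloader and could be dropped.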
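--- a/modules/private/buildbot/default.nix
+++ b/modules/private/buildbot/default.nix
@@ -37,6 +37,10 @@ in
     extraGroups = [ "keys" ];
   };
 
+  services.websites.tools.watchPaths = lib.attrsets.mapAttrsToList
+    (k: project: "/var/secrets/buildbot/${project.name}/webhook-httpd-include")
+    myconfig.env.buildbot.projects;
+
   services.websites.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: ''
     RedirectMatch permanent "^/buildbot/${project.name}$" "/buildbot/${project.name}/"
     RewriteEngine On
@@ -106,6 +110,14 @@ in
     }
   ];
 
+  services.filesWatcher = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
+    restart = true;
+    paths = [
+      "/var/secrets/buildbot/ldap"
+      "/var/secrets/buildbot/ssh_key"
+    ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets;
+  }) myconfig.env.buildbot.projects;
+
   systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
     description = "Buildbot Continuous Integration Server ${project.name}.";
     after = [ "network-online.target" ];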
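Review bot: The watched paths in the second hunk are hard-coded as `/var/secrets/buildbot/...` while the openldap hunk of this same commit derives its path from `config.secrets.location`; if the secrets location is ever moved, these watchers keep watching a directory that no longer receives updates and the buildbot services silently stop being restarted on key rotation. Presumably `/var/secrets` is the current value of that option, so `"${config.secrets.location}/buildbot/ldap"` and `"${config.secrets.location}/buildbot/ssh_key"` (and the same prefix in the `mapAttrsToList` on line 118 and in `watchPaths` on line 41) would keep the two in sync. Note also that every project's watcher lists the shared `ldap` and `ssh_key` files, so one rotation of those restarts all buildbot instances within the same 5 s window, which is fine but worth a one-line comment.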
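--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -144,6 +144,11 @@ in
     '';
   };
 
+  services.filesWatcher.openldap = {
+    restart = true;
+    paths = [ "${config.secrets.location}/ldap/" ];
+  };
+
   services.openldap = {
     enable = true;
     dataDir = cfg.dataDir;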
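Review bot: Restarting slapd on any change under `${config.secrets.location}/ldap/` is service-disrupting for every LDAP consumer, and the sibling hunks of this commit make pure-ftpd, the buildbot instances and the httpd instances restart or reload on their own LDAP secret with the same default 5 s delay, so a single secrets rebuild that touches both may restart the consumers while slapd itself is still coming back up. If the consumers reconnect lazily that is harmless; if they validate the bind at startup they will fail once and stay down. A larger `waitTime` on the consumer watchers (or a smaller one here) would order the two, and a short comment stating why `restart` rather than `reload` is needed for slapd would help the next reader. This ordering concern is inferred from the other hunks, not verified against the service units.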
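--- a/modules/private/ftp.nix
+++ b/modules/private/ftp.nix
@@ -72,6 +72,11 @@ in
     '';
   }];
 
+  services.filesWatcher.pure-ftpd = {
+    restart = true;
+    paths = [ "/var/secrets/pure-ftpd-ldap" ];
+  };
+
   systemd.services.pure-ftpd = let
     configFile = pkgs.writeText "pure-ftpd.conf" ''
       PassivePortRange 40000 50000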
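--- a/modules/private/mpd.nix
+++ b/modules/private/mpd.nix
@@ -20,6 +20,11 @@
   networking.firewall.allowedTCPPorts = [ 6600 ];
   users.users.mpd.extraGroups = [ "wwwrun" "keys" ];
   systemd.services.mpd.serviceConfig.RuntimeDirectory = "mpd";
+  services.filesWatcher.mpd = {
+    restart = true;
+    paths = [ "/var/secrets/mpd-config" ];
+  };
+
   services.mpd = {
     enable = true;
     network.listenAddress = "any";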
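--- a/modules/private/tasks/default.nix
+++ b/modules/private/tasks/default.nix
@@ -101,6 +101,7 @@ in {
       SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
     '';
   }];
+  services.websites.tools.watchPaths = [ "/var/secrets/webapps/tools-taskwarrior-web" ];
   services.websites.tools.modules = [ "proxy_fcgi" "sed" ];
   services.websites.tools.vhostConfs.task = {
     certName = "eldiron";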
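--- a/modules/private/websites/aten/integration.nix
+++ b/modules/private/websites/aten/integration.nix
@@ -27,6 +27,9 @@ in {
       root = aten.apache.root;
       extraConfig = [ aten.apache.vhostConf ];
     };
+    services.websites.integration.watchPaths = [
+      "/var/secrets/webapps/${aten.app.environment}-aten"
+    ];
   };
 }
 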
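--- a/modules/private/websites/aten/production.nix
+++ b/modules/private/websites/aten/production.nix
@@ -29,6 +29,8 @@ in {
       root = aten.apache.root;
       extraConfig = [ aten.apache.vhostConf ];
     };
+    services.websites.production.watchPaths = [
+      "/var/secrets/webapps/${aten.app.environment}-aten"
+    ];
   };
 }
-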
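Review bot: For aten only httpd is reloaded when `/var/secrets/webapps/${aten.app.environment}-aten` changes, whereas the connexionswing, ludivinecassal and florian hunks of this commit restart a `phpfpm-*` pool for the equivalent secret. If the aten secret is consumed by httpd alone (e.g. an `Include`/`SetEnv` in `aten.apache.vhostConf`) this is correct; if the PHP pool reads it as well, the reload leaves PHP running with the old credentials until its next restart. I cannot see how the file is consumed from this hunk, so please confirm and, if warranted, add `services.filesWatcher.phpfpm-aten_prod = { restart = true; paths = [ "/var/secrets/webapps/${aten.app.environment}-aten" ]; };` alongside. A one-line comment stating "httpd-only consumer" would settle the question for the next reader.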
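--- a/modules/private/websites/chloe/integration.nix
+++ b/modules/private/websites/chloe/integration.nix
@@ -32,5 +32,8 @@ in {
       root = chloe.apache.root;
       extraConfig = [ chloe.apache.vhostConf ];
     };
+    services.websites.integration.watchPaths = [
+      "/var/secrets/webapps/${chloe.app.environment}-chloe"
+    ];
   };
 }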
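--- a/modules/private/websites/chloe/production.nix
+++ b/modules/private/websites/chloe/production.nix
@@ -34,5 +34,8 @@ in {
       root = chloe.apache.root;
       extraConfig = [ chloe.apache.vhostConf ];
     };
+    services.websites.production.watchPaths = [
+      "/var/secrets/webapps/${chloe.app.environment}-chloe"
+    ];
   };
 }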
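--- a/modules/private/websites/connexionswing/integration.nix
+++ b/modules/private/websites/connexionswing/integration.nix
@@ -31,6 +31,10 @@ in {
       root = connexionswing.apache.root;
       extraConfig = [ connexionswing.apache.vhostConf ];
     };
+    services.filesWatcher.phpfpm-connexionswing_dev = {
+      restart = true;
+      paths = [ "/var/secrets/webapps/${connexionswing.app.environment}-connexionswing" ];
+    };
   };
 }
 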
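Review bot: `restart = true` on the `phpfpm-connexionswing_dev` watcher drops in-flight PHP requests every time the secret file is rewritten, while php-fpm's graceful reload (SIGUSR2) re-reads the pool configuration, including any `env[...]` values, without doing so. Whether the pool unit here exposes a `reload` action and whether the secret is consumed through the pool config rather than read by the application at request time cannot be seen from this hunk, so please confirm; if both hold, leaving `restart` unset (the module default is reload) is the safer choice. The attribute name `phpfpm-connexionswing_dev` is also a hard-coded string while the path is derived from `connexionswing.app.environment`; if the two are meant to stay coupled, deriving the pool name from the same value would prevent them from drifting apart.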
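--- a/modules/private/websites/connexionswing/production.nix
+++ b/modules/private/websites/connexionswing/production.nix
@@ -33,6 +33,10 @@ in {
       root = connexionswing.apache.root;
       extraConfig = [ connexionswing.apache.vhostConf ];
     };
+    services.filesWatcher.phpfpm-connexionswing_prod = {
+      restart = true;
+      paths = [ "/var/secrets/webapps/${connexionswing.app.environment}-connexionswing" ];
+    };
   };
 }
 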
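--- a/modules/private/websites/default.nix
+++ b/modules/private/websites/default.nix
@@ -138,6 +138,10 @@ in
     '';
   };
 
+  services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ];
+  services.filesWatcher.httpdInte.paths = [ "/var/secrets/apache-ldap" ];
+  services.filesWatcher.httpdTools.paths = [ "/var/secrets/apache-ldap" ];
+
   services.websites.production = {
     enable = true;
     adminAddr = "httpd@immae.eu";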
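Review bot: The three watcher names `httpdProd`, `httpdInte` and `httpdTools` are written by hand here but must match the `"httpd${icfg.httpdName}"` names generated in modules/websites/default.nix in this same commit; a typo or a renamed `httpdName` does not fail evaluation, it yields a path unit whose oneshot targets a service that does not exist, and the `is-active` guard in the watcher script then makes it a silent no-op, so the LDAP bind credentials for httpd would stop being picked up without any error. The commit already provides the right hook for this, used by the aten and chloe hunks: `services.websites.production.watchPaths = [ "/var/secrets/apache-ldap" ];` (and likewise for `integration` and `tools`), which cannot drift from the generated unit name. If the direct form is kept on purpose, a comment pointing at the generating expression would at least make the coupling visible.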
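--- a/modules/private/websites/florian/app.nix
+++ b/modules/private/websites/florian/app.nix
@@ -32,5 +32,9 @@ in {
         adminer.apache.vhostConf
       ];
     };
+    services.filesWatcher.phpfpm-tellesflorian_dev = {
+      restart = true;
+      paths = [ "/var/secrets/webapps/${tellesflorian.app.environment}-tellesflorian" ];
+    };
   };
 }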
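--- a/modules/private/websites/ludivinecassal/integration.nix
+++ b/modules/private/websites/ludivinecassal/integration.nix
@@ -28,5 +28,9 @@ in {
       root = ludivinecassal.apache.root;
       extraConfig = [ ludivinecassal.apache.vhostConf ];
     };
+    services.filesWatcher.phpfpm-ludivinecassal_dev = {
+      restart = true;
+      paths = [ "/var/secrets/webapps/${ludivinecassal.app.environment}-ludivinecassal" ];
+    };
   };
 }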
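--- a/modules/private/websites/ludivinecassal/production.nix
+++ b/modules/private/websites/ludivinecassal/production.nix
@@ -29,5 +29,9 @@ in {
       root = ludivinecassal.apache.root;
       extraConfig = [ ludivinecassal.apache.vhostConf ];
     };
+    services.filesWatcher.phpfpm-ludivinecassal_prod = {
+      restart = true;
+      paths = [ "/var/secrets/webapps/${ludivinecassal.app.environment}-ludivinecassal" ];
+    };
   };
 }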
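--- a/modules/private/websites/tools/diaspora/default.nix
+++ b/modules/private/websites/tools/diaspora/default.nix
@@ -145,6 +145,11 @@ in {
     configDir = "/var/secrets/webapps/diaspora";
   };
 
+  services.filesWatcher.diaspora = {
+    restart = true;
+    paths = [ dcfg.configDir ];
+  };
+
   services.websites.tools.modules = [
     "headers" "proxy" "proxy_http"
   ];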
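--- a/modules/private/websites/tools/ether/default.nix
+++ b/modules/private/websites/tools/ether/default.nix
@@ -133,6 +133,11 @@ in {
 
   systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
 
+  services.filesWatcher.etherpad-lite = {
+    restart = true;
+    paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
+  };
+
   services.websites.tools.modules = [
     "headers" "proxy" "proxy_http" "proxy_wstunnel"
   ];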
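--- a/modules/private/websites/tools/mastodon/default.nix
+++ b/modules/private/websites/tools/mastodon/default.nix
@@ -63,6 +63,19 @@ in {
     socketsPrefix = "live_immae";
     dataDir = "/var/lib/mastodon_immae";
   };
+  services.filesWatcher.mastodon-streaming = {
+    restart = true;
+    paths = [ mcfg.configFile ];
+  };
+  services.filesWatcher.mastodon-web = {
+    restart = true;
+    paths = [ mcfg.configFile ];
+  };
+  services.filesWatcher.mastodon-sidekiq = {
+    restart = true;
+    paths = [ mcfg.configFile ];
+  };
+
 
   services.websites.tools.modules = [
     "headers" "proxy" "proxy_wstunnel" "proxy_http"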
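Review bot: The three watcher definitions on lines 66 to 77 are identical except for the service name, which is the kind of repetition that drifts when one copy is later edited; generating them keeps the three Mastodon units in lockstep, e.g. `services.filesWatcher = lib.genAttrs [ "mastodon-streaming" "mastodon-web" "mastodon-sidekiq" ] (_: { restart = true; paths = [ mcfg.configFile ]; });` (assuming `lib` is in scope in this module, which the hunk does not show). The added blank line 78 followed by the existing blank line 79 also leaves a double blank; one of them can go.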
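--- a/modules/private/websites/tools/mgoblin/default.nix
+++ b/modules/private/websites/tools/mgoblin/default.nix
@@ -78,6 +78,14 @@ in {
     plugins = builtins.attrValues pkgs.webapps.mediagoblin-plugins;
     configFile = "/var/secrets/webapps/tools-mediagoblin";
   };
+  services.filesWatcher.mediagoblin-web = {
+    restart = true;
+    paths = [ mcfg.configFile ];
+  };
+  services.filesWatcher.mediagoblin-celeryd = {
+    restart = true;
+    paths = [ mcfg.configFile ];
+  };
 
   services.websites.tools.modules = [
     "proxy" "proxy_http"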
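--- a/modules/private/websites/tools/peertube/default.nix
+++ b/modules/private/websites/tools/peertube/default.nix
@@ -153,6 +153,11 @@ in {
   services.websites.tools.modules = [
     "headers" "proxy" "proxy_http" "proxy_wstunnel"
   ];
+  services.filesWatcher.peertube = {
+    restart = true;
+    paths = [ pcfg.configFile ];
+  };
+
   services.websites.tools.vhostConfs.peertube = {
     certName = "eldiron";
     addToCerts = true;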
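--- a/modules/private/websites/tools/tools/default.nix
+++ b/modules/private/websites/tools/tools/default.nix
@@ -212,6 +212,11 @@ in {
     };
   };
 
+  services.filesWatcher.ympd = {
+    restart = true;
+    paths = [ "/var/secrets/mpd" ];
+  };
+
   services.phpfpm.pools.roundcubemail = {
     listen = roundcubemail.phpFpm.socket;
     extraConfig = roundcubemail.phpFpm.pool;
@@ -297,6 +302,13 @@ in {
     "${kanboard.apache.webappName}" = kanboard.webRoot;
   };
 
+  services.websites.tools.watchPaths = [
+    "/var/secrets/webapps/tools-wallabag"
+  ];
+  services.filesWatcher.phpfpm-wallabag = {
+    restart = true;
+    paths = [ "/var/secrets/webapps/tools-wallabag" ];
+  };
 };
 }
 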
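Review bot: In the second hunk the literal `"/var/secrets/webapps/tools-wallabag"` appears twice (lines 306 and 310), once for the httpd reload and once for the php-fpm restart; if the file is ever renamed only one of the two consumers will follow. Binding it once, e.g. `wallabagSecrets = "/var/secrets/webapps/tools-wallabag";` in the enclosing `let` and referencing `wallabagSecrets` in both lists, keeps them coupled. In the first hunk the ympd watcher points at `/var/secrets/mpd` while mpd.nix in this same commit watches `/var/secrets/mpd-config`; these may well be two different secrets, but since neither path is visible in this hunk, please confirm that `/var/secrets/mpd` is the file ympd actually reads.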
diff --git a/modules/secrets.nix b/modules/secrets.nix
index b282e56..808b15c 100644
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -39,11 +39,15 @@
39 if [ -f /run/keys/secrets.tar ]; then 39 if [ -f /run/keys/secrets.tar ]; then
40 if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then 40 if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
41 echo "rebuilding secrets" 41 echo "rebuilding secrets"
42 rm -rf ${location} 42 TMP=$(${pkgs.coreutils}/bin/mktemp -d)
43 install -m0750 -o root -g keys -d ${location} 43 if [ -n "$TMP" ]; then
44 ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar 44 install -m0750 -o root -g keys -d $TMP
45 sha512sum /run/keys/secrets.tar > ${location}/currentSecrets 45 ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -xf /run/keys/secrets.tar
46 find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \; 46 sha512sum /run/keys/secrets.tar > $TMP/currentSecrets
47 find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
48 ${pkgs.rsync}/bin/rsync -O -c -av --delete $TMP/ ${location}
49 rm -rf $TMP
50 fi
47 fi 51 fi
48 fi 52 fi
49 ''; 53 '';
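Review bot: The new staging directory from `mktemp -d` (new line 42) is never removed if `tar` or `rsync` fails, so a partial copy of every secret is left behind under `/tmp` (or `$TMPDIR`) on error; adding `trap 'rm -rf "$TMP"' EXIT` right after the `if [ -n "$TMP" ]` check covers both the success and the failure path and makes the explicit `rm -rf $TMP` on line 49 redundant. Staging in `/tmp` also means the secrets transit a filesystem chosen by the environment rather than the one holding `${location}`; `mktemp -d -p "$(dirname ${location})"` keeps them next to their destination, which on a tmpfs-backed `/tmp` also avoids the question of whether that is acceptable for key material. The `-c` flag on `rsync` is doing real work here, rewriting only files whose content changed so the new path watchers are not triggered spuriously, and deserves a one-line comment saying so. I cannot see whether the activation script runs with `set -e`, so the cleanup point is about the error path regardless.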
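--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -91,6 +91,13 @@ in
             };
           });
         };
+        watchPaths = mkOption {
+          type = listOf string;
+          default = [];
+          description = ''
+            Paths to watch that should trigger a reload of httpd
+          '';
+        };
       };
     });
   };
@@ -159,6 +166,13 @@ in
     })
   ) cfg;
 
+  config.services.filesWatcher = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+    "httpd${icfg.httpdName}" {
+      paths = icfg.watchPaths;
+      waitTime = 5;
+    }
+  ) cfg;
+
   config.security.acme.certs = let
     typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg;
     flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: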
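Review bot: The second hunk generates a watcher for every entry of `cfg`, including ones whose merged `watchPaths` is still empty, and an empty `paths` list yields a systemd path unit with no `PathChanged=` directive, which systemd refuses to load rather than treating as a no-op, so such an entry would show up as a failed `httpd*Watcher.path` unit; filtering first, e.g. `) (attrsets.filterAttrs (_: v: v.watchPaths != []) cfg);` in place of `) cfg;`, avoids that. Whether any entry actually ends up empty depends on the private modules that populate `watchPaths`, which this hunk cannot show, so treat this as a robustness check rather than a reported failure. Two smaller points in the same hunks: `waitTime = 5;` restates the option default and can be dropped, and `listOf string` in the first hunk uses the deprecated `types.string` where the new filesWatcher module uses `listOf str`; aligning on `str` keeps the two option declarations consistent.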