From 17f6eae9907a122d4472da727ae8b1ac1c40c027 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Sat, 1 Jun 2019 00:01:46 +0200
Subject: Add a filesWatcher service to restart them when secrets change

---
 modules/secrets.nix | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

(limited to 'modules/secrets.nix')

diff --git a/modules/secrets.nix b/modules/secrets.nix
index b282e56..808b15c 100644
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -39,11 +39,15 @@
 if [ -f /run/keys/secrets.tar ]; then
 if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
 echo "rebuilding secrets"
- rm -rf ${location}
- install -m0750 -o root -g keys -d ${location}
- ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
- sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
- find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+ TMP=$(${pkgs.coreutils}/bin/mktemp -d)
+ if [ -n "$TMP" ]; then
+ install -m0750 -o root -g keys -d $TMP
+ ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -xf /run/keys/secrets.tar
+ sha512sum /run/keys/secrets.tar > $TMP/currentSecrets
+ find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+ ${pkgs.rsync}/bin/rsync -O -c -av --delete $TMP/ ${location}
+ rm -rf $TMP
+ fi
 fi
 fi
 '';
--
cgit v1.2.3
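Review bot: The new `rsync -O -c -av --delete $TMP/ ${location}` line runs unconditionally after the tar extraction, so a truncated or unreadable /run/keys/secrets.tar leaves `$TMP` empty or partial and the sync then deletes the secrets currently in use under `${location}`; the old `rm -rf` path had the same exposure, but the staging directory makes it cheap to guard the sync on tar's exit status, as below. `$TMP` is unquoted on every new line; nothing in the hunk constrains the mktemp output path, so quoting it as `"$TMP"` costs nothing. The extracted secrets also sit under the default mktemp location ($TMPDIR or /tmp) for the duration of the rebuild, on whatever filesystem backs it — if that is not intended, mktemp's `-p`/`--tmpdir` option keeps the staging directory beside `${location}`. The shell snippet is embedded in a Nix `''` string whose start lies outside the hunk.
```nix
            TMP=$(${pkgs.coreutils}/bin/mktemp -d)
            if [ -n "$TMP" ]; then
              install -m0750 -o root -g keys -d "$TMP"
              # only sync into the live directory once the archive extracted completely;
              # a failed extraction must never reach rsync --delete
              if ${pkgs.gnutar}/bin/tar --strip-components 1 -C "$TMP" -xf /run/keys/secrets.tar; then
                sha512sum /run/keys/secrets.tar > "$TMP/currentSecrets"
                find "$TMP" -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
                ${pkgs.rsync}/bin/rsync -O -c -av --delete "$TMP/" ${location}
              fi
              rm -rf "$TMP"
            fi
```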