authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-06-01 00:01:46 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-04-25 00:04:23 +0200
commit06782a203fa0ed5ab29a03c96294f138209211da (patch)
tree8b51a7307e867e3b7cf9467efe0ebd93ff3e78b3
parenta3eb56c4fc73da93d42c9298cc94aafffca0bd37 (diff)
Add a filesWatcher service to restart them when secrets change
-rw-r--r--modules/default.nix1
-rw-r--r--modules/filesWatcher.nix61
-rw-r--r--modules/secrets.nix14
-rw-r--r--modules/websites/default.nix14
4 files changed, 85 insertions, 5 deletions
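--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,6 +1,7 @@
 {
   myids = ./myids.nix;
   secrets = ./secrets.nix;
+  filesWatcher = ./filesWatcher.nix;
 
   webstats = ./webapps/webstats;
   diaspora = ./webapps/diaspora.nix;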
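--- /dev/null
+++ b/modules/filesWatcher.nix
@@ -0,0 +1,61 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.filesWatcher;
+in
+{
+  options = {
+    services.filesWatcher = with types; mkOption {
+      default = {};
+      description = ''
+        Files to watch and trigger service reload or restart of service
+        when changed.
+      '';
+      type = attrsOf (submodule {
+        options = {
+          restart = mkEnableOption "Restart service rather than reloading it";
+          paths = mkOption {
+            type = listOf str;
+            description = ''
+              Paths to watch that should trigger a reload of the
+              service
+            '';
+          };
+          waitTime = mkOption {
+            type = int;
+            default = 5;
+            description = ''
+              Time to wait before reloading/restarting the service.
+              Set 0 to not wait.
+            '';
+          };
+        };
+      });
+    };
+  };
+
+  config.systemd.services = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+    "${name}Watcher" {
+      description = "${name} reloader";
+      after = [ "network.target" ];
+      script = let
+        action = if icfg.restart then "restart" else "reload";
+      in ''
+        # Service may be stopped during file modification (e.g. activationScripts)
+        if ${pkgs.systemd}/bin/systemctl --quiet is-active ${name}.service; then
+          ${pkgs.coreutils}/bin/sleep ${toString icfg.waitTime}
+          ${pkgs.systemd}/bin/systemctl ${action} ${name}.service
+        fi
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+      };
+    }
+  ) cfg;
+  config.systemd.paths = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+    "${name}Watcher" {
+      wantedBy = [ "multi-user.target" ];
+      pathConfig.PathChanged = icfg.paths;
+    }
+  ) cfg;
+}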
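Review bot: `waitTime` at new line 25 is typed `int`, so a negative value passes evaluation and the generated `sleep` at line 46 fails at runtime, leaving `${name}Watcher` failed and the reload silently skipped; `type = ints.unsigned;` matches what the description already says ("Set 0 to not wait"). The default action is `reload` (line 42), which only succeeds for units that define an ExecReload — for any other target service `systemctl reload` refuses the job and the watcher fails the same way, so the `restart` option should say so, e.g. `restart = mkEnableOption "Restart service rather than reloading it (required for services without ExecReload)";`. The `after = [ "network.target" ]` ordering on line 40 has no visible use for a local oneshot that only calls systemctl; a one-line comment giving the reason, or dropping it, would help the next reader.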
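--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -39,11 +39,15 @@
     if [ -f /run/keys/secrets.tar ]; then
       if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
         echo "rebuilding secrets"
-        rm -rf ${location}
-        install -m0750 -o root -g keys -d ${location}
-        ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
-        sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
-        find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+        TMP=$(${pkgs.coreutils}/bin/mktemp -d)
+        if [ -n "$TMP" ]; then
+          install -m0750 -o root -g keys -d $TMP
+          ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -xf /run/keys/secrets.tar
+          sha512sum /run/keys/secrets.tar > $TMP/currentSecrets
+          find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+          ${pkgs.rsync}/bin/rsync -O -c -av --delete $TMP/ ${location}
+          rm -rf $TMP
+        fi
       fi
     fi
   '';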
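Review bot: The cleanup `rm -rf $TMP` at new line 49 runs only after every preceding command has succeeded; if the enclosing script (it starts and ends outside this hunk) runs under `set -e`, a failing tar or rsync aborts before it and leaves the extracted secrets behind in the temporary directory, which `install -m0750 -o root -g keys -d $TMP` at line 44 has already opened to the keys group. Removing the directory on the failure path too — for example by checking each step's return code and running the `rm -rf` before returning — would close that window. The `$TMP` expansions on lines 44–49 should also be quoted (`"$TMP"`), as the `-n` test on line 43 already does. Replacing `rm -rf ${location}` with `rsync -O -c -av --delete` keeps the live directory populated during the rebuild, which is an improvement; note that `-a` preserves the regular-file modes carried by the tarball, exactly as the previous direct extraction did, so file permissions still depend on how secrets.tar was built.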
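--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -91,6 +91,13 @@ in
           };
         });
       };
+      watchPaths = mkOption {
+        type = listOf string;
+        default = [];
+        description = ''
+          Paths to watch that should trigger a reload of httpd
+        '';
+      };
     };
   });
   };
@@ -159,6 +166,13 @@ in
     })
   ) cfg;
 
+  config.services.filesWatcher = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+    "httpd${icfg.httpdName}" {
+      paths = icfg.watchPaths;
+      waitTime = 5;
+    }
+  ) cfg;
+
   config.security.acme.certs = let
     typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg;
     flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: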
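Review bot: The second hunk registers a filesWatcher entry for every entry of `cfg`, including ones with `enable = false` and ones whose `watchPaths` is still the default `[]` from new line 96; the resulting path unit then carries no `PathChanged=` at all, which systemd, as far as I recall, refuses to load, so each website entry without watch paths ends up with a failing `httpd${icfg.httpdName}Watcher.path`. Filtering first, `) (attrsets.filterAttrs (k: v: v.enable && v.watchPaths != []) cfg);`, follows the same `v.enable` convention `typesToManage` already uses at line 177. Separately, line 95 in the first hunk uses `listOf string` while filesWatcher.nix declares the equivalent option as `listOf str`; `types.string` is the deprecated string-merging variant, so `type = listOf str;` is the one to use here. `waitTime = 5;` at line 172 repeats the module default and can be dropped.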