-rw-r--r-- | modules/default.nix | 1 | ||||
-rw-r--r-- | modules/filesWatcher.nix | 61 | ||||
-rw-r--r-- | modules/secrets.nix | 14 | ||||
-rw-r--r-- | modules/websites/default.nix | 14 |
4 files changed, 85 insertions, 5 deletions
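--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,6 +1,7 @@
 {
 myids = ./myids.nix;
 secrets = ./secrets.nix;
+filesWatcher = ./filesWatcher.nix;
 
 webstats = ./webapps/webstats;
 diaspora = ./webapps/diaspora.nix;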
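--- /dev/null
+++ b/modules/filesWatcher.nix
@@ -0,0 +1,61 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+cfg = config.services.filesWatcher;
+in
+{
+options = {
+services.filesWatcher = with types; mkOption {
+default = {};
+description = ''
+Files to watch and trigger service reload or restart of service
+when changed.
+'';
+type = attrsOf (submodule {
+options = {
+restart = mkEnableOption "Restart service rather than reloading it";
+paths = mkOption {
+type = listOf str;
+description = ''
+Paths to watch that should trigger a reload of the
+service
+'';
+};
+waitTime = mkOption {
+type = int;
+default = 5;
+description = ''
+Time to wait before reloading/restarting the service.
+Set 0 to not wait.
+'';
+};
+};
+});
+};
+};
+
+config.systemd.services = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+"${name}Watcher" {
+description = "${name} reloader";
+after = [ "network.target" ];
+script = let
+action = if icfg.restart then "restart" else "reload";
+in ''
+# Service may be stopped during file modification (e.g. activationScripts)
+if ${pkgs.systemd}/bin/systemctl --quiet is-active ${name}.service; then
+${pkgs.coreutils}/bin/sleep ${toString icfg.waitTime}
+${pkgs.systemd}/bin/systemctl ${action} ${name}.service
+fi
+'';
+serviceConfig = {
+Type = "oneshot";
+};
+}
+) cfg;
+config.systemd.paths = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+"${name}Watcher" {
+wantedBy = [ "multi-user.target" ];
+pathConfig.PathChanged = icfg.paths;
+}
+) cfg;
+}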
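Review bot: The `is-active` guard in the watcher script runs before the `sleep`, so a service that is stopped during the wait window (the very scenario the comment on the line above describes, activation scripts stopping it while files are modified) still gets `systemctl reload`/`restart` issued against it and the oneshot watcher unit ends up failed. Running the wait first and then the guarded action avoids that: `${pkgs.coreutils}/bin/sleep ${toString icfg.waitTime}` followed by `if ${pkgs.systemd}/bin/systemctl --quiet is-active ${name}.service; then ${pkgs.systemd}/bin/systemctl ${action} ${name}.service; fi`. `waitTime` is typed `int`, which admits negative values that `sleep` rejects at runtime; `types.ints.unsigned` matches the documented "set 0 to not wait", and the description should name the unit, e.g. `Time in seconds to wait before reloading/restarting the service.`. Because `PathChanged` fires on any write to a listed path, a watched path writable by an untrusted local user lets that user force repeated restarts of the service; a sentence in the `paths` description asking callers to keep watched files root-owned would document that expectation.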
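--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -39,11 +39,15 @@
 if [ -f /run/keys/secrets.tar ]; then
 if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
 echo "rebuilding secrets"
-rm -rf ${location}
-install -m0750 -o root -g keys -d ${location}
-${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
-sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
-find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+TMP=$(${pkgs.coreutils}/bin/mktemp -d)
+if [ -n "$TMP" ]; then
+install -m0750 -o root -g keys -d $TMP
+${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -xf /run/keys/secrets.tar
+sha512sum /run/keys/secrets.tar > $TMP/currentSecrets
+find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+${pkgs.rsync}/bin/rsync -O -c -av --delete $TMP/ ${location}
+rm -rf $TMP
+fi
 fi
 fi
 '';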
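Review bot: Nothing checks that the `tar` extraction succeeded before `sha512sum ... > $TMP/currentSecrets` and the `rsync --delete` run, so unless this script executes under `set -e` (the enclosing `''` string starts before the hunk, so that is not visible here) a truncated or failed extraction is synced over `${location}`, the previous secrets are deleted, and the hash file then marks the broken tree as current. Guarding the rest on the extraction keeps the old tree intact on failure: `if ${pkgs.gnutar}/bin/tar --strip-components 1 -C "$TMP" -xf /run/keys/secrets.tar; then` before the `sha512sum` line and a matching `fi` after the `rsync` line. Any exit between `mktemp` and the final `rm -rf $TMP` leaves the extracted plaintext secrets behind in the temporary directory; `trap 'rm -rf "$TMP"' EXIT` right after the `mktemp` line covers every exit path and makes the trailing `rm -rf $TMP` redundant. Quoting `"$TMP"` in the `install`, `tar`, `sha512sum`, `find` and `rsync` lines, as the `-n` test already does, costs nothing and matches the rest of the script's quoting of `currentSecrets`.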
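--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -91,6 +91,13 @@ in
 };
 });
 };
+watchPaths = mkOption {
+type = listOf string;
+default = [];
+description = ''
+Paths to watch that should trigger a reload of httpd
+'';
+};
 };
 });
 };
@@ -159,6 +166,13 @@ in
 })
 ) cfg;
 
+config.services.filesWatcher = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+"httpd${icfg.httpdName}" {
+paths = icfg.watchPaths;
+waitTime = 5;
+}
+) cfg;
+
 config.security.acme.certs = let
 typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg;
 flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: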
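Review bot: The second hunk generates a `services.filesWatcher` entry for every element of `cfg` unconditionally while `watchPaths` defaults to `[]`, so any website that never sets it produces an `httpd…Watcher.path` unit with an empty `PathChanged`, which systemd (as far as I recall) refuses to load because the path unit has no path setting; restricting the mapping to `(attrsets.filterAttrs (k: v: v.enable && v.watchPaths != []) cfg)` avoids emitting it, in line with the `v.enable` filter the `acme.certs` block below already applies. `watchPaths` is also declared `listOf string` whereas the `paths` option it feeds in modules/filesWatcher.nix is `listOf str`; `types.string` is the deprecated nixpkgs string type, so `type = listOf str;` keeps both ends consistent. `waitTime = 5;` restates the default declared in filesWatcher.nix and can be dropped unless the intent is to pin it independently of that default. The description could name the mechanism so callers know what a listed path triggers: `Paths watched by a systemd path unit; any change to them reloads httpd.`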