
add age.secrets.*.{action,service}
Represents an action to perform, or a systemd service to restart, when the
secret changes.
Radvendii committed Jan 12, 2022
1 parent 08b9c96 commit 4b9a185
Showing 1 changed file with 45 additions and 0 deletions.
45 changes: 45 additions & 0 deletions modules/age.nix
Expand Up @@ -90,6 +90,17 @@ let
Group of the decrypted secret.
'';
};
action = mkOption {
type = types.string;
default = "";
description = "A script to run when secret is updated.";
};
service = mkOption {
type = types.string;
default = "";
description = "The systemd service that uses this secret. Will be restarted when the secret changes.";
example = "wireguard-wg0";
};
symlink = mkEnableOption "symlinking secrets to their destination" // { default = true; };
};
});
Expand Down Expand Up @@ -201,6 +212,40 @@ in
"agenixChownKeys"
];
};

# services that watch for file changes and exectue the configured action
systemd.services = lib.mkMerge
(lib.mapAttrsToList
(name: {action, service, file, path, mode, owner, group, ...}:
let
fileHash = builtins.hashString "sha256" (builtins.readFile file);
restartTriggers = [ fileHash path mode owner group ];
in
(lib.mkIf (service != "") {
${service} = { inherit restartTriggers; };
})
(lib.mkIf (action != "") {
"agenix-${name}-action" = {
inherit restartTriggers;

# We execute the action on reload so that it doesn't happen at
# startup. The only disadvantage is that it won't trigger the
# first time the service is created.
reload = action;
reloadIfChanged = true;

serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};

script = " "; # it complains if we only set ExecReload

# Give it a reason for starting
wantedBy = [ "multi-user.target" ];
};

})]) cfg.secrets);
};

}
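Review bot: The new `action` and `service` options (first hunk) use `types.string`, which nixpkgs deprecates because several definitions are merged by string concatenation, so two modules setting `action` for the same secret would silently yield one joined script instead of a conflict; `type = types.nullOr types.str; default = null;` with `service != null` / `action != null` in the second hunk's `mkIf` guards would fail loudly instead. The `action` script runs as root through `ExecReload` of a oneshot unit that sets no `User` or sandboxing, which the option description should state, e.g. `description = "A script run as root (via the agenix-<name>-action unit's ExecReload) when the secret is updated.";`. `fileHash` reads `file` at evaluation time, which elsewhere in this module appears to be the encrypted `.age` file, so the trigger tracks the ciphertext rather than the plaintext and a re-encryption of an unchanged secret will presumably still restart the service — worth a comment next to `fileHash` if that is intended. As printed, the lambda body after `in` is two adjacent `lib.mkIf` expressions followed by a `]` with no matching `[`; if that is not a rendering artifact the first `mkIf` is being applied to the second, and even with `[ … ]` restored `mkMerge` would receive a list of lists, so the per-secret lists would need `lib.concatLists` (or `lib.flatten`) before `mkMerge`. The enclosing config attrset starts outside this hunk.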
