-
Notifications
You must be signed in to change notification settings - Fork 121
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add age.secrets.*.{action,service} #87
base: main
Are you sure you want to change the base?
Conversation
I believe this is false because of #89.
As far as I can tell, it would be the old action, since the path condition fires before the units get reloaded. |
@winterqt thank you! After looking at your comment and thinking about it for a bit, I've completely reworked this PR. It now hijacks NixOS's mechanism for restarting services. If you specify a service, this is simple. it just adds the information about the secret to the service file so that if any of it changes, the service gets reloaded. If you specify an action, it creates a dummy service that just executes that action, and similarly causes it to be reloaded when the secret changes. A few design decisions I'm not sure about:
|
This is really nicely done, congrats. Do you mind if I PR additions to the tests to account for this functionality to your branch, so this all lands in one PR? |
Not at all, go for it. |
Well, I thought of yet another rewrite. Advantages of this one include:
We could just add something like this to the activation script for each secret:
This isn't working on my machine though, because the file at |
@ryantm The changes to the integration test to include this functionality changes some reformatting using Would you prefer that I split the fixes and formatting changes from the additions, or don't format at all, or are you fine with all of this (implementation, fixing the existing test, and testing of this functionality) being in one commit? |
Oh, and another advantage of that last rewrite is that it would perform the action the first time the secret is created / the action was added, not just when it gets changed. The disadvantage, of course, is that I still don't know how to get it to work at all. |
Maybe a bunch of things just changed because I don't see any changes to the integration tests now? Generally, I'd prefer to keep formatting changes in a separate PR, so the individual ones are easier to review. |
I don't think @winterqt committed the integration test yet. |
Oh, and for that you should @winterqt you should know I changed it to have |
@winterqt any progress on this? I'm happy to work on the integration test but I don't want to duplicate effort in case you just forgot to push. |
@Radvendii I opened Radvendii#1 a few days ago. I assumed you would be notified, but I just noticed that GitHub doesn't enable notifications on forks for their creators by default, like they do for normal repos. |
Whoops! Also my notification settings are a bit scuffed right now, which might be why. |
Okay, this is no longer WIP. I think it's good to go |
Bump? @ryantm |
modules/age.nix
Outdated
services = mkOption { | ||
type = types.listOf types.str; | ||
default = []; | ||
description = "The systemd services that uses this secret. Will be restarted when the secret changes."; | ||
example = "[ wireguard-wg0 ]"; | ||
}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some feedback regarding this:
- What about wanting to only reload a unit instead of restarting it? There's
reloadTriggers
as well. Maybe there should be a way to make it reload instead of restart. - I'd think this option should be named
units
ordependentUnits
instead (or with above proposal maybedependentUnitsToRestart
), and the strings it should accept are of the form"wireguard-wg0.service"
, but also"my.target"
.restart/reloadTriggers
exist for all unit types, not just services. This then also matches thewantedBy
and co. NixOS options. Note that you can probably useutils.systemdUtils.unitNameType
for the type of this option then. - The example should be declared like
example = literalExpression ''[ "wireguard-wg0" ]''
(or adding the.service
suffix with the above suggestion)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm glad you weighed in. I don't have strong opinions about any of this, and the only reason I didn't do it the way you're describing is because I'm not that familiar with systemd units. Feel free to make these changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh. You don't have access to my repository.* I guess make a PR against my fork and I'll accept it? I would just make the changes myself but I don't think I understand them well enough to do it right on my first try.
*I stop using git for a week and totally forget how anything works XD
modules/age.nix
Outdated
# We execute the action on reload so that it doesn't happen at | ||
# startup. The only disadvantage is that it won't trigger the | ||
# first time the service is created. | ||
reload = action; | ||
reloadIfChanged = true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it makes more sense to also trigger at startup. This service is then essentially a secret post-processing-after-loading script.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure what you mean by "post-processing-after-loading script". This script doesn't do any post-processing, it just restarts the service. If I understand correctly, having it trigger at startup would mean that the dependent service (e.g. wireguard) would start up twice every time you booted, without any good reason.
Check out #84 (comment) for a potential alternative |
I've overhauled this to use h/t @EHfive |
represents an action to perform or systemd service to restart when the secret changes
Co-authored-by: Winter <78392041+winterqt@users.noreply.github.com>
Co-authored-by: Winter <78392041+winterqt@users.noreply.github.com>
compare the decrypted secrets, and make use of /run/nixos/activation-{restart,reload}-list
ping @ryantm I think this PR is in an even better state and is ready to merge again (from my end) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you. This is looking pretty good overall to me. I left some comments/questions.
This is very bizzare. |
I fixed the behaviour in some edge cases (including the one we discussed), and added a bunch more tests to make sure it's behaving right in those edge cases. There are even more cases that could be added (e.g. changing more than one thing at the same time), but that becomes very big very fast. let me know if you'd like me to add those tests. |
ping @ryantm hopefully it's ready now. |
ping @ryantm |
also ping @cole-h :) |
I don't have the brainspace to test this right now, but I figured I would put it up in case other people were inspired to test before I did.
Things that need testing:
Implements #84