Add support for restarting/reloading units

This commit is contained in:
Janne Heß 2021-09-02 11:00:57 +02:00
parent e37ef9dda5
commit 9683d128bd
No known key found for this signature in database
GPG key ID: 69165158F05265DF
5 changed files with 379 additions and 80 deletions


@ -78,6 +78,15 @@ let
Hash of the sops file, useful in <xref linkend="opt-systemd.services._name_.restartTriggers" />.
'';
};
restartUnits = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "sshd.service" ];
description = ''
Names of units that should be restarted when this secret changes.
This works the same way as <xref linkend="opt-systemd.services._name_.restartTriggers" />.
'';
};
};
});
manifest = pkgs.writeText "manifest.json" (builtins.toJSON {
@ -89,6 +98,10 @@ let
sshKeyPaths = cfg.gnupg.sshKeyPaths;
ageKeyFile = cfg.age.keyFile;
ageSshKeyPaths = cfg.age.sshKeyPaths;
logging = {
keyImport = builtins.elem "keyImport" cfg.log;
secretChanges = builtins.elem "secretChanges" cfg.log;
};
});
checkedManifest = let
@ -133,6 +146,12 @@ in {
'';
};
log = mkOption {
type = types.listOf (types.enum [ "keyImport" "secretChanges" ]);
default = [ "keyImport" "secretChanges" ];
description = "What to log";
};
age = {
keyFile = mkOption {
type = types.nullOr types.path;
@ -209,10 +228,12 @@ in {
system.activationScripts.setup-secrets = let
sops-install-secrets = (pkgs.callPackage ../.. {}).sops-install-secrets;
in stringAfter ([ "specialfs" "users" "groups" ] ++ optional cfg.age.generateKey "generate-age-key") ''
echo setting up secrets...
in (stringAfter ([ "specialfs" "users" "groups" ] ++ optional cfg.age.generateKey "generate-age-key") ''
[ -e /run/current-system ] || echo setting up secrets...
${optionalString (cfg.gnupg.home != null) "SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg"} ${sops-install-secrets}/bin/sops-install-secrets ${checkedManifest}
'';
'') // lib.optionalAttrs (config.system ? dryActivationScript) {
supportsDryActivation = true;
};
system.activationScripts.generate-age-key = (mkIf cfg.age.generateKey) (stringAfter [] ''
if [[ ! -f '${cfg.age.keyFile}' ]]; then