
Add support for restartUnits and reloadUnits for templates

This fixes https://github.com/Mic92/sops-nix/issues/634
Jeremy Fleischman 2024-11-07 15:26:43 -06:00 committed by mergify[bot]
parent c9f6b151cc
commit 60e1bce199
3 changed files with 64 additions and 19 deletions


@ -65,6 +65,24 @@ in {
File used as the template. When this value is specified, `sops.templates.<name>.content` is ignored. File used as the template. When this value is specified, `sops.templates.<name>.content` is ignored.
''; '';
}; };
restartUnits = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "sshd.service" ];
description = ''
Names of units that should be restarted when the rendered template changes.
This works the same way as <xref linkend="opt-systemd.services._name_.restartTriggers" />.
'';
};
reloadUnits = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "sshd.service" ];
description = ''
Names of units that should be reloaded when the rendered template changes.
This works the same way as <xref linkend="opt-systemd.services._name_.reloadTriggers" />.
'';
};
}; };
})); }));
default = { }; default = { };
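Review bot: The descriptions of the new `restartUnits` and `reloadUnits` options do not say what counts as a change, and the Go side of this commit treats a template whose previous rendering is missing (the `os.IsNotExist` branch) exactly like a modified one, so the listed units are also restarted or reloaded on the first activation after a template is added. Readers comparing this with `restartTriggers` may not expect that. I would append one sentence to both descriptions, e.g. `A template that has not been rendered before is treated as changed.` The enclosing `sops.templates` option definition starts and ends outside this hunk.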


@ -51,20 +51,22 @@ type loggingConfig struct {
} }
type template struct { type template struct {
Name string `json:"name"` Name string `json:"name"`
Content string `json:"content"` Content string `json:"content"`
Path string `json:"path"` Path string `json:"path"`
Mode string `json:"mode"` Mode string `json:"mode"`
Owner *string `json:"owner,omitempty"` Owner *string `json:"owner,omitempty"`
UID int `json:"uid"` UID int `json:"uid"`
Group *string `json:"group,omitempty"` Group *string `json:"group,omitempty"`
GID int `json:"gid"` GID int `json:"gid"`
File string `json:"file"` File string `json:"file"`
value []byte RestartUnits []string `json:"restartUnits"`
mode os.FileMode ReloadUnits []string `json:"reloadUnits"`
content string value []byte
owner int mode os.FileMode
group int content string
owner int
group int
} }
type manifest struct { type manifest struct {
@ -951,6 +953,8 @@ func handleModifications(isDry bool, logcfg loggingConfig, symlinkPath string, s
if err != nil { if err != nil {
if os.IsNotExist(err) { if os.IsNotExist(err) {
// File did not exist before // File did not exist before
restart = append(restart, template.RestartUnits...)
reload = append(reload, template.ReloadUnits...)
newTemplates[template.Name] = true newTemplates[template.Name] = true
continue continue
} }
@ -964,6 +968,8 @@ func handleModifications(isDry bool, logcfg loggingConfig, symlinkPath string, s
} }
if !bytes.Equal(oldData, newData) { if !bytes.Equal(oldData, newData) {
restart = append(restart, template.RestartUnits...)
reload = append(reload, template.ReloadUnits...)
modifiedTemplates[template.Name] = true modifiedTemplates[template.Name] = true
} }
} }
@ -1156,7 +1162,8 @@ func writeTemplates(targetDir string, templates map[string]*template, keysGID in
if !userMode { if !userMode {
if err := os.Chown(fp, template.owner, template.group); err != nil { if err := os.Chown(fp, template.owner, template.group); err != nil {
return fmt.Errorf("cannot change owner/group of '%s' to %d/%d: %w", fp, template.owner, template.group, err) return fmt.Errorf("cannot change owner/group of '%s' to %d/%d: %w", fp, template.owner, template.group, err)
} } }
}
} }
return nil return nil
} }
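Review bot: In the two `handleModifications` hunks (the `os.IsNotExist` branch and the `!bytes.Equal` branch) `template.RestartUnits` and `template.ReloadUnits` are appended to `restart`/`reload` unconditionally, so a unit named both on a secret the template embeds and on the template itself — the test configuration does this with `reload-trigger.service` — is queued twice, and a unit that appears in both `RestartUnits` and `ReloadUnits` is queued for a restart and a reload. Whether the consumer of these slices deduplicates or gives restart precedence over reload is outside these hunks; if it does not, folding the names through a `map[string]struct{}` before they reach `systemctl`, or documenting on the struct fields that a unit present in both lists is restarted and then reloaded, would avoid surprises. The `json` tags on the new fields have no `omitempty`, which is fine since the Nix side always emits a list. `handleModifications` begins and ends outside the visible hunks.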


@ -344,10 +344,14 @@ in {
reloadUnits = [ "reload-trigger.service" ]; reloadUnits = [ "reload-trigger.service" ];
}; };
templates.test_template.content = '' templates.test_template = {
this is a template with content = ''
a secret: ${config.sops.placeholder.test_key} this is a template with
''; a secret: ${config.sops.placeholder.test_key}
'';
restartUnits = [ "restart-unit.service" "reload-unit.service" ];
reloadUnits = [ "reload-trigger.service" ];
};
}; };
system.switch.enable = true; system.switch.enable = true;
@ -421,6 +425,22 @@ in {
machine.succeed("test -f /restarted") machine.succeed("test -f /restarted")
machine.succeed("test -f /reloaded") machine.succeed("test -f /reloaded")
# Cleanup the marker files.
machine.succeed("rm /restarted /reloaded")
# Ensure the template is changed
machine.succeed(": > /run/secrets/rendered/test_template")
# The template is changed, now something should happen
machine.succeed("/run/current-system/bin/switch-to-configuration test")
# Ensure something happened
machine.succeed("test -f /restarted")
machine.succeed("test -f /reloaded")
# Cleanup the marker files.
machine.succeed("rm /restarted /reloaded")
with subtest("change detection"): with subtest("change detection"):
machine.succeed("rm /run/secrets/test_key") machine.succeed("rm /run/secrets/test_key")
machine.succeed("rm /run/secrets/rendered/test_template") machine.succeed("rm /run/secrets/rendered/test_template")
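Review bot: The new assertions only check that `/restarted` and `/reloaded` appear after the rendered template is truncated; nothing checks that an activation with an unchanged rendering leaves them absent, so a regression that restarts the listed units on every switch would still pass. After the final `rm /restarted /reloaded` I would run `machine.succeed("/run/current-system/bin/switch-to-configuration test")` followed by `machine.fail("test -f /restarted")` and `machine.fail("test -f /reloaded")`, unless an earlier part of this subtest (above the hunk) already covers that case. Note also that `: > /run/secrets/rendered/test_template` empties the on-disk file rather than changing a referenced secret, which exercises the `bytes.Equal` comparison but not a change arriving through a placeholder.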