vars: add restartUnits option

For secrets not part of the nix store there is no other way in NixOS to restart a service after the secret is updated. One example is changing password in userborn, which doesn't run as a activation script but as a systemd service.
2025-05-28 16:17:51 +02:00
parent 2efb4994a6
commit 7314f6b2ff
5 changed files with 20 additions and 1 deletions
--- a/clanModules/root-password/roles/default.nix
+++ b/clanModules/root-password/roles/default.nix
@@ -1,6 +1,7 @@
 {
  pkgs,
  config,
+  lib,
  ...
 }:
 {
@@ -12,6 +13,7 @@
    files.password-hash = {
      neededFor = "users";
    };
+    files.password-hash.restartUnits = lib.optional (config.services.userborn.enable) "userborn.service";
    files.password = {
      deploy = false;
    };
--- a/clanModules/user-password/roles/default.nix
+++ b/clanModules/user-password/roles/default.nix
@@ -31,6 +31,7 @@ in

    clan.core.vars.generators.user-password = {
      files.user-password-hash.neededFor = "users";
+      files.user-password-hash.restartUnits = lib.optional (config.services.userborn.enable) "userborn.service";

      prompts.user-password.type = "hidden";
      prompts.user-password.persist = true;
--- a/nixosModules/clanCore/vars/interface.nix
+++ b/nixosModules/clanCore/vars/interface.nix
@@ -298,6 +298,16 @@ in
                      description = "The unix file mode of the file. Must be a 4-digit octal number.";
                      default = "0400";
                    };
+                    restartUnits = lib.mkOption {
+                      description = ''
+                        A list of systemd units that should be restarted after the file is deployed.
+                        This is useful for services that need to reload their configuration after the file is updated.
+
+                        WARNING: currently only sops-nix implements this option.
+                      '';
+                      type = listOf str;
+                      default = [ ];
+                    };
                    value =
                      lib.mkOption {
                        description = ''
--- a/nixosModules/clanCore/vars/secret/sops/default.nix
+++ b/nixosModules/clanCore/vars/secret/sops/default.nix
@@ -48,6 +48,7 @@ in
            group
            mode
            neededForUsers
+            restartUnits
            ;
          sopsFile = builtins.path {
            name = "${secret.generator}_${secret.name}";
--- a/nixosModules/clanCore/vars/secret/sops/funcs.nix
+++ b/nixosModules/clanCore/vars/secret/sops/funcs.nix
@@ -28,7 +28,12 @@ in
            generator = gen_name;
            neededForUsers = file.neededFor == "users";
            inherit (generator) share;
-            inherit (file) owner group mode;
+            inherit (file)
+              owner
+              group
+              mode
+              restartUnits
+              ;
          }) (relevantFiles generator)
        ) generators
      );