From 7314f6b2ffde632909816c22b10632284f9fcc13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 28 May 2025 16:17:51 +0200
Subject: [PATCH] vars: add restartUnits option

For secrets not part of the nix store there is no other way in NixOS to restart a service after the secret is updated. One example is changing password in userborn, which doesn't run as a activation script but as a systemd service.
---
 clanModules/root-password/roles/default.nix | 2 ++
 clanModules/user-password/roles/default.nix | 1 +
 nixosModules/clanCore/vars/interface.nix | 10 ++++++++++
 nixosModules/clanCore/vars/secret/sops/default.nix | 1 +
 nixosModules/clanCore/vars/secret/sops/funcs.nix | 7 ++++++-
 5 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/clanModules/root-password/roles/default.nix b/clanModules/root-password/roles/default.nix
index c4a252394..8606a10db 100644
--- a/clanModules/root-password/roles/default.nix
+++ b/clanModules/root-password/roles/default.nix
@@ -1,6 +1,7 @@
 {
 pkgs,
 config,
+ lib,
 ...
 }:
 {
@@ -12,6 +13,7 @@
 files.password-hash = {
 neededFor = "users";
 };
+ files.password-hash.restartUnits = lib.optional (config.services.userborn.enable) "userborn.service";
 files.password = {
 deploy = false;
 };
diff --git a/clanModules/user-password/roles/default.nix b/clanModules/user-password/roles/default.nix
index 9d469cc09..ace17128f 100644
--- a/clanModules/user-password/roles/default.nix
+++ b/clanModules/user-password/roles/default.nix
@@ -31,6 +31,7 @@ in
 clan.core.vars.generators.user-password = {
 files.user-password-hash.neededFor = "users";
+ files.user-password-hash.restartUnits = lib.optional (config.services.userborn.enable) "userborn.service";
 prompts.user-password.type = "hidden";
 prompts.user-password.persist = true;
diff --git a/nixosModules/clanCore/vars/interface.nix b/nixosModules/clanCore/vars/interface.nix
index c34ada565..4e3ac3e42 100644
--- a/nixosModules/clanCore/vars/interface.nix
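Review bot: The `restartUnits` line added in the second root-password hunk sits on a file that also sets `neededFor = "users"`, and nothing visible in this patch shows that the sops backend honours restart units for secrets deployed in that phase; the same holds for `files.user-password-hash.restartUnits` in the user-password hunk. A VM test that changes the password hash on a running machine and asserts that userborn.service ran again would confirm that a rotated hash actually takes effect rather than leaving the old password valid. As a smaller point, the expression is duplicated across both modules and the parentheses are redundant: `lib.optional config.services.userborn.enable "userborn.service"`.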
+++ b/nixosModules/clanCore/vars/interface.nix
@@ -298,6 +298,16 @@ in
 description = "The unix file mode of the file. Must be a 4-digit octal number.";
 default = "0400";
 };
+ restartUnits = lib.mkOption {
+ description = ''
+ A list of systemd units that should be restarted after the file is deployed.
+ This is useful for services that need to reload their configuration after the file is updated.
+
+ WARNING: currently only sops-nix implements this option.
+ '';
+ type = listOf str;
+ default = [ ];
+ };
 value = lib.mkOption {
 description = ''
diff --git a/nixosModules/clanCore/vars/secret/sops/default.nix b/nixosModules/clanCore/vars/secret/sops/default.nix
index a9228f2a0..3e23bdcaf 100644
--- a/nixosModules/clanCore/vars/secret/sops/default.nix
+++ b/nixosModules/clanCore/vars/secret/sops/default.nix
@@ -48,6 +48,7 @@ in
 group
 mode
 neededForUsers
+ restartUnits
 ;
 sopsFile = builtins.path {
 name = "${secret.generator}_${secret.name}";
diff --git a/nixosModules/clanCore/vars/secret/sops/funcs.nix b/nixosModules/clanCore/vars/secret/sops/funcs.nix
index 1fb3bd15f..20b6f97e1 100644
--- a/nixosModules/clanCore/vars/secret/sops/funcs.nix
+++ b/nixosModules/clanCore/vars/secret/sops/funcs.nix
@@ -28,7 +28,12 @@ in
 generator = gen_name;
 neededForUsers = file.neededFor == "users";
 inherit (generator) share;
- inherit (file) owner group mode;
+ inherit (file)
+ owner
+ group
+ mode
+ restartUnits
+ ;
 }) (relevantFiles generator)
 ) generators
 );
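Review bot: The WARNING in the `restartUnits` description of the interface.nix hunk is the only signal that non-sops backends ignore the option: a non-empty list is accepted there and nothing restarts, so a rotated secret can stay unapplied without any evaluation-time hint. An assertion or warning in the other backends when `restartUnits != [ ]` would surface this; that code is outside this hunk. The description also speaks of services that "reload their configuration" while the option restarts units, so I would word the second sentence as `Use this for services that only read the file at startup and must be restarted to pick up a new value.`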