| author | Mel <einebeere@gmail.com> | 2024-12-29 23:23:18 +0100 |
|---|---|---|
| committer | Mel <einebeere@gmail.com> | 2024-12-29 23:23:18 +0100 |
| commit | c69a5189925637910c1e5ceb9ce8b45992390521 (patch) | |
| tree | 5e1fc73c9be24c3647d016d6e73be033f4d79a24 | |
| parent | a5d23c80aee2e93436dc2ee09f3710975958d2dc (diff) | |
| download | specimen-c69a5189925637910c1e5ceb9ce8b45992390521.tar.zst specimen-c69a5189925637910c1e5ceb9ce8b45992390521.zip | |
Reload on name secret change step-3
Signed-off-by: Mel <einebeere@gmail.com>
| -rw-r--r-- | application/module.nix | 20 | ||||
| -rw-r--r-- | configuration/specimen.nix | 5 |
2 files changed, 20 insertions, 5 deletions
diff --git a/application/module.nix b/application/module.nix
index 3689996..f4b3e4a 100644
--- a/application/module.nix
+++ b/application/module.nix
@@ -58,13 +58,24 @@ in
 description = "open specimen port in firewall for incoming connections.";
 };
- namePath = mkOption {
- type = types.path;
- description = "path from which specimen will get the content to reply with.";
+ nameSecret = mkOption {
+ type = types.attrs;
+ description = "secret from which specimen will take the name from.";
 };
 };
 config = mkIf cfg.enable {
+ assertions = with builtins; [
+ {
+ assertion = hasAttr "path" cfg.nameSecret;
+ message = "name secret needs to include path";
+ }
+ {
+ assertion = hasAttr "file" cfg.nameSecret;
+ message = "name secret needs to include store file";
+ }
+ ];
+
 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
 users.users.${cfg.user} = {
@@ -79,13 +90,14 @@ in
 wantedBy = [ "multi-user.target" ];
 wants = [ "network.target" ];
 after = [ "network.target" ];
+ restartTriggers = [ cfg.nameSecret.file ];
 serviceConfig = {
 User = cfg.user;
 Group = cfg.user;
 Type = "exec";
 Restart = "always";
- ExecStart = "${cfg.package}/bin/specimen -address ${cfg.listenAddress} -port ${toString cfg.port} -name ${cfg.namePath}";
+ ExecStart = "${cfg.package}/bin/specimen -address ${cfg.listenAddress} -port ${toString cfg.port} -name ${cfg.nameSecret.path}";
 # a gigantic amount of hardening!!
 # realistically this much wouldn't be necessary.
diff --git a/configuration/specimen.nix b/configuration/specimen.nix
index 53732b9..4620e47 100644
--- a/configuration/specimen.nix
+++ b/configuration/specimen.nix
@@ -15,6 +15,9 @@
 port = 4444;
 openFirewall = true;
- namePath = config.age.secrets.name.path;
+ # we pass the entire agenix secret,
+ # so we can see both the encrypted and the
+ # decrypted path.
+ nameSecret = config.age.secrets.name;
 };
 } |
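Review bot: The new nameSecret option is typed as types.attrs, so the two added assertions only check that the keys `path` and `file` exist, not that their values are paths or strings; a non-path value would still pass evaluation and only fail when the ExecStart interpolation later in the module is built. If the extra attributes carried by the secret attrset can be tolerated, a submodule type declaring `path` and `file` as typed options would enforce the values and make the hand-written assertions unnecessary; otherwise the assertions should at least check `isString` or `isPath` on the two values. The option description also has a stray "from": `description = "secret attrset (must contain path and file) from which specimen takes its name.";`. The enclosing options and config attrsets start and end outside this hunk.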
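Review bot: The rewritten ExecStart interpolates cfg.nameSecret.path unquoted into the command line, so a path containing whitespace or shell metacharacters is split or reinterpreted by systemd's argument parsing; passing it as `-name ${lib.escapeShellArg cfg.nameSecret.path}` (assuming lib is in scope, as the unqualified mkOption/mkIf suggest) keeps it a single argument, and the other interpolated values would benefit from the same treatment. Nothing in the hunk ensures the decrypted file at cfg.nameSecret.path is readable by cfg.user, which the unit runs as via `User = cfg.user;`; if the secret's owner or mode is not set to match, the service fails at start time rather than at evaluation, so that expectation is worth an assertion or at least a comment next to restartTriggers, e.g. `# nameSecret.path must be readable by cfg.user; the service does not run as root.`. The serviceConfig block continues past the end of the hunk.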
