From c69a5189925637910c1e5ceb9ce8b45992390521 Mon Sep 17 00:00:00 2001
From: Mel
Date: Sun, 29 Dec 2024 23:23:18 +0100
Subject: Reload on name secret change

Signed-off-by: Mel
---
 application/module.nix | 20 ++++++++++++++++----
 configuration/specimen.nix | 5 ++++-
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/application/module.nix b/application/module.nix
index 3689996..f4b3e4a 100644
--- a/application/module.nix
+++ b/application/module.nix
@@ -58,13 +58,24 @@ in
 description = "open specimen port in firewall for incoming connections.";
 };
- namePath = mkOption {
- type = types.path;
- description = "path from which specimen will get the content to reply with.";
+ nameSecret = mkOption {
+ type = types.attrs;
+ description = "secret from which specimen will take the name from.";
 };
 };
 config = mkIf cfg.enable {
+ assertions = with builtins; [
+ {
+ assertion = hasAttr "path" cfg.nameSecret;
+ message = "name secret needs to include path";
+ }
+ {
+ assertion = hasAttr "file" cfg.nameSecret;
+ message = "name secret needs to include store file";
+ }
+ ];
+
 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
 users.users.${cfg.user} = {
@@ -79,13 +90,14 @@ in
 wantedBy = [ "multi-user.target" ];
 wants = [ "network.target" ];
 after = [ "network.target" ];
+ restartTriggers = [ cfg.nameSecret.file ];
 serviceConfig = {
 User = cfg.user;
 Group = cfg.user;
 Type = "exec";
 Restart = "always";
- ExecStart = "${cfg.package}/bin/specimen -address ${cfg.listenAddress} -port ${toString cfg.port} -name ${cfg.namePath}";
+ ExecStart = "${cfg.package}/bin/specimen -address ${cfg.listenAddress} -port ${toString cfg.port} -name ${cfg.nameSecret.path}";
 # a gigantic amount of hardening!!
 # realistically this much wouldn't be necessary.
diff --git a/configuration/specimen.nix b/configuration/specimen.nix
index 53732b9..4620e47 100644
--- a/configuration/specimen.nix
+++ b/configuration/specimen.nix
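Review bot: The two new assertions only check that the `path` and `file` keys exist on `cfg.nameSecret`; because the option is typed `types.attrs`, the values can be anything, yet `path` is later spliced into the ExecStart command line and `file` becomes a restart trigger, so the checks should also pin the value types, e.g. `assertion = hasAttr "path" cfg.nameSecret && isString cfg.nameSecret.path;`, with an equivalent check on `file` that accepts both string and path values. The description of the new option doubles the preposition; `description = "secret from which specimen will take the name.";` reads cleanly. The option set and the `config = mkIf cfg.enable { … }` block both start before this hunk and continue after it.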
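Review bot: `restartTriggers = [ cfg.nameSecret.file ];` restarts the unit on activation whenever the encrypted store file changes, which does not match the commit subject "Reload on name secret change"; either the subject should say restart, or, if a reload is really intended, the mechanism is `reloadTriggers` paired with an `ExecReload` in `serviceConfig`. A comment on the trigger line would help the next reader, e.g. `# the encrypted file is a store path, so it changes whenever the secret content changes`. The unit is ordered only after `network.target`; if the decrypted file at `nameSecret.path` is provisioned at activation time that is sufficient, but if it is produced by a separate unit the service also needs an `after`/`requires` on it — worth confirming for this setup. The systemd unit and its `serviceConfig` attribute set continue outside the hunk.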
@@ -15,6 +15,9 @@
 port = 4444;
 openFirewall = true;
- namePath = config.age.secrets.name.path;
+ # we pass the entire agenix secret,
+ # so we can see both the encrypted and the
+ # decrypted path.
+ nameSecret = config.age.secrets.name;
 };
 }
--
cgit 1.4.1