From 01f42c085142b3a9c7de7303083e9ee8a962df9b Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Sun, 3 May 2026 15:23:40 +0200
Subject: [PATCH] feat(sops): trigger service restarts on secret rotation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Wire up restartUnits on secrets whose consumers cache them in memory (daemons read at startup), so sops-nix restarts the affected unit on activation when the decrypted content changes:

- firefly: app_key → phpfpm-firefly-iii; auto_import_secret + access_token → phpfpm-firefly-iii-data-importer
- searx: secret_key → uwsgi
- opencode: web password → opencode-serve
- mail: sasl_passwd → postfix
- forgejo: gitea_dbpass → forgejo; runner-token → gitea-runner-default

Secrets read on demand by oneshots/timers (firefly sparda_pin, ntfy token, restic backup creds, acme dns creds, wg conf) are left as-is.
---
 systems/x86_64-linux/mx/forgejo.nix   | 2 ++
 systems/x86_64-linux/sgx/firefly.nix  | 3 +++
 systems/x86_64-linux/sgx/mail.nix     | 1 +
 systems/x86_64-linux/sgx/opencode.nix | 1 +
 systems/x86_64-linux/sgx/searx.nix    | 5 ++++-
 5 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/systems/x86_64-linux/mx/forgejo.nix b/systems/x86_64-linux/mx/forgejo.nix
index 4847b0a..6ae4644 100644
--- a/systems/x86_64-linux/mx/forgejo.nix
+++ b/systems/x86_64-linux/mx/forgejo.nix
@@ -7,6 +7,7 @@
   sops.secrets."postgres/gitea_dbpass" = {
     sopsFile = ../../../.secrets/hetzner/postgres.yaml; # bring your own password file
     owner = config.services.forgejo.user;
+    restartUnits = [ "forgejo.service" ];
   };
 
   services.forgejo = {
@@ -40,6 +41,7 @@
 
   sops.secrets."forgejo-runner-token" = {
     sopsFile = ../../../.secrets/hetzner/forgejo-runner-token.yaml; # bring your own password file
+    restartUnits = [ "gitea-runner-default.service" ];
   };
 
   services.gitea-actions-runner = {
diff --git a/systems/x86_64-linux/sgx/firefly.nix b/systems/x86_64-linux/sgx/firefly.nix
index 94ad43b..2aa9c76 100644
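Review bot: In the first hunk, restarting forgejo.service when `postgres/gitea_dbpass` changes only makes Forgejo pick up the new value; nothing in this diff updates the PostgreSQL role password to match, so rotating the sops value on its own leaves Forgejo unable to connect after the restart until the role is changed in lockstep. That coupling deserves a comment next to the new line, e.g. `# rotate together with the postgres role password; the restart does not change it in the DB`. The second hunk has the same shape: a new runner token has to be issued on the Forgejo side before gitea-runner-default.service is bounced with it, and the unit name presumably follows the gitea-actions-runner instance name, which is defined outside the hunk and so could not be confirmed here.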
--- a/systems/x86_64-linux/sgx/firefly.nix
+++ b/systems/x86_64-linux/sgx/firefly.nix
@@ -31,6 +31,7 @@ in
     "firefly/app_key" = {
       sopsFile = ../../../.secrets/sgx/firefly.yaml;
       owner = "firefly-iii";
+      restartUnits = [ "phpfpm-firefly-iii.service" ];
     };
     "firefly/sparda_pin" = {
       sopsFile = ../../../.secrets/sgx/firefly.yaml;
@@ -39,10 +40,12 @@ in
     "firefly/auto_import_secret" = {
       sopsFile = ../../../.secrets/sgx/firefly.yaml;
       owner = "firefly-iii-data-importer";
+      restartUnits = [ "phpfpm-firefly-iii-data-importer.service" ];
     };
     "firefly/access_token" = {
       sopsFile = ../../../.secrets/sgx/firefly.yaml;
       owner = "firefly-iii-data-importer";
+      restartUnits = [ "phpfpm-firefly-iii-data-importer.service" ];
     };
   };
 
diff --git a/systems/x86_64-linux/sgx/mail.nix b/systems/x86_64-linux/sgx/mail.nix
index 289bac2..ff341a2 100644
--- a/systems/x86_64-linux/sgx/mail.nix
+++ b/systems/x86_64-linux/sgx/mail.nix
@@ -21,6 +21,7 @@
   sops.secrets.sasl_passwd = {
     sopsFile = ../../../.secrets/sgx/relay.yaml; # bring your own password file
     owner = config.services.postfix.user;
+    restartUnits = [ "postfix.service" ];
   };
 
 }
diff --git a/systems/x86_64-linux/sgx/opencode.nix b/systems/x86_64-linux/sgx/opencode.nix
index 10b2913..9ea0017 100644
--- a/systems/x86_64-linux/sgx/opencode.nix
+++ b/systems/x86_64-linux/sgx/opencode.nix
@@ -42,5 +42,6 @@ in
   sops.secrets.opencode-web-password = {
     sopsFile = ../../../.secrets/sgx/opencode-web.yaml;
     owner = user;
+    restartUnits = [ "opencode-serve.service" ];
   };
 }
diff --git a/systems/x86_64-linux/sgx/searx.nix b/systems/x86_64-linux/sgx/searx.nix
index 4f7f702..88690b5 100644
--- a/systems/x86_64-linux/sgx/searx.nix
+++ b/systems/x86_64-linux/sgx/searx.nix
@@ -1,6 +1,9 @@
 { pkgs, config, ... }:
 {
-  sops.secrets."searx/secret_key".sopsFile = ../../../.secrets/sgx/searx.yaml;
+  sops.secrets."searx/secret_key" = {
+    sopsFile = ../../../.secrets/sgx/searx.yaml;
+    restartUnits = [ "uwsgi.service" ];
+  };
 
   services.searx = {
     enable = true;
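Review bot: If `firefly/app_key` in the first firefly hunk is Firefly III's Laravel APP_KEY, restarting phpfpm-firefly-iii.service after a rotation is not sufficient on its own: anything Firefly stored encrypted under the previous key, and existing sessions, stop decrypting, so a change needs Firefly's own key-change procedure rather than a plain swap of the sops value. A comment on the new restartUnits line would prevent it from being treated as a freely rotatable credential, e.g. `# app_key protects stored encrypted data; do not rotate without Firefly III's key-change steps`. The two data-importer secrets in the second hunk look fine as restart triggers. The enclosing sops.secrets attrset begins outside the hunk.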
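Review bot: In the mail.nix hunk, restarting postfix.service on a sasl_passwd change only helps if that restart also regenerates the lookup table Postfix actually reads; if the relay credentials are referenced as a `hash:` (or similar) map, the compiled .db/.lmdb next to the secret must be rebuilt with postmap, and a restart of a unit that does not do so leaves Postfix authenticating with the stale copy. The postfix configuration that consumes this secret is outside the hunk, so I could not tell which path it takes. If the NixOS postfix module's mapFiles handling rebuilds it at unit start, say so on the new line (`# restart re-runs postmap on the relay map via the module's preStart`) so the next reader does not have to re-derive it.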
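Review bot: In the searx.nix hunk, `uwsgi.service` is presumably the host's single uwsgi unit, so a rotation of `searx/secret_key` restarts every uwsgi application on this machine, not only SearXNG; if nothing else runs under uwsgi here that is acceptable, but it should be stated on the new line, e.g. `# uwsgi.service is shared; a restart drops every vassal on this host, not just searx`. sops-nix also provides `reloadUnits`, which issues a reload instead of a restart and may be the gentler choice if uwsgi's reload path re-reads the key — I could not confirm that from the hunk. The secret keeps no `owner`, as before this change, so it stays root-owned with the default mode; whichever process reads it for uwsgi presumably does so through the searx module rather than directly.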