feat(sops): trigger service restarts on secret rotation

Wire up restartUnits on secrets whose consumers cache them in memory
(daemons read at startup), so sops-nix restarts the affected unit on
activation when the decrypted content changes:

- firefly: app_key → phpfpm-firefly-iii;
  auto_import_secret + access_token → phpfpm-firefly-iii-data-importer
- searx: secret_key → uwsgi
- opencode: web password → opencode-serve
- mail: sasl_passwd → postfix
- forgejo: gitea_dbpass → forgejo; runner-token → gitea-runner-default

Secrets read on demand by oneshots/timers (firefly sparda_pin, ntfy
token, restic backup creds, acme dns creds, wg conf) are left as-is.
Harald Hoyer 2026-05-03 15:23:40 +02:00
parent 59480cdc79
commit 01f42c0851
5 changed files with 11 additions and 1 deletions


@ -7,6 +7,7 @@
sops.secrets."postgres/gitea_dbpass" = {
sopsFile = ../../../.secrets/hetzner/postgres.yaml; # bring your own password file
owner = config.services.forgejo.user;
restartUnits = [ "forgejo.service" ];
};
services.forgejo = {
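Review bot: restartUnits on "postgres/gitea_dbpass" restarts forgejo.service whenever the decrypted value changes, but nothing in this hunk updates the PostgreSQL role password in step with it; if the sops value and the role password are rotated separately, Forgejo restarts against a credential the database does not yet accept. Consider extending the "bring your own password file" comment to state that the role password and this secret must be rotated together, so the restart does not turn a rotation into an outage.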
@ -40,6 +41,7 @@
sops.secrets."forgejo-runner-token" = {
sopsFile = ../../../.secrets/hetzner/forgejo-runner-token.yaml; # bring your own password file
restartUnits = [ "gitea-runner-default.service" ];
};
services.gitea-actions-runner = {
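Review bot: the "# bring your own password file" comment on the sopsFile line is copied from the database-password secret and is misleading here, since this file holds a runner registration token rather than a password; reword or drop it. Also worth confirming that gitea-runner-default.service actually re-reads the token on restart: if the runner keeps its registration state from the first run, rotating the token and restarting the unit has no effect until that state is cleared.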