harald/nixcfg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feat(sops): trigger service restarts on secret rotation

Browse source 
Wire up restartUnits on secrets whose consumers cache them in memory
(daemons read at startup), so sops-nix restarts the affected unit on
activation when the decrypted content changes:

- firefly: app_key → phpfpm-firefly-iii;
  auto_import_secret + access_token → phpfpm-firefly-iii-data-importer
- searx: secret_key → uwsgi
- opencode: web password → opencode-serve
- mail: sasl_passwd → postfix
- forgejo: gitea_dbpass → forgejo; runner-token → gitea-runner-default

Secrets read on demand by oneshots/timers (firefly sparda_pin, ntfy
token, restic backup creds, acme dns creds, wg conf) are left as-is.
This commit is contained in:
Harald Hoyer 2026-05-03 15:23:40 +02:00
parent 59480cdc79
commit 01f42c0851
5 changed files with 11 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
systems/x86_64-linux/sgx/searx.nix
View file

@ -1,6 +1,9 @@
{ pkgs, config, ... }:
{
sops.secrets."searx/secret_key".sopsFile = ../../../.secrets/sgx/searx.yaml;
sops.secrets."searx/secret_key" = {
sopsFile = ../../../.secrets/sgx/searx.yaml;
restartUnits = [ "uwsgi.service" ];
};
services.searx = {
enable = true;