harald/nixcfg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feat(sops): trigger service restarts on secret rotation

Browse source 
Wire up restartUnits on secrets whose consumers cache them in memory
(daemons read at startup), so sops-nix restarts the affected unit on
activation when the decrypted content changes:

- firefly: app_key → phpfpm-firefly-iii;
  auto_import_secret + access_token → phpfpm-firefly-iii-data-importer
- searx: secret_key → uwsgi
- opencode: web password → opencode-serve
- mail: sasl_passwd → postfix
- forgejo: gitea_dbpass → forgejo; runner-token → gitea-runner-default

Secrets read on demand by oneshots/timers (firefly sparda_pin, ntfy
token, restic backup creds, acme dns creds, wg conf) are left as-is.
This commit is contained in:
Harald Hoyer 2026-05-03 15:23:40 +02:00
parent 59480cdc79
commit 01f42c0851
5 changed files with 11 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
systems/x86_64-linux/mx/forgejo.nix
View file

@ -7,6 +7,7 @@
sops.secrets."postgres/gitea_dbpass" = { sops.secrets."postgres/gitea_dbpass" = {
sopsFile = ../../../.secrets/hetzner/postgres.yaml; # bring your own password file sopsFile = ../../../.secrets/hetzner/postgres.yaml; # bring your own password file
owner = config.services.forgejo.user; owner = config.services.forgejo.user;
restartUnits = [ "forgejo.service" ];
}; };
services.forgejo = { services.forgejo = {
@ -40,6 +41,7 @@
sops.secrets."forgejo-runner-token" = { sops.secrets."forgejo-runner-token" = {
sopsFile = ../../../.secrets/hetzner/forgejo-runner-token.yaml; # bring your own password file sopsFile = ../../../.secrets/hetzner/forgejo-runner-token.yaml; # bring your own password file
restartUnits = [ "gitea-runner-default.service" ];
}; };
services.gitea-actions-runner = { services.gitea-actions-runner = {

3
systems/x86_64-linux/sgx/firefly.nix
View file

@ -31,6 +31,7 @@ in
"firefly/app_key" = { "firefly/app_key" = {
sopsFile = ../../../.secrets/sgx/firefly.yaml; sopsFile = ../../../.secrets/sgx/firefly.yaml;
owner = "firefly-iii"; owner = "firefly-iii";
restartUnits = [ "phpfpm-firefly-iii.service" ];
}; };
"firefly/sparda_pin" = { "firefly/sparda_pin" = {
sopsFile = ../../../.secrets/sgx/firefly.yaml; sopsFile = ../../../.secrets/sgx/firefly.yaml;
@ -39,10 +40,12 @@ in
"firefly/auto_import_secret" = { "firefly/auto_import_secret" = {
sopsFile = ../../../.secrets/sgx/firefly.yaml; sopsFile = ../../../.secrets/sgx/firefly.yaml;
owner = "firefly-iii-data-importer"; owner = "firefly-iii-data-importer";
restartUnits = [ "phpfpm-firefly-iii-data-importer.service" ];
}; };
"firefly/access_token" = { "firefly/access_token" = {
sopsFile = ../../../.secrets/sgx/firefly.yaml; sopsFile = ../../../.secrets/sgx/firefly.yaml;
owner = "firefly-iii-data-importer"; owner = "firefly-iii-data-importer";
restartUnits = [ "phpfpm-firefly-iii-data-importer.service" ];
}; };
}; };

1
systems/x86_64-linux/sgx/mail.nix
View file

@ -21,6 +21,7 @@
sops.secrets.sasl_passwd = { sops.secrets.sasl_passwd = {
sopsFile = ../../../.secrets/sgx/relay.yaml; # bring your own password file sopsFile = ../../../.secrets/sgx/relay.yaml; # bring your own password file
owner = config.services.postfix.user; owner = config.services.postfix.user;
restartUnits = [ "postfix.service" ];
}; };
} }

1
systems/x86_64-linux/sgx/opencode.nix
View file

@ -42,5 +42,6 @@ in
sops.secrets.opencode-web-password = { sops.secrets.opencode-web-password = {
sopsFile = ../../../.secrets/sgx/opencode-web.yaml; sopsFile = ../../../.secrets/sgx/opencode-web.yaml;
owner = user; owner = user;
restartUnits = [ "opencode-serve.service" ];
}; };
} }

5
systems/x86_64-linux/sgx/searx.nix
View file

@ -1,6 +1,9 @@
{ pkgs, config, ... }: { pkgs, config, ... }:
{ {
sops.secrets."searx/secret_key".sopsFile = ../../../.secrets/sgx/searx.yaml; sops.secrets."searx/secret_key" = {
sopsFile = ../../../.secrets/sgx/searx.yaml;
restartUnits = [ "uwsgi.service" ];
};
services.searx = { services.searx = {
enable = true; enable = true;