sops-nix
updating `owner` and `group` does not trigger `restartUnits`
Hi.
I am using colmena with sops-nix to manage my remote machines.
In my case, I forgot to set an owner/group at first for a secret controlled by sops-nix. After realizing that a service depending on the secret file was failing to start due to a permission error, I modified my config to set a proper owner. But the service did not get restarted automatically until I did so manually with systemctl restart.
Not so sure how this would be achieved anyway. The secret path does not change if the owner is changed. Restarting every service on every sops-nix change might be feasible but sounds excessive.
I'm curious for feedback on this idea:
provide a config.sops.secrets.<secret>.purePath attribute which points to a path that contains a hash of all of the secret's input config, similar to a store path.
reference purePath in the nix expression that configures the systemd unit. IIUC this should trigger a restart.
Here's an example that shows the basic idea described above. The example is a bit convoluted because of how zerotier works; it is a real-world example after all :smile:
```nix
systemd.services.zerotieroneSecretNetworks = {
  enable = true;
  requiredBy = ["zerotierone.service"];
  partOf = ["zerotierone.service"];
  serviceConfig.Type = "oneshot";
  serviceConfig.RemainAfterExit = true;
  script = let
    secret = config.sops.secrets.zerotieroneNetworks;
  in ''
    # include the secret's hash to trigger a restart on change
    # ${builtins.hashString "sha256" (builtins.toJSON secret)}
    ${config.systemd.services.zerotierone.preStart}
    rm -rf /var/lib/zerotier-one/networks.d/*.conf
    for network in `grep -v '#' ${secret.path}`; do
      touch /var/lib/zerotier-one/networks.d/''${network}.conf
    done
  '';
};
```
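The same hash-of-the-secret-config idea, expressed through the NixOS `restartTriggers` option instead of a comment inside the unit's script. This is an added example, not code from the thread or from sops-nix; it assumes a secret named `zerotieroneNetworks`, a unit `zerotierone.service`, and a service user/group (the `owner`/`group` values are placeholders to adjust).

```nix
# Added example (not from this thread or the sops-nix project).
# Any change to owner/group/mode/path of the secret changes the
# fingerprint string below, which changes the unit's derivation, so
# `nixos-rebuild switch` (or colmena apply) restarts the unit even
# though the decrypted file's path and contents are unchanged.
{ config, ... }:
let
  secret = config.sops.secrets.zerotieroneNetworks;

  # Hash only the fields that affect the file on disk, so unrelated
  # option changes do not cause spurious restarts.
  secretFingerprint = builtins.hashString "sha256" (builtins.toJSON {
    inherit (secret) owner group mode path;
  });
in
{
  sops.secrets.zerotieroneNetworks = {
    owner = "zerotierone";   # assumed service user; adjust to the real one
    group = "zerotierone";   # assumed service group
    mode = "0440";
    # Still covers the case where the *contents* of the secret change.
    restartUnits = [ "zerotierone.service" ];
  };

  # Covers the case from this issue: owner/group/mode changed, contents did not.
  systemd.services.zerotierone.restartTriggers = [ secretFingerprint ];
}
```

`restartTriggers` only takes effect on activation of a new generation; it does not help if the secret file's ownership is changed out of band on the host.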