
Add automatic secret polling for systemd integration

Open brizzbuzz opened this issue 2 months ago • 0 comments

Current Behavior

The systemd integration feature (PR #27) works perfectly for restarting services when secrets change, but currently requires manual triggering of the opnix CLI command to fetch updated secrets from 1Password.

What works:

  • ✅ systemd integration detects secret file changes and restarts configured services
  • ✅ Path watcher monitors /var/lib/opnix/secrets for modifications
  • ✅ When opnix CLI runs, it fetches new secrets and triggers service restarts automatically

What's missing:

  • ❌ No automatic polling of 1Password for secret changes
  • ❌ Requires manual opnix secret execution to check for updates

Proposed Enhancement

Add configurable automatic polling to check 1Password for secret updates at regular intervals.

Implementation Options:

  1. systemd timer: Add optional timer unit to periodically run opnix secret checks
  2. Polling interval config: Allow users to configure check frequency (e.g., hourly, daily)
  3. Smart polling: Only poll when services are running to avoid unnecessary API calls

Configuration Example:

systemdIntegration = {
  enable = true;
  services = ["caddy" "grafana"];
  restartOnChange = true;
  polling = {
    enable = true;
    interval = "1h";  # Check every hour
    onlyWhenServicesActive = true;  # Skip if services are stopped
  };
};

Benefits:

  • Truly automated secret rotation
  • Configurable to balance security, API usage, and freshness
  • Maintains current manual trigger capability
  • Respects 1Password API rate limits

This enhancement would make the systemd integration feature complete for hands-off secret management in production environments.

Additional Considerations

Security & Performance:

  • Default to conservative polling intervals (e.g., 6h or daily)
  • Consider exponential backoff for API errors
  • Log polling activity for debugging
  • Allow disabling polling entirely for manual-only workflows

Integration:

  • Should work seamlessly with existing systemd integration
  • Path watcher should remain as primary change detection mechanism
  • Timer should be optional and disabled by default initially

brizzbuzz, Oct 19 '25 17:10
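As an added illustration (not code from the opnix project), this is the script a oneshot service fired by the proposed timer could run: it implements the `onlyWhenServicesActive` skip, the exponential backoff on fetch errors and the logging listed under Security & Performance. The variable names, the `--run` entry point and the overridable command hooks are assumptions; `opnix secret` is the existing command the timer would invoke.

```shell
#!/bin/sh
# Hypothetical poll script for the proposed opnix polling timer (added example,
# not opnix project code). Variable and hook names are assumptions; the units
# and the fetch command come from the issue's configuration example.
OPNIX_SERVICES="${OPNIX_SERVICES:-caddy grafana}"     # from services = [...]
OPNIX_ONLY_WHEN_ACTIVE="${OPNIX_ONLY_WHEN_ACTIVE:-1}" # onlyWhenServicesActive
OPNIX_MAX_ATTEMPTS="${OPNIX_MAX_ATTEMPTS:-4}"         # cap on attempts per tick
OPNIX_CMD="${OPNIX_CMD:-opnix secret}"                # the fetch being automated
SYSTEMCTL="${SYSTEMCTL:-systemctl}"                   # overridable for testing
SLEEP="${SLEEP:-sleep}"

log() { printf 'opnix-poll: %s\n' "$*" >&2; }   # stderr lands in the journal

# Succeeds if at least one configured unit is active.
any_service_active() {
  for unit in $OPNIX_SERVICES; do
    $SYSTEMCTL is-active --quiet "$unit" && return 0
  done
  return 1
}

# Runs the fetch, sleeping 1s, 2s, 4s, ... between failed attempts.
# Returns 0 on success, 1 once OPNIX_MAX_ATTEMPTS have failed.
fetch_with_backoff() {
  attempt=1; delay=1
  while :; do
    if $OPNIX_CMD; then
      log "secrets refreshed on attempt $attempt"; return 0
    fi
    if [ "$attempt" -ge "$OPNIX_MAX_ATTEMPTS" ]; then
      log "giving up after $attempt failed attempts"; return 1
    fi
    log "fetch failed (attempt $attempt), retrying in ${delay}s"
    $SLEEP "$delay"
    attempt=$((attempt + 1)); delay=$((delay * 2))
  done
}

# One timer tick. Returns 0 on refresh, 1 on persistent failure, 2 if skipped.
poll_once() {
  if [ "$OPNIX_ONLY_WHEN_ACTIVE" = 1 ] && ! any_service_active; then
    log "no configured service is active, skipping this poll"; return 2
  fi
  fetch_with_backoff
}

# Entry point for the timer's service: a deliberate skip is not a unit failure.
if [ "${1:-}" = "--run" ]; then poll_once || [ $? -eq 2 ]; fi
```

The path watcher from PR #27 still does the restart; this script only refreshes the files it watches, so a successful tick triggers the existing restart logic unchanged.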