cluster/services/locksmith: allow waiting for keys

2024-07-10 23:01:49 +02:00 · 2024-07-10 23:01:49 +02:00 · 55741bc8f6
commit 55741bc8f6
parent d7f816ee39
1 changed files with 74 additions and 38 deletions
--- a/cluster/services/locksmith/receiver.nix
+++ b/cluster/services/locksmith/receiver.nix
@ -10,6 +10,40 @@ let
 in

 {
+  options.services.locksmith.waitForSecrets = lib.mkOption {
+    type = with lib.types; attrsOf (listOf str);
+  };
+
+  config = lib.mkMerge [
+    {
+      systemd.services = lib.mapAttrs' (name: secrets: {
+        name = "locksmith-wait-secrets-${name}";
+        value = {
+          description = "Wait for secrets: ${name}";
+          after = [ "locksmith.service" ];
+          before = [ "${name}.service" ];
+          requiredBy = [ "${name}.service" ];
+          serviceConfig = {
+            Type = "oneshot";
+            IPAddressDeny = [ "any" ];
+          };
+          path = [
+            pkgs.inotify-tools
+          ];
+          script = ''
+            for key in ${lib.escapeShellArgs secrets}; do
+              if ! test -e "$key"; then
+                echo "Waiting for secret: $key"
+                inotifywait -qq -e create,moved_to --include "$key" /run/locksmith
+              fi
+              echo "Heard secret: $key"
+            done
+            echo "All secrets known."
+          '';
+        };
+      }) config.services.locksmith.waitForSecrets;
+    }
+    {
      systemd.tmpfiles.settings.locksmith = {
        "/run/locksmith".d = {
          mode = "0711";
@ -50,4 +84,6 @@ in
          done
        '';
      };
+    }
+  ];
 }