Merge pull request #119 from cprussin/main

Use nixops implementation of key services
This commit is contained in:
Zhaofeng Li 2023-01-27 15:23:42 -07:00 committed by GitHub
commit 3d1cdbacd0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 10 deletions


@ -68,11 +68,14 @@ with subtest("Check that key files have correct permissions"):
for path, permission in permissions.items(): for path, permission in permissions.items():
node.succeed(f"if [[ \"{permission}\" != \"$(stat -c '%a %U %G' '{path}')\" ]]; then ls -lah '{path}'; exit 1; fi") node.succeed(f"if [[ \"{permission}\" != \"$(stat -c '%a %U %G' '{path}')\" ]]; then ls -lah '{path}'; exit 1; fi")
with subtest("Check that the key service is started for post-activation keys"):
alpha.wait_for_unit("post-activation-key.service")
with subtest("Check that key services respond to key file changes"): with subtest("Check that key services respond to key file changes"):
alpha.require_unit_state("key-text-key.service", "active") alpha.wait_for_unit("key-text-key.service")
alpha.succeed("rm /run/keys/key-text") alpha.succeed("rm /run/keys/key-text")
alpha.wait_until_succeeds("systemctl --no-pager show key-text-key.service | grep ActiveState=inactive", timeout=10) alpha.require_unit_state("key-text-key.service", "activating")
alpha.succeed("touch /run/keys/key-text") alpha.succeed("touch /run/keys/key-text")
alpha.wait_for_unit("key-text-key.service") alpha.wait_for_unit("key-text-key.service")
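Review bot: The `alpha.require_unit_state("key-text-key.service", "activating")` check on the new side of line 21 is a one-shot assertion made immediately after the `rm`, so it depends on the unit having already exited and been restarted by systemd at that instant; in the interval between the delete and the restart the unit can still report `active` or `deactivating`, which would make this test flaky. The removed line used the polling form for exactly this reason, and the same form fits the new expected state: `alpha.wait_until_succeeds("systemctl --no-pager show key-text-key.service | grep ActiveState=activating", timeout=10)`. The restart window is presumably short given the module's `RestartSec = "100ms"` (second file of this commit), but short is not zero, and the test driver runs the next command as soon as `rm` returns.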


@ -78,19 +78,30 @@ with builtins; {
systemd.services = lib.mapAttrs' (name: val: { systemd.services = lib.mapAttrs' (name: val: {
name = "${name}-key"; name = "${name}-key";
value = { value = {
bindsTo = [ "${name}-key.path" ]; enable = true;
serviceConfig = { serviceConfig = {
Restart = "on-failure"; TimeoutStartSec = "infinity";
Restart = "always";
RestartSec = "100ms";
}; };
path = [ pkgs.inotify-tools ]; path = [ pkgs.inotify-tools ];
script = '' preStart = ''
if [[ ! -e "${val.path}" ]]; then (while read f; do if [ "$f" = "${val.name}" ]; then break; fi; done \
>&2 echo "${val.path} does not exist" < <(inotifywait -qm --format '%f' -e create,move ${val.destDir}) ) &
if [[ -e "${val.path}" ]]; then
echo 'flapped down'
kill %1
exit 0 exit 0
fi fi
wait %1
inotifywait -qq -e delete_self "${val.path}" '';
>&2 echo "${val.path} disappeared" script = ''
inotifywait -qq -e delete_self "${val.path}" &
if [[ ! -e "${val.path}" ]]; then
echo 'flapped up'
exit 0
fi
wait %1
''; '';
}; };
}) config.deployment.keys; }) config.deployment.keys;
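Review bot: In the new `preStart` the directory argument is interpolated unquoted, `-e create,move ${val.destDir}`, while every other key reference in the same script is quoted (`"${val.path}"`, `"${val.name}"`); a `destDir` containing whitespace or glob characters would be word-split by bash and the watch would be set on the wrong path, after which the service never leaves `activating`. Quote it to match: `< <(inotifywait -qm --format '%f' -e create,move "${val.destDir}") ) &` (or pass it through `lib.escapeShellArg` if the module already does so elsewhere). Separately, `kill %1` terminates the subshell but not necessarily the `inotifywait -qm` started inside the process substitution, so in the `flapped down` branch a monitor process likely lingers in the unit's cgroup until the next create/move event in `destDir` makes it hit SIGPIPE or the unit is stopped; a comment stating that this is tolerated (or a `kill` of the whole process group) would make the intent explicit. The enclosing `with builtins; {` attribute set begins outside the hunk.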