use try-reload-or-restart for vault agent

input-output-hk · Jul 20, 2021 · e9ba436 · e9ba436
1 parent 9b159b5
commit e9ba436
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 28 deletions.
diff --git a/modules/vault-agent-client.nix b/modules/vault-agent-client.nix
@@ -73,9 +73,7 @@ let
             {{ end }}{{ end }}
           '';
 
-          command = writeShellScript "update-cert" ''
-            ${pkgs.systemd}/bin/systemctl restart certs-updated.service || true
-          '';
+          command = "${pkgs.systemd}/bin/systemctl try-reload-or-restart certs-updated.service";
         };
       }
 
@@ -89,9 +87,7 @@ let
             {{ end }}{{ end }}
           '';
 
-          command = writeShellScript "update-cert" ''
-            ${pkgs.systemd}/bin/systemctl restart certs-updated.service || true
-          '';
+          command = "${pkgs.systemd}/bin/systemctl try-reload-or-restart certs-updated.service";
         };
       }
 
@@ -103,9 +99,7 @@ let
             {{ with secret ${pkiSecret} }}{{ .Data.private_key }}{{ end }}
           '';
 
-          command = writeShellScript "update-cert" ''
-            ${pkgs.systemd}/bin/systemctl restart certs-updated.service || true
-          '';
+          command = "${pkgs.systemd}/bin/systemctl try-reload-or-restart certs-updated.service";
         };
       }
 
@@ -129,7 +123,7 @@ let
             }
           '';
 
-          command = "${pkgs.systemd}/bin/systemctl reload consul";
+          command = "${pkgs.systemd}/bin/systemctl try-reload-or-restart consul";
         };
       })
 
@@ -141,7 +135,7 @@ let
             {{ with secret "consul/creds/consul-default" }}{{ .Data.token }}{{ end }}
           '';
 
-          command = "${pkgs.systemd}/bin/systemctl reload consul.service";
+          command = "${pkgs.systemd}/bin/systemctl try-reload-or-restart consul.service";
         };
       })
 
@@ -171,10 +165,7 @@ let
             {{ end }}
           '';
 
-          command = writeShellScript "restart-vault" ''
-            set -xu
-            ${pkgs.systemd}/bin/systemctl restart vault.service || true
-          '';
+          command = "${pkgs.systemd}/bin/systemctl try-reload-or-restart vault.service";
         };
       })
 
@@ -213,12 +204,10 @@ in {
         # minimum
         sleep 10
 
-        systemctl reload consul.service
-
-        # systemctl restart vault.service
+        systemctl try-reload-or-restart consul.service
 
         if curl -s -k https://127.0.0.1:4646/v1/status/leader &> /dev/null; then
-          systemctl restart nomad.service
+          systemctl try-reload-or-restart nomad.service
         else
           systemctl start nomad.service
         fi

diff --git a/modules/vault-agent-server.nix b/modules/vault-agent-server.nix
@@ -66,10 +66,10 @@ let
 
         sleep 10
 
-        ${pkgs.systemd}/bin/systemctl restart consul.service
-        ${pkgs.systemd}/bin/systemctl restart nomad.service
-        ${pkgs.systemd}/bin/systemctl restart vault.service
-        ${pkgs.systemd}/bin/systemctl restart ingress.service
+        ${pkgs.systemd}/bin/systemctl try-reload-or-restart consul.service
+        ${pkgs.systemd}/bin/systemctl try-reload-or-restart nomad.service
+        ${pkgs.systemd}/bin/systemctl try-reload-or-restart vault.service
+        ${pkgs.systemd}/bin/systemctl try-reload-or-restart ingress.service
 
         vault write nomad/config/access \
           ca_cert=@/etc/ssl/certs/full.pem \
@@ -83,7 +83,7 @@ let
       (runIf config.services.consul.enable {
         template = {
           destination = "/etc/consul.d/tokens.json";
-          command = "${pkgs.systemd}/bin/systemctl reload consul.service";
+          command = "${pkgs.systemd}/bin/systemctl try-reload-or-restart consul.service";
           contents = if nodeName == "monitoring" then ''
             {
               "acl": {
@@ -116,7 +116,7 @@ let
       (runIf (config.services.consul.enable) {
         template = {
           destination = "/run/keys/consul-default-token";
-          command = "${pkgs.systemd}/bin/systemctl reload consul.service";
+          command = "${pkgs.systemd}/bin/systemctl try-reload-or-restart consul.service";
           contents = ''
             {{ with secret "consul/creds/consul-server-default" }}{{ .Data.token }}{{ end }}
           '';
@@ -126,7 +126,7 @@ let
       # TODO: remove duplication
       (runIf config.services.nomad.enable {
         template = {
-          command = "${pkgs.systemd}/bin/systemctl restart nomad.service";
+          command = "${pkgs.systemd}/bin/systemctl try-reload-or-restart nomad.service";
           destination = "/etc/nomad.d/consul-token.json";
           contents = ''
             {
@@ -140,7 +140,7 @@ let
 
       (runIf config.services.nomad.enable {
         template = {
-          command = "${pkgs.systemd}/bin/systemctl restart nomad.service";
+          command = "${pkgs.systemd}/bin/systemctl try-reload-or-restart nomad.service";
           destination = "/run/keys/nomad-consul-token";
           contents = ''
             {{- with secret "consul/creds/nomad-server" }}{{ .Data.token }}{{ end -}}
@@ -151,7 +151,7 @@ let
       (runIf config.services.nomad-autoscaler.enable {
         template = {
           command =
-            "${pkgs.systemd}/bin/systemctl restart nomad-autoscaler.service";
+            "${pkgs.systemd}/bin/systemctl try-reload-or-restart nomad-autoscaler.service";
           destination = "/run/keys/nomad-autoscaler-token";
           contents = ''
             {{- with secret "nomad/creds/nomad-autoscaler" }}{{ .Data.secret_id }}{{ end -}}