Add automatic secret polling for systemd integration #29

@brizzbuzz

Description

Current Behavior

The systemd integration feature (PR #27) works perfectly for restarting services when secrets change, but currently requires manual triggering of the opnix CLI command to fetch updated secrets from 1Password.

What works:

  • ✅ systemd integration detects secret file changes and restarts configured services
  • ✅ Path watcher monitors /var/lib/opnix/secrets for modifications
  • ✅ When opnix CLI runs, it fetches new secrets and triggers service restarts automatically

What's missing:

  • ❌ No automatic polling of 1Password for secret changes
  • ❌ Requires manual opnix secret execution to check for updates

Proposed Enhancement

Add configurable automatic polling to check 1Password for secret updates at regular intervals.

Implementation Options:

  1. systemd timer: Add optional timer unit to periodically run opnix secret checks
  2. Polling interval config: Allow users to configure check frequency (e.g., hourly, daily)
  3. Smart polling: Only poll when services are running to avoid unnecessary API calls

Configuration Example:

```nix
systemdIntegration = {
  enable = true;
  services = ["caddy" "grafana"];
  restartOnChange = true;
  polling = {
    enable = true;
    interval = "1h";  # Check every hour
    onlyWhenServicesActive = true;  # Skip if services are stopped
  };
};
```

Benefits:

  • Truly automated secret rotation
  • Configurable to balance security, API usage, and freshness
  • Maintains current manual trigger capability
  • Respects 1Password API rate limits

This enhancement would make the systemd integration feature complete for hands-off secret management in production environments.

Additional Considerations

Security & Performance:

  • Default to conservative polling intervals (e.g., 6h or daily)
  • Consider exponential backoff for API errors
  • Log polling activity for debugging
  • Allow disabling polling entirely for manual-only workflows

Integration:

  • Should work seamlessly with existing systemd integration
  • Path watcher should remain as primary change detection mechanism
  • Timer should be optional and disabled by default initially
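The systemd timer that implementation options 1-3 and the "Security & Performance" list describe, as an added example that is not part of the original issue or of opnix itself. It is a hypothetical NixOS module: the option path `services.onepassword-secrets.systemdIntegration`, the `package` option and the bare `opnix secret` invocation are assumptions; `enable`, `services` and the `polling` option names follow the configuration example above.

```nix
# Added example, not opnix's own code: a hypothetical NixOS module that turns the
# proposed `polling` options into a systemd timer plus a oneshot service that
#   - runs `opnix secret` on the configured interval (default 6h, off by default),
#   - skips the 1Password call when none of the watched services is active,
#   - retries with exponential backoff on failure and logs every step to the journal.
# Assumptions: the option path `services.onepassword-secrets.systemdIntegration`,
# a `package` option on the parent module, and that `opnix secret` needs no arguments.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.onepassword-secrets.systemdIntegration;  # assumed option path
  opnix = "${cfg.package}/bin/opnix";                             # assumed option
in
{
  options.services.onepassword-secrets.systemdIntegration.polling = {
    # Disabled by default, so manual-only workflows are unchanged.
    enable = lib.mkEnableOption "periodic polling of 1Password for changed secrets";

    interval = lib.mkOption {
      type = lib.types.str;
      default = "6h";
      example = "1h";
      description = "systemd time span between polls (OnUnitActiveSec=).";
    };

    onlyWhenServicesActive = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Skip the poll when none of the watched services is running.";
    };
  };

  # Relies on the parent module's `enable` and `services` options shown in the issue.
  config = lib.mkIf (cfg.enable && cfg.polling.enable) {
    systemd.services.opnix-poll = {
      description = "Poll 1Password for updated opnix secrets";
      serviceConfig.Type = "oneshot";
      path = [ pkgs.systemd ];  # systemctl for the is-active check below
      script = ''
        set -eu
        ${lib.optionalString (cfg.polling.onlyWhenServicesActive && cfg.services != []) ''
          # `systemctl is-active` exits 0 when at least one listed unit is active,
          # so the poll is skipped only when every watched service is stopped.
          if ! systemctl is-active --quiet ${lib.escapeShellArgs cfg.services}; then
            echo "opnix-poll: no watched service is active, skipping 1Password poll"
            exit 0
          fi
        ''}

        # Exponential backoff: 30s, 60s, 120s between four attempts, so a transient
        # API error does not turn into a burst of requests against 1Password.
        delay=30
        for attempt in 1 2 3 4; do
          if ${opnix} secret; then
            echo "opnix-poll: poll completed (attempt $attempt)"
            exit 0
          fi
          echo "opnix-poll: attempt $attempt failed, retrying in $delay s" >&2
          sleep "$delay"
          delay=$((delay * 2))
        done
        echo "opnix-poll: giving up after 4 attempts" >&2
        exit 1
      '';
    };

    systemd.timers.opnix-poll = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "5min";                      # first poll shortly after boot
        OnUnitActiveSec = cfg.polling.interval;  # then every <interval> after the last run
        RandomizedDelaySec = "10min";            # spread API calls across a fleet
        Persistent = true;                       # run a poll that was missed while powered off
      };
    };
  };
}
```

The existing path watcher stays the change-detection mechanism: the poller only refreshes `/var/lib/opnix/secrets`, and the watcher restarts the configured services as before. `journalctl -u opnix-poll` shows each poll, skip and retry, and `systemctl list-timers opnix-poll` shows the next scheduled run; the randomized delay is what keeps a fleet of hosts from hitting the 1Password API in the same second.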
