nixos/dex: Restart on referenced file changes

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -22,6 +22,8 @@
 
 - The default Elixir version has been updated to 1.18.
 
+- `services.dex` now restarts upon changes to the `.environmentFile` or entries in `.settings.staticClients[].secretFile` when the entry is a `path` type.
+
 - `nixos-rebuild-ng`, a full rewrite of `nixos-rebuild` in Python, is available for testing. You can enable it by setting [system.rebuild.enableNg](options.html#opt-system.rebuild.enableNg) in your configuration (this will replace the old `nixos-rebuild`), or by adding `nixos-rebuild-ng` to your `environment.systemPackages` (in this case, it will live side-by-side with `nixos-rebuild` as `nixos-rebuild-ng`). It is expected that the next major version of NixOS (25.11) will enable `system.rebuild.enableNg` by default.
 - A `nixos-rebuild build-image` sub-command has been added.
 

nixos/modules/services/web-apps/dex.nix

@@ -12,7 +12,12 @@ let
   fixClient =
     client:
     if client ? secretFile then
-      ((builtins.removeAttrs client [ "secretFile" ]) // { secret = client.secretFile; })
+      (
+        (builtins.removeAttrs client [ "secretFile" ])
+        // {
+          secret = client.secretFile;
+        }
+      )
     else
       client;
   filteredSettings = mapAttrs (
@@ -32,6 +37,11 @@ let
       '') secretFiles
     )
   );
+
+  restartTriggers =
+    [ ]
+    ++ (optionals (cfg.environmentFile != null) [ cfg.environmentFile ])
+    ++ (filter (file: builtins.typeOf file == "path") secretFiles);
 in
 {
   options.services.dex = {
@@ -90,6 +100,7 @@ in
         "networking.target"
       ] ++ (optional (cfg.settings.storage.type == "postgres") "postgresql.service");
       path = with pkgs; [ replace-secret ];
+      restartTriggers = restartTriggers;
       serviceConfig =
         {
           ExecStart = "${pkgs.dex-oidc}/bin/dex serve /run/dex/config.yaml";