fix(ops/modules): Increase `RestartSec=` of oauth2_proxy service r/4147

When Keycloak and oauth2_proxy are restarted simultaneously, the
latter might try to come up (repeatedly!) before Keycloak can serve it
properly.

This leads to systemd considering the unit failed.

Since this all happens in the span of a second or so, slightly
increase the restart delay of the service to ensure it comes back
after Keycloak is ready.

A "proper" fix might be to add a script that runs before the actual
service and waits for Keycloak, but I don't want to prioritise that
right now.

Change-Id: I4dadba686de60ffc103fe889ce19f05ca1d7d4fe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5695
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>

1 files changed, 1 insertions, 0 deletions

diff --git a/ops/modules/oauth2_proxy.nix b/ops/modules/oauth2_proxy.nix
index e92572365d52..23afa7bce084 100644
--- a/ops/modules/oauth2_proxy.nix
+++ b/ops/modules/oauth2_proxy.nix
@@ -50,6 +50,7 @@ in
 
       serviceConfig = {
         Restart = "always";
+        RestartSec = "5s";
         DynamicUser = true;
         EnvironmentFile = cfg.secretsFile;
         ExecStart = "${pkgs.oauth2_proxy}/bin/oauth2-proxy --config ${configFile}";