Fix handling of secrets

hosts/iron/services/esphome/default.nix

@@ -2,9 +2,6 @@ args@{ lib, pkgs, config, custom-utils, ... }:
 let
   ports = import ../../ports.nix args;
   cfg = config.services.esphome;
-  devices = [
-    ./yeelight-meteorite.yaml
-  ];
   cfgdir = pkgs.stdenvNoCC.mkDerivation {
     name = "esphome-config";
     src = ./devices;
@@ -22,6 +19,7 @@ in
 {
   sops.secrets.esphome = {
     sopsFile = ../../secrets.yaml;
+    restartUnits = [ config.systemd.services.esphome.name ];
   };
 
   services.esphome = {
@@ -29,11 +27,6 @@ in
     address = "127.0.0.1";
     port = ports.esphome.tcp;
     package = pkgs.esphome;
-    #package = pkgs.esphome.overrideAttrs (attrs: {
-    #  makeWrapperArgs = attrs.makeWrapperArgs ++ [
-    #    "--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ pkgs.stdenv.cc.cc.lib ]}"
-    #  ];
-    #});
   };
 
   systemd.services.esphome = {
@@ -41,13 +34,13 @@ in
       "PLATFORMIO_CORE_DIR" = lib.mkForce "/tmp/.platformio";
     };
     serviceConfig = {
-      BindPaths = [
-        "/var/lib/esphome"
-        "/var/lib/private/esphome"
-      ];
       BindReadOnlyPaths = [
         "/nix/store"
-        "${cfgdir}"
+        cfgdir
+        "%d/secrets.yaml:/var/lib/esphome/secrets.yaml"
+      ];
+      BindPaths = [
+        "/var/lib/esphome"
       ];
       DeviceAllow = [
         "char-ttyACM rw"
@@ -55,8 +48,7 @@ in
         "char-ttyUSB rw"
       ];
       ExecStartPre = [
-        "${pkgs.rsync}/bin/rsync -a --delete --exclude=.esphome --exclude=.platformio --exclude=.gitignore '${cfgdir}/' '/var/lib/esphome/'"
-        "${pkgs.coreutils}/bin/ln -snf '%d/secrets.yaml' '/var/lib/esphome/secrets.yaml'"
+        "${pkgs.rsync}/bin/rsync -a --delete --checksum --exclude secrets.yaml --exclude=.esphome --exclude=.platformio --exclude=.gitignore '${cfgdir}/' '/var/lib/esphome/'"
       ];
       LoadCredential = "secrets.yaml:${config.sops.secrets.esphome.path}";
       PrivateTmp = true;