mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(modules/smtprelay): Load credentials via agenix

Browse source 
Change-Id: I56f6887e1fd35551cfc83ad08cafebb611f4a341
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4760
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Autosubmit: tazjin <mail@tazj.in>
This commit is contained in:
Vincent Ambo 2022-01-01 16:38:14 +03:00 committed by clbot
parent 58c64aa81a
commit 2bf39d7101
2 changed files with 15 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

1
ops/machines/whitby/default.nix
View file

@ -214,6 +214,7 @@ in {
nix-cache-priv.file = secretFile "nix-cache-priv"; nix-cache-priv.file = secretFile "nix-cache-priv";
owothia.file = secretFile "owothia"; owothia.file = secretFile "owothia";
panettone.file = secretFile "panettone"; panettone.file = secretFile "panettone";
smtprelay.file = secretFile "smtprelay";
buildkite-agent-token = { buildkite-agent-token = {
file = secretFile "buildkite-agent-token"; file = secretFile "buildkite-agent-token";

19
ops/modules/smtprelay.nix
View file

@ -14,27 +14,33 @@ let
cfg = config.services.depot.smtprelay; cfg = config.services.depot.smtprelay;
description = "Simple SMTP relay"; description = "Simple SMTP relay";
# Configuration values that are always overridden. In particular, # Configuration values that are always overridden.
# `config` is specified to always load $StateDirectory/secure.config #
# (so that passwords can be loaded from there) and logging is pinned # - logging is pinned to stdout for journald compatibility
# to stdout for journald compatibility. # - secret config is loaded through systemd's credential loading facility
overrideArgs = { overrideArgs = {
logfile = ""; logfile = "";
config = "/var/lib/smtprelay/secure.config"; config = "$CREDENTIALS_DIRECTORY/secrets";
}; };
# Creates the command line argument string for the service. # Creates the command line argument string for the service.
prepareArgs = args: prepareArgs = args:
concatStringsSep " " concatStringsSep " "
(attrValues (mapAttrs (key: value: "-${key} '${toString value}'") (attrValues (mapAttrs (key: value: "-${key} \"${toString value}\"")
(args // overrideArgs))); (args // overrideArgs)));
in { in {
options.services.depot.smtprelay = { options.services.depot.smtprelay = {
enable = mkEnableOption description; enable = mkEnableOption description;
args = mkOption { args = mkOption {
type = types.attrsOf types.str; type = types.attrsOf types.str;
description = "Key value pairs for command line arguments"; description = "Key value pairs for command line arguments";
}; };
secretsFile = mkOption {
type = types.str;
default = "/run/agenix/smtprelay";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -47,6 +53,7 @@ in {
Restart = "always"; Restart = "always";
StateDirectory = "smtprelay"; StateDirectory = "smtprelay";
DynamicUser = true; DynamicUser = true;
LoadCredential = "secrets:${cfg.secretsFile}";
}; };
}; };
}; };