From 536e01e9672253991ec86289f7a75f182782613a Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Thu, 17 Feb 2022 13:36:57 +0300
Subject: [PATCH] refactor(ops/modules): Move journaldriver configuration into module

This makes the journaldriver configuration machine-independent. The secret is loaded from agenix instead of being persisted on disk.

Change-Id: I592ae7f5726fcb7f37a406f69dcf5ac498eeb1b7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5302
Autosubmit: tazjin
Tested-by: BuildkiteCI
Reviewed-by: sterni
---
 ops/machines/whitby/default.nix |  8 +-------
 ops/modules/journaldriver.nix   | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 7 deletions(-)
 create mode 100644 ops/modules/journaldriver.nix

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 1d0096abf..9f1a0a191 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -13,6 +13,7 @@ in
     "${depot.path}/ops/modules/gerrit-queue.nix"
     "${depot.path}/ops/modules/irccat.nix"
     "${depot.path}/ops/modules/josh.nix"
+    "${depot.path}/ops/modules/journaldriver.nix"
     "${depot.path}/ops/modules/known-hosts.nix"
     "${depot.path}/ops/modules/monorepo-gerrit.nix"
     "${depot.path}/ops/modules/nixery.nix"
@@ -481,13 +482,6 @@ in
     ops.deploy-whitby
   ]);
 
-  services.journaldriver = {
-    enable = true;
-    googleCloudProject = "tvl-fyi";
-    logStream = "whitby";
-    applicationCredentials = "/var/lib/journaldriver/key.json";
-  };
-
   # Required for prometheus to be able to scrape stats
   services.nginx.statusPage = true;
 
diff --git a/ops/modules/journaldriver.nix b/ops/modules/journaldriver.nix
new file mode 100644
index 000000000..0d6b0bcc7
--- /dev/null
+++ b/ops/modules/journaldriver.nix
@@ -0,0 +1,26 @@
+# Configures journaldriver to forward to the tvl-fyi GCP project from
+# TVL machines.
+{ config, depot, lib, pkgs, ... }:
+
+{
+  imports = [
+    (depot.third_party.agenix.src + "/modules/age.nix")
+  ];
+
+  age.secrets.journaldriver.file = depot.ops.secrets."journaldriver.age";
+
+  services.journaldriver = {
+    enable = true;
+    googleCloudProject = "tvl-fyi";
+    logStream = config.networking.hostName;
+  };
+
+  # Override the systemd service defined in the nixpkgs module to use
+  # the credentials provided by agenix.
+  systemd.services.journaldriver = {
+    serviceConfig = {
+      LoadCredential = "journaldriver.json:/run/agenix/journaldriver";
+      ExecStart = lib.mkForce "${pkgs.coreutils}/bin/env GOOGLE_APPLICATION_CREDENTIALS=\"\${CREDENTIALS_DIRECTORY}/journaldriver.json\" ${depot.ops.journaldriver}/bin/journaldriver";
+    };
+  };
+}
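Review bot: The comment above `systemd.services.journaldriver` says the override uses the agenix credential but not why it goes through `LoadCredential` rather than pointing the service at `/run/agenix/journaldriver` directly, and that is the property worth preserving: `LoadCredential=` is read by the service manager and exposed to the unit in a private `$CREDENTIALS_DIRECTORY`, so the secret file can stay root-only (agenix's default) and the service user needs no access to the `/run/agenix` path at all. I'd extend the comment with `# LoadCredential lets systemd read the root-only agenix file and hand it to the service privately, so the age secret must not be given an owner/mode for the journaldriver user.` The `ExecStart` override exists only to set `GOOGLE_APPLICATION_CREDENTIALS`; if the deployed systemd supports the `%d` (credentials directory) specifier, `Environment = "GOOGLE_APPLICATION_CREDENTIALS=%d/journaldriver.json";` would avoid the escaped shell-style string and leave the nixpkgs module's `ExecStart` intact, though I have not checked whether that module already sets this variable. The removed whitby block also set `applicationCredentials` and the new module leaves that option unset, which looks intended since the environment variable now supplies the path, but a one-line comment saying so would stop it being read as an omission.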