refactor(ops): Move irccat secret into agenix

The irccat module uses DynamicUser, so a new irccat group has been added
in order to grant it permission.

I have some vague memory of DynamicUser + Group not behaving as one
would expect, but we'll see what happens.

Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
Vincent Ambo 2021-12-10 15:49:11 +03:00
parent 002d183876
commit d4403638cf
4 changed files with 31 additions and 3 deletions


@ -221,6 +221,12 @@ in {
file = secretFile "clbot-ssh"; file = secretFile "clbot-ssh";
owner = "clbot"; owner = "clbot";
}; };
irccat = {
file = secretFile "irccat";
mode = "0440";
group = "irccat";
};
}; };
# Automatically collect garbage from the Nix store. # Automatically collect garbage from the Nix store.
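Review bot: The new irccat entry sets `mode = "0440"` and `group = "irccat"` without saying who is expected to read it, unlike the neighbouring clbot-ssh entry where `owner` makes that obvious; a one-line comment tying it to the service would help, e.g. `# group-readable: the irccat service runs with Group = "irccat" under DynamicUser`. No owner is set, so the file's owner falls back to whatever the secrets helper defaults to — presumably root, which is fine for 0440 but worth confirming. The enclosing secrets attribute set starts before this hunk.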


@ -12,13 +12,13 @@ let
# service launch. # service launch.
configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config); configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config);
configMerge = pkgs.writeShellScript "merge-irccat-config" '' configMerge = pkgs.writeShellScript "merge-irccat-config" ''
if [ ! -f "/etc/secrets/irccat.json" ]; then if [ ! -f "${cfg.secretsFile}" ]; then
echo "irccat secrets file is missing" echo "irccat secrets file is missing"
exit 1 exit 1
fi fi
# jq's * is the recursive merge operator # jq's * is the recursive merge operator
${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} /etc/secrets/irccat.json \ ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} ${cfg.secretsFile} \
> /var/lib/irccat/irccat.json > /var/lib/irccat/irccat.json
''; '';
in { in {
@ -29,6 +29,12 @@ in {
type = lib.types.attrs; # varying value types type = lib.types.attrs; # varying value types
description = "Configuration structure (unchecked!)"; description = "Configuration structure (unchecked!)";
}; };
secretsFile = lib.mkOption {
type = lib.types.str;
description = "Path to the secrets file to be merged";
default = "/run/agenix/irccat";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
@ -40,10 +46,14 @@ in {
serviceConfig = { serviceConfig = {
DynamicUser = true; DynamicUser = true;
Group = "irccat";
StateDirectory = "irccat"; StateDirectory = "irccat";
WorkingDirectory = "/var/lib/irccat"; WorkingDirectory = "/var/lib/irccat";
Restart = "always"; Restart = "always";
}; };
}; };
# Create a real group to grant access to secrets to.
users.groups.irccat = {};
}; };
} }
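Review bot: `${cfg.secretsFile}` is interpolated unquoted into the jq command line in the first hunk, while the existence test two lines earlier quotes it, so a path containing whitespace would break the merge; quote it as well, `${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} "${cfg.secretsFile}" \`. The option is declared as `lib.types.str` with a runtime path default, so its description should state the access requirement, e.g. `description = "Path to the secrets file to be merged; must be readable by the irccat group";`. The DynamicUser plus static `Group = "irccat"` pairing in the third hunk looks consistent with the `users.groups.irccat = {}` declaration as far as the hunk shows, but since the commit message itself is unsure about it, a comment on that line (`# static group so the dynamic user can read the group-readable secret`) would record the intent. The merged output written to /var/lib/irccat/irccat.json now carries the secret too; its permissions are not visible in this change and are worth checking.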

ops/secrets/irccat.age Normal file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 dcsaLw WeT9p0wllWBLB6/RaTgrGO4ubKl3suTC483oBX8Jsh0
IwLXJUlKavRabns7qiqE8TphNngbNxNvvCOpJXFV6Qs
-> ssh-ed25519 OkGqLg +yCpWW0lv9Isk1CYcK/sJijyq+mxNXgVXG0J75vZ4F0
mru1AKnleSb5r+CjB5+jvyC3rRGVF54Q0N4rZHkQsjY
-> _h3i%-grease {3x|6wy X&)#|/^
NMjmXcjJYfi/B3gloItYOFPGl5OHQJRBX0UruGbC5UZUeQDDPWMqRfrSZpiWFYzJ
iDikRO3KSTQBeL+OHHZakQvQVC5rt0zQnC+HIA
--- VZ+e0jdAd2a6fp9OtJQiNageeAqbAwkHDBDujgXx/aY
-a~ª…%UG´Á†v€*"F˜
ìã<öNÚ‡¹qîÛ7/ÚcÜKhPS—Ðy¢<]VÝ*ÖZhõ8Jq«0ôŠÛФ÷'­oÊÛ¥æ3Ó\®zêSÝ¢ÎuEµ-©'Nï`M


@ -10,8 +10,9 @@ let
in { in {
"besadii.age" = default; "besadii.age" = default;
"buildkite-agent-token.age" = default; "buildkite-agent-token.age" = default;
"clbot.age" = default;
"clbot-ssh.age" = default; "clbot-ssh.age" = default;
"clbot.age" = default;
"gerrit-queue.age" = default; "gerrit-queue.age" = default;
"irccat.age" = default;
"owothia.age" = default; "owothia.age" = default;
} }