refactor(ops): Move irccat secret into agenix
The irccat module uses DynamicUser, so a new irccat group has been added to grant it permission to read the secret. I have some vague memory of DynamicUser + Group not behaving as one would expect, but we'll see what happens. Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
This commit is contained in:
parent
002d183876
commit
d4403638cf
4 changed files with 31 additions and 3 deletions
|
@ -221,6 +221,12 @@ in {
|
||||||
file = secretFile "clbot-ssh";
|
file = secretFile "clbot-ssh";
|
||||||
owner = "clbot";
|
owner = "clbot";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
irccat = {
|
||||||
|
file = secretFile "irccat";
|
||||||
|
mode = "0440";
|
||||||
|
group = "irccat";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Automatically collect garbage from the Nix store.
|
# Automatically collect garbage from the Nix store.
|
||||||
|
|
|
@ -12,13 +12,13 @@ let
|
||||||
# service launch.
|
# service launch.
|
||||||
configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config);
|
configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config);
|
||||||
configMerge = pkgs.writeShellScript "merge-irccat-config" ''
|
configMerge = pkgs.writeShellScript "merge-irccat-config" ''
|
||||||
if [ ! -f "/etc/secrets/irccat.json" ]; then
|
if [ ! -f "${cfg.secretsFile}" ]; then
|
||||||
echo "irccat secrets file is missing"
|
echo "irccat secrets file is missing"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# jq's * is the recursive merge operator
|
# jq's * is the recursive merge operator
|
||||||
${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} /etc/secrets/irccat.json \
|
${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} ${cfg.secretsFile} \
|
||||||
> /var/lib/irccat/irccat.json
|
> /var/lib/irccat/irccat.json
|
||||||
'';
|
'';
|
||||||
in {
|
in {
|
||||||
|
@ -29,6 +29,12 @@ in {
|
||||||
type = lib.types.attrs; # varying value types
|
type = lib.types.attrs; # varying value types
|
||||||
description = "Configuration structure (unchecked!)";
|
description = "Configuration structure (unchecked!)";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
secretsFile = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "Path to the secrets file to be merged";
|
||||||
|
default = "/run/agenix/irccat";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
@ -40,10 +46,14 @@ in {
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
|
Group = "irccat";
|
||||||
StateDirectory = "irccat";
|
StateDirectory = "irccat";
|
||||||
WorkingDirectory = "/var/lib/irccat";
|
WorkingDirectory = "/var/lib/irccat";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Create a real group to grant access to secrets to.
|
||||||
|
users.groups.irccat = {};
|
||||||
};
|
};
|
||||||
}
|
}
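Review bot: The merged `/var/lib/irccat/irccat.json` that configMerge writes contains the decrypted secrets, yet the new serviceConfig hunk adds `Group = "irccat"` without any `UMask`, so unless the merge already runs under a restrictive umask the file is created world-readable (0644) inside a StateDirectory that systemd makes 0755 by default, undoing the 0440/group-irccat protection this commit puts on the agenix secret itself. Adding `UMask = "0077";` next to `Group = "irccat";` would cover this provided configMerge runs as an ExecStartPre of this unit; where it is invoked is outside the hunk, so confirm. The existence check in configMerge also does not exercise the group permission the commit relies on — `if [ ! -r "${cfg.secretsFile}" ]; then` with an "irccat secrets file is missing or unreadable" message would surface a DynamicUser/Group mismatch as a clear error instead of a jq failure. Note too that `users.groups.irccat` sits under `lib.mkIf cfg.enable`, while the agenix secret in the other file names `group = "irccat"` with no visible gating; if that secret is ever declared on a host without the service enabled, activation would try to chown to a nonexistent group.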
|
||||||
|
|
11
ops/secrets/irccat.age
Normal file
11
ops/secrets/irccat.age
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 dcsaLw WeT9p0wllWBLB6/RaTgrGO4ubKl3suTC483oBX8Jsh0
|
||||||
|
IwLXJUlKavRabns7qiqE8TphNngbNxNvvCOpJXFV6Qs
|
||||||
|
-> ssh-ed25519 OkGqLg +yCpWW0lv9Isk1CYcK/sJijyq+mxNXgVXG0J75vZ4F0
|
||||||
|
mru1AKnleSb5r+CjB5+jvyC3rRGVF54Q0N4rZHkQsjY
|
||||||
|
-> _h3i%-grease {3x|6wy X&)#|/^
|
||||||
|
NMjmXcjJYfi/B3gloItYOFPGl5OHQJRBX0UruGbC5UZUeQDDPWMqRfrSZpiWFYzJ
|
||||||
|
iDikRO3KSTQBeL+OHHZakQvQVC5rt0zQnC+HIA
|
||||||
|
--- VZ+e0jdAd2a6fp9OtJQiNageeAqbAwkHDBDujgXx/aY
|
||||||
|
-a~ª…%UG´Á†v€*"F˜
|
||||||
|
ìã<öNÚ‡¹qîÛ7/ÚcÜKhP‘S—Ðy¢<]VÝ*ÖZhõ8Jq«0ôŠÛФ÷'oÊÛ¥æ3Ó\®zêSÝ–¢ÎuEµ-©'Nï`M
|
|
@ -10,8 +10,9 @@ let
|
||||||
in {
|
in {
|
||||||
"besadii.age" = default;
|
"besadii.age" = default;
|
||||||
"buildkite-agent-token.age" = default;
|
"buildkite-agent-token.age" = default;
|
||||||
"clbot.age" = default;
|
|
||||||
"clbot-ssh.age" = default;
|
"clbot-ssh.age" = default;
|
||||||
|
"clbot.age" = default;
|
||||||
"gerrit-queue.age" = default;
|
"gerrit-queue.age" = default;
|
||||||
|
"irccat.age" = default;
|
||||||
"owothia.age" = default;
|
"owothia.age" = default;
|
||||||
}
|
}
|
||||||
|
|