refactor(ops): Move irccat secret into agenix
The irccat module uses DynamicUser, so to grant it permission to read the secret, a new group has been added for irccat. I have some vague memory of DynamicUser + Group not behaving as one would expect, but we'll see what happens. Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
parent
002d183876
commit
d4403638cf
4 changed files with 31 additions and 3 deletions
|
@ -221,6 +221,12 @@ in {
|
|||
file = secretFile "clbot-ssh";
|
||||
owner = "clbot";
|
||||
};
|
||||
|
||||
irccat = {
|
||||
file = secretFile "irccat";
|
||||
mode = "0440";
|
||||
group = "irccat";
|
||||
};
|
||||
};
|
||||
|
||||
# Automatically collect garbage from the Nix store.
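Review bot: The `group = "irccat"` grant in the new `irccat = { ... }` entry only resolves if users.groups.irccat exists on this host, and that group is created inside the irccat module's `config = lib.mkIf cfg.enable` block, so this secret declaration silently depends on the module being enabled here; a one-line comment would make the coupling visible, e.g. `# readable by the irccat group, which the irccat module creates (users.groups.irccat)`. No owner is set, so under `mode = "0440"` the readers are whatever owner agenix defaults to (presumably root) plus that group, which matches the intended scope. The attribute set these entries belong to starts outside the hunk.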
|
||||
|
|
|
@ -12,13 +12,13 @@ let
|
|||
# service launch.
|
||||
configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config);
|
||||
configMerge = pkgs.writeShellScript "merge-irccat-config" ''
|
||||
if [ ! -f "/etc/secrets/irccat.json" ]; then
|
||||
if [ ! -f "${cfg.secretsFile}" ]; then
|
||||
echo "irccat secrets file is missing"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# jq's * is the recursive merge operator
|
||||
${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} /etc/secrets/irccat.json \
|
||||
${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} ${cfg.secretsFile} \
|
||||
> /var/lib/irccat/irccat.json
|
||||
'';
|
||||
in {
|
||||
|
@ -29,6 +29,12 @@ in {
|
|||
type = lib.types.attrs; # varying value types
|
||||
description = "Configuration structure (unchecked!)";
|
||||
};
|
||||
|
||||
secretsFile = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Path to the secrets file to be merged";
|
||||
default = "/run/agenix/irccat";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
@ -40,10 +46,14 @@ in {
|
|||
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
Group = "irccat";
|
||||
StateDirectory = "irccat";
|
||||
WorkingDirectory = "/var/lib/irccat";
|
||||
Restart = "always";
|
||||
};
|
||||
};
|
||||
|
||||
# Create a real group to grant access to secrets to.
|
||||
users.groups.irccat = {};
|
||||
};
|
||||
}
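Review bot: In the first hunk of this file the new jq invocation interpolates `${cfg.secretsFile}` unquoted (`${configJson} ${cfg.secretsFile} \`), whereas the `-f` test just above quotes the same value; since the option is a `lib.types.str`, a path containing whitespace or shell metacharacters would be word-split there, so write `${configJson} "${cfg.secretsFile}" \` (or declare the option as `lib.types.path`). Given the uncertainty the commit message raises about DynamicUser combined with a static `Group=`, the existence check would be more useful as a readability check, `if [ ! -r "${cfg.secretsFile}" ]; then` with `echo "irccat secrets file is missing or unreadable"`, so a group grant that does not take effect fails with that explicit message rather than a jq permission error. The option description could also state that the file must hold a JSON object, since it is passed straight to `jq -s '.[0] * .[1]'`, e.g. `description = "Path to a JSON file whose contents are recursively merged into the config";`. The `let` block, the option attribute set and the service definition each begin outside their hunks.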
|
||||
|
|
11
ops/secrets/irccat.age
Normal file
11
ops/secrets/irccat.age
Normal file
|
@ -0,0 +1,11 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dcsaLw WeT9p0wllWBLB6/RaTgrGO4ubKl3suTC483oBX8Jsh0
|
||||
IwLXJUlKavRabns7qiqE8TphNngbNxNvvCOpJXFV6Qs
|
||||
-> ssh-ed25519 OkGqLg +yCpWW0lv9Isk1CYcK/sJijyq+mxNXgVXG0J75vZ4F0
|
||||
mru1AKnleSb5r+CjB5+jvyC3rRGVF54Q0N4rZHkQsjY
|
||||
-> _h3i%-grease {3x|6wy X&)#|/^
|
||||
NMjmXcjJYfi/B3gloItYOFPGl5OHQJRBX0UruGbC5UZUeQDDPWMqRfrSZpiWFYzJ
|
||||
iDikRO3KSTQBeL+OHHZakQvQVC5rt0zQnC+HIA
|
||||
--- VZ+e0jdAd2a6fp9OtJQiNageeAqbAwkHDBDujgXx/aY
|
||||
-a~ª…%UG´Á†v€*"F˜
|
||||
ìã<öNÚ‡¹qîÛ7/ÚcÜKhP‘S—Ðy¢<]VÝ*ÖZhõ8Jq«0ôŠÛФ÷'oÊÛ¥æ3Ó\®zêSÝ–¢ÎuEµ-©'Nï`M
|
|
@ -10,8 +10,9 @@ let
|
|||
in {
|
||||
"besadii.age" = default;
|
||||
"buildkite-agent-token.age" = default;
|
||||
"clbot.age" = default;
|
||||
"clbot-ssh.age" = default;
|
||||
"clbot.age" = default;
|
||||
"gerrit-queue.age" = default;
|
||||
"irccat.age" = default;
|
||||
"owothia.age" = default;
|
||||
}
|
||||
|
|