refactor(ops): Move irccat secret into agenix

The irccat module uses DynamicUser, so to grant permission to it a new group has been added for irccat. I have some vague memory of DynamicUser + Group not behaving as one would expect, but we'll see what happens. Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
2021-12-10 15:49:11 +03:00 · 2021-12-10 15:49:11 +03:00 · d4403638cf
commit d4403638cf
parent 002d183876
4 changed files with 31 additions and 3 deletions
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@ -221,6 +221,12 @@ in {
        file = secretFile "clbot-ssh";
        owner = "clbot";
      };
+
+      irccat = {
+        file = secretFile "irccat";
+        mode = "0440";
+        group = "irccat";
+      };
    };

  # Automatically collect garbage from the Nix store.
--- a/ops/modules/irccat.nix
+++ b/ops/modules/irccat.nix
@ -12,13 +12,13 @@ let
  # service launch.
  configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config);
  configMerge = pkgs.writeShellScript "merge-irccat-config" ''
-    if [ ! -f "/etc/secrets/irccat.json" ]; then
+    if [ ! -f "${cfg.secretsFile}" ]; then
      echo "irccat secrets file is missing"
      exit 1
    fi

    # jq's * is the recursive merge operator
-    ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} /etc/secrets/irccat.json \
+    ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} ${cfg.secretsFile} \
      > /var/lib/irccat/irccat.json
  '';
 in {
@ -29,6 +29,12 @@ in {
      type = lib.types.attrs; # varying value types
      description = "Configuration structure (unchecked!)";
    };
+
+    secretsFile = lib.mkOption {
+      type = lib.types.str;
+      description = "Path to the secrets file to be merged";
+      default = "/run/agenix/irccat";
+    };
  };

  config = lib.mkIf cfg.enable {
@ -40,10 +46,14 @@ in {

      serviceConfig = {
        DynamicUser = true;
+        Group = "irccat";
        StateDirectory = "irccat";
        WorkingDirectory = "/var/lib/irccat";
        Restart = "always";
      };
    };
+
+    # Create a real group to grant access to secrets to.
+    users.groups.irccat = {};
  };
 }
--- a/ops/secrets/irccat.age
+++ b/ops/secrets/irccat.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw WeT9p0wllWBLB6/RaTgrGO4ubKl3suTC483oBX8Jsh0
+IwLXJUlKavRabns7qiqE8TphNngbNxNvvCOpJXFV6Qs
+-> ssh-ed25519 OkGqLg +yCpWW0lv9Isk1CYcK/sJijyq+mxNXgVXG0J75vZ4F0
+mru1AKnleSb5r+CjB5+jvyC3rRGVF54Q0N4rZHkQsjY
+-> _h3i%-grease {3x|6wy X&)#|/^
+NMjmXcjJYfi/B3gloItYOFPGl5OHQJRBX0UruGbC5UZUeQDDPWMqRfrSZpiWFYzJ
+iDikRO3KSTQBeL+OHHZakQvQVC5rt0zQnC+HIA
+--- VZ+e0jdAd2a6fp9OtJQiNageeAqbAwkHDBDujgXx/aY
+-a~ª…%UG´Á†v€*"F˜
+ìã<öNÚ‡¹qîÛ7/ÚcÜKhP‘S—Ðy¢<]VÝ*ÖZhõ8Jq«0ôŠÛÐ¤÷'oÊÛ¥æ3Ó\®zêSÝ–¢ÎuEµ-©'Nï`M
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@ -10,8 +10,9 @@ let
 in {
  "besadii.age" = default;
  "buildkite-agent-token.age" = default;
-  "clbot.age" = default;
  "clbot-ssh.age" = default;
+  "clbot.age" = default;
  "gerrit-queue.age" = default;
+  "irccat.age" = default;
  "owothia.age" = default;
 }