authorVincent Ambo <mail@tazj.in>2023-09-30T19·24+0300
committertazjin <tazjin@tvl.su>2023-09-30T21·47+0000
commit5df59d2c7f5b256abc1013e58cf04c9b0362ac5d (patch)
tree5d6f641a7fdd83ca02557e36830ae3f41a1d5270
parentd3a59662ca5c6b7aed0e8235a0a7e3267afd1f3a (diff)
feat(tazjin/nixos): add geesefs mount unit for koptevo ... r/6679
... this will make sense soon!

Change-Id: I1f8f32d655afdf868fff4bd09e1fea2943fd7558
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9496
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
-rw-r--r--users/tazjin/nixos/koptevo/default.nix1
-rw-r--r--users/tazjin/nixos/modules/geesefs.nix37
2 files changed, 38 insertions, 0 deletions
diff --git a/users/tazjin/nixos/koptevo/default.nix b/users/tazjin/nixos/koptevo/default.nix
index dba8550da051..11bbfde138aa 100644
--- a/users/tazjin/nixos/koptevo/default.nix
+++ b/users/tazjin/nixos/koptevo/default.nix
@@ -15,6 +15,7 @@ in
     (usermod "monica.nix")
     (usermod "predlozhnik.nix")
     (usermod "tgsa.nix")
+    (usermod "geesefs.nix")
     (depot.third_party.agenix.src + "/modules/age.nix")
   ];
 
diff --git a/users/tazjin/nixos/modules/geesefs.nix b/users/tazjin/nixos/modules/geesefs.nix
new file mode 100644
index 000000000000..1d4273f7fc59
--- /dev/null
+++ b/users/tazjin/nixos/modules/geesefs.nix
@@ -0,0 +1,37 @@
+{ depot, pkgs, ... }:
+
+{
+  imports = [
+    (depot.third_party.agenix.src + "/modules/age.nix")
+  ];
+
+  age.secrets.geesefs-tazjins-files.file = depot.users.tazjin.secrets."geesefs-tazjins-files.age";
+  programs.fuse.userAllowOther = true;
+
+  systemd.services.geesefs = {
+    description = "geesefs @ tazjins-files";
+    wantedBy = [ "multi-user.target" ];
+    path = [ pkgs.fuse ];
+
+    serviceConfig = {
+      # TODO: can't get fusermount to work for non-root users (e.g. DynamicUser) here, why?
+
+      Restart = "always";
+      LoadCredential = "geesefs-tazjins-files:/run/agenix/geesefs-tazjins-files";
+      StateDirectory = "geesefs";
+    };
+
+    script = ''
+      set -u # bail out if systemd is misconfigured ...
+      set -x
+
+      mkdir -p $STATE_DIRECTORY/tazjins-files $STATE_DIRECTORY/cache
+
+      ${depot.third_party.geesefs}/bin/geesefs \
+        -f -o allow_other \
+        --cache $STATE_DIRECTORY/cache \
+        --shared-config $CREDENTIALS_DIRECTORY/geesefs-tazjins-files \
+        tazjins-files $STATE_DIRECTORY/tazjins-files
+    '';
+  };
+}
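Review bot: The unit has no `User`/`DynamicUser`, so the geesefs process, the FUSE mount with `allow_other`, and the read of the loaded credential all run as root; the TODO at the top of `serviceConfig` records that the non-root attempt failed but does not say this is the accepted state, so I would make the comment explicit: `# NOTE: runs as root (no DynamicUser) because fusermount failed for non-root users; allow_other exposes the mount system-wide.`. `set -x` echoes every expanded command line to the journal; that is harmless today because the secret is passed only as a path under `$CREDENTIALS_DIRECTORY`, but it means any future change that puts credential material directly on the command line would land in the logs, so either drop `set -x` once the unit is stable or keep the path-only convention. The script sets `set -u` but not `set -e`, so a failed `mkdir -p` still proceeds to the mount attempt and, with `Restart = "always"`, into a restart loop; `set -eu` at the top of the script would fail fast instead. Whether systemd sandboxing directives (e.g. `ProtectSystem`) can be added here without hiding the mount from the rest of the system depends on mount propagation and should be tested before being relied on.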