diff options
| author | Vincent Ambo <mail@tazj.in> | 2022-02-17T10·36+0300 |
|---|---|---|
| committer | tazjin <tazjin@tvl.su> | 2022-02-18T11·38+0000 |
| commit | 536e01e9672253991ec86289f7a75f182782613a (patch) | |
| tree | cdb513091ce8bc7b5b0d32a9d391be7f51db26a3 | |
| parent | c72abe04f24c3108346f0fc8a6d147a2c0958d6b (diff) | |
refactor(ops/modules): Move journaldriver configuration into module r/3847
This makes the journaldriver configuration machine-independent. The secret is loaded from agenix instead of being persisted on disk. Change-Id: I592ae7f5726fcb7f37a406f69dcf5ac498eeb1b7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5302 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
| -rw-r--r-- | ops/machines/whitby/default.nix | 8 | ||||
| -rw-r--r-- | ops/modules/journaldriver.nix | 26 |
2 files changed, 27 insertions, 7 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix index 1d0096abff..9f1a0a1914 100644 --- a/ops/machines/whitby/default.nix +++ b/ops/machines/whitby/default.nix @@ -13,6 +13,7 @@ in "${depot.path}/ops/modules/gerrit-queue.nix" "${depot.path}/ops/modules/irccat.nix" "${depot.path}/ops/modules/josh.nix" + "${depot.path}/ops/modules/journaldriver.nix" "${depot.path}/ops/modules/known-hosts.nix" "${depot.path}/ops/modules/monorepo-gerrit.nix" "${depot.path}/ops/modules/nixery.nix" @@ -481,13 +482,6 @@ in ops.deploy-whitby ]); - services.journaldriver = { - enable = true; - googleCloudProject = "tvl-fyi"; - logStream = "whitby"; - applicationCredentials = "/var/lib/journaldriver/key.json"; - }; - # Required for prometheus to be able to scrape stats services.nginx.statusPage = true; diff --git a/ops/modules/journaldriver.nix b/ops/modules/journaldriver.nix new file mode 100644 index 0000000000..0d6b0bcc7f --- /dev/null +++ b/ops/modules/journaldriver.nix @@ -0,0 +1,26 @@ +# Configures journaldriver to forward to the tvl-fyi GCP project from +# TVL machines. +{ config, depot, lib, pkgs, ... }: + +{ + imports = [ + (depot.third_party.agenix.src + "/modules/age.nix") + ]; + + age.secrets.journaldriver.file = depot.ops.secrets."journaldriver.age"; + + services.journaldriver = { + enable = true; + googleCloudProject = "tvl-fyi"; + logStream = config.networking.hostName; + }; + + # Override the systemd service defined in the nixpkgs module to use + # the credentials provided by agenix. + systemd.services.journaldriver = { + serviceConfig = { + LoadCredential = "journaldriver.json:/run/agenix/journaldriver"; + ExecStart = lib.mkForce "${pkgs.coreutils}/bin/env GOOGLE_APPLICATION_CREDENTIALS=\"\${CREDENTIALS_DIRECTORY}/journaldriver.json\" ${depot.ops.journaldriver}/bin/journaldriver"; + }; + }; +} |