author | Vincent Ambo <mail@tazj.in> | 2021-12-10T14·10+0300 |
---|---|---|
committer | clbot <clbot@tvl.fyi> | 2021-12-10T15·09+0000 |
commit | b8267c261ca647ea5465ac8c0be443c14e9f01b6 (patch) | |
tree | 1a8f0f99562c1f4c8bfbf9999e63bbdf6ddcc4a0 /ops | |
parent | 67bde5ecc3e03e1483039bf697bedd179fef617e (diff) |
fix(ops/irccat): Avoid permissions issue with LoadCredentials= r/3191
The DynamicUser + Group configuration does not work as planned, so the systemd LoadCredentials feature is used instead, which makes the file (which itself is only readable by root) available in a memory-backed location readable only by the service. The secret is only available to `ExecStart` commands, so units using this feature cannot be combined with pre/post units and the like if those commands need secrets. To accommodate this, the merge of configuration files has been moved into the service launch script, which is now the ExecStart= process. For details, see https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH Change-Id: I693fe5677cc0d63c7aa485c2c7472457c5262166
Diffstat (limited to 'ops')
-rw-r--r-- | ops/machines/whitby/default.nix | 7 | ||||
-rw-r--r-- | ops/modules/irccat.nix | 16 |
2 files changed, 8 insertions, 15 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 381980fd37e8..41b53fa98445 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -209,6 +209,7 @@ in {
 in {
 clbot.file = secretFile "clbot";
 gerrit-queue.file = secretFile "gerrit-queue";
+ irccat.file = secretFile "irccat";
 owothia.file = secretFile "owothia";
 
 buildkite-agent-token = {
@@ -221,12 +222,6 @@ in {
 file = secretFile "clbot-ssh";
 owner = "clbot";
 };
-
- irccat = {
- file = secretFile "irccat";
- mode = "0440";
- group = "irccat";
- };
 };
 
 # Automatically collect garbage from the Nix store.
diff --git a/ops/modules/irccat.nix b/ops/modules/irccat.nix
index 9d3eea53c073..9b4b96d3addf 100644
--- a/ops/modules/irccat.nix
+++ b/ops/modules/irccat.nix
@@ -11,15 +11,17 @@ let
 # then recursively merge it with an on-disk secret using jq on
 # service launch.
 configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config);
- configMerge = pkgs.writeShellScript "merge-irccat-config" ''
- if [ ! -f "${cfg.secretsFile}" ]; then
+ mergeAndLaunch = pkgs.writeShellScript "merge-irccat-config" ''
+ if [ ! -f "$CREDENTIALS_DIRECTORY/secrets" ]; then
 echo "irccat secrets file is missing"
 exit 1
 fi
 
 # jq's * is the recursive merge operator
- ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} ${cfg.secretsFile} \
+ ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} "$CREDENTIALS_DIRECTORY/secrets" \
 > /var/lib/irccat/irccat.json
+
+ exec ${depot.third_party.irccat}/bin/irccat
 '';
 in {
 options.services.depot.irccat = {
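Review bot: In the new mergeAndLaunch script the `> /var/lib/irccat/irccat.json` redirect truncates the config before jq has parsed its inputs, so a malformed or empty credential leaves an empty file and the `exec` on the following added line still launches irccat against it; as far as I recall `pkgs.writeShellScript` only prepends a shebang and does not enable errexit, so the script should start with `set -euo pipefail`, or better, write to a temporary file in the same directory and `mv` it into place only after jq has succeeded. The leading comment in the hunk context, `# then recursively merge it with an on-disk secret using jq on`, is now stale since the secret arrives through `$CREDENTIALS_DIRECTORY`; I would reword it to `# then recursively merge it with the secret systemd hands us via LoadCredential=`. The derivation is also still called `merge-irccat-config` although it is now the unit's main process, which will show up in journal and process listings; `irccat-launch` would describe it more accurately. The `let` binding list continues outside this hunk.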
@@ -40,20 +42,16 @@ in {
 config = lib.mkIf cfg.enable {
 systemd.services.irccat = {
 inherit description;
- preStart = "${configMerge}";
- script = "${depot.third_party.irccat}/bin/irccat";
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
+ ExecStart = "${mergeAndLaunch}";
 DynamicUser = true;
- Group = "irccat";
 StateDirectory = "irccat";
 WorkingDirectory = "/var/lib/irccat";
+ LoadCredential = "secrets:${cfg.secretsFile}";
 Restart = "always";
 };
 };
-
- # Create a real group to grant access to secrets to.
- users.groups.irccat = {};
 };
 } |
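Review bot: The `serviceConfig` block keeps `StateDirectory = "irccat"` without a `StateDirectoryMode`, and systemd's default for that directory is 0755, so the merged `/var/lib/irccat/irccat.json` that the launch script produces, which contains the secret after the jq merge, sits on persistent disk readable by any local account, while the raw credential itself is carefully confined to the memory-backed, service-only `$CREDENTIALS_DIRECTORY`. Adding `StateDirectoryMode = "0700";` next to the `StateDirectory` line closes that gap for the on-disk copy; alternatively the merge could target `$RUNTIME_DIRECTORY` with a `RuntimeDirectory = "irccat";` entry so the secret-bearing file never leaves tmpfs, which would also mean the `WorkingDirectory` should follow. The unit is a long-running `DynamicUser` service that now also execs the daemon from a shell wrapper, so this is a good moment to add the usual `NoNewPrivileges`/`ProtectSystem` style hardening, though that is outside the scope of this fix. The whole `config = lib.mkIf` attribute set and the module's closing brace are inside this hunk.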