author | Vincent Ambo <mail@tazj.in> | 2021-12-10T12·49+0300 |
---|---|---|
committer | Vincent Ambo <mail@tazj.in> | 2021-12-10T13·13+0300 |
commit | d4403638cf02d544d87a0ce9101ee5b18ff09d96 (patch) | |
tree | 6ae1aac862a9057291f5e7e2e33ecf6230ba01ff /ops | |
parent | 002d183876e67338498bd4fbae9928af4fb5694c (diff) |
refactor(ops): Move irccat secret into agenix r/3184
The irccat module uses DynamicUser, so to grant it permission a new group has been added for irccat. I have some vague memory of DynamicUser + Group not behaving as one would expect, but we'll see what happens. Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
Diffstat (limited to 'ops')
-rw-r--r-- | ops/machines/whitby/default.nix | 6 | ||||
-rw-r--r-- | ops/modules/irccat.nix | 14 | ||||
-rw-r--r-- | ops/secrets/irccat.age | 11 | ||||
-rw-r--r-- | ops/secrets/secrets.nix | 3 |
4 files changed, 31 insertions, 3 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 8cec05284a75..381980fd37e8 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -221,6 +221,12 @@ in {
 file = secretFile "clbot-ssh";
 owner = "clbot";
 };
+
+ irccat = {
+ file = secretFile "irccat";
+ mode = "0440";
+ group = "irccat";
+ };
 };
 # Automatically collect garbage from the Nix store.
diff --git a/ops/modules/irccat.nix b/ops/modules/irccat.nix
index e4b30b73553e..9d3eea53c073 100644
--- a/ops/modules/irccat.nix
+++ b/ops/modules/irccat.nix
@@ -12,13 +12,13 @@ let
 # service launch.
 configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config);
 configMerge = pkgs.writeShellScript "merge-irccat-config" ''
- if [ ! -f "/etc/secrets/irccat.json" ]; then
+ if [ ! -f "${cfg.secretsFile}" ]; then
 echo "irccat secrets file is missing"
 exit 1
 fi
 # jq's * is the recursive merge operator
- ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} /etc/secrets/irccat.json \
+ ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} ${cfg.secretsFile} \
 > /var/lib/irccat/irccat.json
 '';
 in {
@@ -29,6 +29,12 @@ in {
 type = lib.types.attrs; # varying value types
 description = "Configuration structure (unchecked!)";
 };
+
+ secretsFile = lib.mkOption {
+ type = lib.types.str;
+ description = "Path to the secrets file to be merged";
+ default = "/run/agenix/irccat";
+ };
 };
 config = lib.mkIf cfg.enable {
@@ -40,10 +46,14 @@ in {
 serviceConfig = {
 DynamicUser = true;
+ Group = "irccat";
 StateDirectory = "irccat";
 WorkingDirectory = "/var/lib/irccat";
 Restart = "always";
 };
 };
+
+ # Create a real group to grant access to secrets to.
+ users.groups.irccat = {};
 };
}
diff --git a/ops/secrets/irccat.age b/ops/secrets/irccat.age
new file mode 100644
index 000000000000..9015acdc78b1
--- /dev/null
+++ b/ops/secrets/irccat.age
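Review bot: The rewritten jq line in `configMerge` still writes the decrypted secrets into `/var/lib/irccat/irccat.json`, and nothing in the hunk restricts that file's permissions; a `StateDirectory` is created `0755` by default and the shell redirect inherits the service umask (`0022` by default), so the merged file is presumably world-readable unless `UMask` or `StateDirectoryMode` is set elsewhere in the module. Adding `umask 077` as the first line of the script, before the `if`, would keep the merged file private to the service user. The `${cfg.secretsFile}` interpolation on the jq line should also be quoted as `"${cfg.secretsFile}"`, as it already is in the `-f` test, since the option is a free-form `str`. The enclosing `let` block starts and ends outside the hunk.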
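Review bot: The new `secretsFile` option's description does not say what the file has to contain, yet the merge script hands it to `jq -s '.[0] * .[1]'`, so anything other than a JSON object at that path fails the merge at every service start. I would make the contract explicit: `description = "Path to the JSON secrets file merged recursively over config at service start";`. The `options` attribute set enclosing this hunk is cut at both ends.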
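Review bot: `Group = "irccat"` on a `DynamicUser = true` service makes the static group the unit's primary group, which presumably also changes the group ownership systemd applies to the `irccat` `StateDirectory`; the commit message itself is unsure how this combination behaves. If the only goal is to let the dynamic user read the `0440` secret, `SupplementaryGroups = [ "irccat" ];` is the documented way to give a dynamic user membership in a static group without replacing its primary group, so I would prefer that line over `Group`. Either way it is worth confirming after deploy that the unit can read `/run/agenix/irccat` and still write to `/var/lib/irccat`. The `systemd.services.irccat` definition starts before the hunk.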
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 dcsaLw WeT9p0wllWBLB6/RaTgrGO4ubKl3suTC483oBX8Jsh0 +IwLXJUlKavRabns7qiqE8TphNngbNxNvvCOpJXFV6Qs +-> ssh-ed25519 OkGqLg +yCpWW0lv9Isk1CYcK/sJijyq+mxNXgVXG0J75vZ4F0 +mru1AKnleSb5r+CjB5+jvyC3rRGVF54Q0N4rZHkQsjY +-> _h3i%-grease {3x|6wy X&)#|/^ +NMjmXcjJYfi/B3gloItYOFPGl5OHQJRBX0UruGbC5UZUeQDDPWMqRfrSZpiWFYzJ +iDikRO3KSTQBeL+OHHZakQvQVC5rt0zQnC+HIA +--- VZ+e0jdAd2a6fp9OtJQiNageeAqbAwkHDBDujgXx/aY +-a~ª…%UG´Á†v€*"F˜ +ìã<öNÚ‡¹qîÛ7/ÚcÜKhP‘S—Ðy¢<]VÝ*ÖZhõ8Jq«0ôŠÛФ÷'oÊÛ¥æ3Ó\®zêSÝ–¢ÎuEµ-©'Nï`M \ No newline at end of file diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index f98f884f4b7c..94835bb28251 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix @@ -10,8 +10,9 @@ let in { "besadii.age" = default; "buildkite-agent-token.age" = default; - "clbot.age" = default; "clbot-ssh.age" = default; + "clbot.age" = default; "gerrit-queue.age" = default; + "irccat.age" = default; "owothia.age" = default; } |