diff options
author | Vincent Ambo <mail@tazj.in> | 2021-12-10T12·49+0300 |
---|---|---|
committer | Vincent Ambo <mail@tazj.in> | 2021-12-10T13·13+0300 |
commit | d4403638cf02d544d87a0ce9101ee5b18ff09d96 (patch) | |
tree | 6ae1aac862a9057291f5e7e2e33ecf6230ba01ff /ops | |
parent | 002d183876e67338498bd4fbae9928af4fb5694c (diff) |
refactor(ops): Move irccat secret into agenix r/3184
The irccat module uses DynamicUser, so to grant permission to it a new group has been added for irccat. I have some vague memory of DynamicUser + Group not behaving as one would expect, but we'll see what happens. Change-Id: Iab9f6a3f1a53c4133b635458ce173250cc9a3fac
Diffstat (limited to 'ops')
-rw-r--r-- | ops/machines/whitby/default.nix | 6 | ||||
-rw-r--r-- | ops/modules/irccat.nix | 14 | ||||
-rw-r--r-- | ops/secrets/irccat.age | 11 | ||||
-rw-r--r-- | ops/secrets/secrets.nix | 3 |
4 files changed, 31 insertions, 3 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix index 8cec05284a75..381980fd37e8 100644 --- a/ops/machines/whitby/default.nix +++ b/ops/machines/whitby/default.nix @@ -221,6 +221,12 @@ in { file = secretFile "clbot-ssh"; owner = "clbot"; }; + + irccat = { + file = secretFile "irccat"; + mode = "0440"; + group = "irccat"; + }; }; # Automatically collect garbage from the Nix store. diff --git a/ops/modules/irccat.nix b/ops/modules/irccat.nix index e4b30b73553e..9d3eea53c073 100644 --- a/ops/modules/irccat.nix +++ b/ops/modules/irccat.nix @@ -12,13 +12,13 @@ let # service launch. configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config); configMerge = pkgs.writeShellScript "merge-irccat-config" '' - if [ ! -f "/etc/secrets/irccat.json" ]; then + if [ ! -f "${cfg.secretsFile}" ]; then echo "irccat secrets file is missing" exit 1 fi # jq's * is the recursive merge operator - ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} /etc/secrets/irccat.json \ + ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} ${cfg.secretsFile} \ > /var/lib/irccat/irccat.json ''; in { @@ -29,6 +29,12 @@ in { type = lib.types.attrs; # varying value types description = "Configuration structure (unchecked!)"; }; + + secretsFile = lib.mkOption { + type = lib.types.str; + description = "Path to the secrets file to be merged"; + default = "/run/agenix/irccat"; + }; }; config = lib.mkIf cfg.enable { @@ -40,10 +46,14 @@ in { serviceConfig = { DynamicUser = true; + Group = "irccat"; StateDirectory = "irccat"; WorkingDirectory = "/var/lib/irccat"; Restart = "always"; }; }; + + # Create a real group to grant access to secrets to. + users.groups.irccat = {}; }; } diff --git a/ops/secrets/irccat.age b/ops/secrets/irccat.age new file mode 100644 index 000000000000..9015acdc78b1 --- /dev/null +++ b/ops/secrets/irccat.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 dcsaLw WeT9p0wllWBLB6/RaTgrGO4ubKl3suTC483oBX8Jsh0 +IwLXJUlKavRabns7qiqE8TphNngbNxNvvCOpJXFV6Qs +-> ssh-ed25519 OkGqLg +yCpWW0lv9Isk1CYcK/sJijyq+mxNXgVXG0J75vZ4F0 +mru1AKnleSb5r+CjB5+jvyC3rRGVF54Q0N4rZHkQsjY +-> _h3i%-grease {3x|6wy X&)#|/^ +NMjmXcjJYfi/B3gloItYOFPGl5OHQJRBX0UruGbC5UZUeQDDPWMqRfrSZpiWFYzJ +iDikRO3KSTQBeL+OHHZakQvQVC5rt0zQnC+HIA +--- VZ+e0jdAd2a6fp9OtJQiNageeAqbAwkHDBDujgXx/aY +-a~��%UG���v�*"F� +��<�Nڇ�q��7/�c�KhP�S��y�<]V�*�Zh�8Jq�0��Ф�'�o�ۥ�3�\�z�Sݖ��uE�-�'N�`M \ No newline at end of file diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index f98f884f4b7c..94835bb28251 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix @@ -10,8 +10,9 @@ let in { "besadii.age" = default; "buildkite-agent-token.age" = default; - "clbot.age" = default; "clbot-ssh.age" = default; + "clbot.age" = default; "gerrit-queue.age" = default; + "irccat.age" = default; "owothia.age" = default; } |