diff options
| author | Vincent Ambo <mail@tazj.in> | 2020-11-08T01·41+0100 |
|---|---|---|
| committer | tazjin <mail@tazj.in> | 2020-11-08T18·38+0000 |
| commit | cbfcf14301cc9f2f8b5dff467b686acd5310fc46 (patch) | |
| tree | 6e9281fca52a9e396deab7a621aa98d43abff1a1 /ops | |
| parent | 8a6d00aceb48d428a1d12d06f2db62dcccb4ae13 (diff) | |
feat(ops/irccat): Add a NixOS module for launching irccat r/1875
This module configures irccat by creating a JSON configuration file from a user-supplied Nix struct (this is not checked for correctness), and merging it recursively with secrets from `/etc/secrets/irccat.json` at service launch time. This way we get the ability to configure (most) options declaratively via Nix, while providing the secrets outside of Nix. Side note: We need to figure out a secrets distribution mechanism. Tested: Wrote a dummy config in whitby/default.nix locally and checked that this builds, but I have not actually run the service yet. I expect that some minor tweaks will end up being necessary. Change-Id: I02a2e8dc40a7f8417fd77afcf8a12ac3df117988 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2074 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: glittershark <grfn@gws.fyi>
Diffstat (limited to 'ops')
| -rw-r--r-- | ops/nixos/irccat.nix | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/ops/nixos/irccat.nix b/ops/nixos/irccat.nix new file mode 100644 index 0000000000..68735e4ce5 --- /dev/null +++ b/ops/nixos/irccat.nix @@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.depot.irccat; + description = "irccat - forward messages to IRC"; + + # irccat expects to read its configuration from the *current + # directory*, and its configuration contains secrets. + # + # To make this work we construct the JSON configuration file and + # then recursively merge it with an on-disk secret using jq on + # service launch. + configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config); + configMerge = pkgs.writeShellScript "merge-irccat-config" '' + if [ ! -f "/etc/secrets/irccat.json" ]; then + echo "irccat secrets file is missing" + exit 1 + fi + + # jq's * is the recursive merge operator + ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} /etc/secrets/irccat.json \ + > /var/lib/irccat/irccat.json + ''; +in { + options.services.depot.irccat = { + enable = lib.mkEnableOption description; + + config = lib.mkOption { + type = lib.types.attrs; # varying value types + description = "Configuration structure (unchecked!)"; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.irccat = { + inherit description; + preStart = "${configMerge}"; + script = "${config.depot.third_party.irccat}/bin/irccat"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + DynamicUser = true; + StateDirectory = "irccat"; + WorkingDirectory = "/var/lib/irccat"; + Restart = "always"; + }; + }; + }; +} |