authorVincent Ambo <mail@tazj.in>2022-01-01T13·38+0300
committerclbot <clbot@tvl.fyi>2022-01-01T15·30+0000
commit2bf39d7101baaa718fd8aee7abe3eb2f793e3324 (patch)
treee25d61d8682403e51fcab76fbb9fe8654f606806 /ops
parent58c64aa81a21f4e1d280d3632af4834ec1b3041e (diff)
refactor(modules/smtprelay): Load credentials via agenix r/3509
Change-Id: I56f6887e1fd35551cfc83ad08cafebb611f4a341
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4760
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Autosubmit: tazjin <mail@tazj.in>
Diffstat (limited to 'ops')
-rw-r--r--ops/machines/whitby/default.nix1
-rw-r--r--ops/modules/smtprelay.nix21
2 files changed, 15 insertions, 7 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index e013c56196..ce97628cc3 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -214,6 +214,7 @@ in {
       nix-cache-priv.file = secretFile "nix-cache-priv";
       owothia.file = secretFile "owothia";
       panettone.file = secretFile "panettone";
+      smtprelay.file = secretFile "smtprelay";
 
       buildkite-agent-token = {
         file = secretFile "buildkite-agent-token";
diff --git a/ops/modules/smtprelay.nix b/ops/modules/smtprelay.nix
index d8e03b5794..106593fe39 100644
--- a/ops/modules/smtprelay.nix
+++ b/ops/modules/smtprelay.nix
@@ -9,32 +9,38 @@ let
     mkIf
     mkOption
     types
-;
+    ;
 
   cfg = config.services.depot.smtprelay;
   description = "Simple SMTP relay";
 
-  # Configuration values that are always overridden. In particular,
-  # `config` is specified to always load $StateDirectory/secure.config
-  # (so that passwords can be loaded from there) and logging is pinned
-  # to stdout for journald compatibility.
+  # Configuration values that are always overridden.
+  #
+  # - logging is pinned to stdout for journald compatibility
+  # - secret config is loaded through systemd's credential loading facility
   overrideArgs = {
     logfile = "";
-    config = "/var/lib/smtprelay/secure.config";
+    config = "$CREDENTIALS_DIRECTORY/secrets";
   };
 
   # Creates the command line argument string for the service.
   prepareArgs = args:
     concatStringsSep " "
-      (attrValues (mapAttrs (key: value: "-${key} '${toString value}'")
+      (attrValues (mapAttrs (key: value: "-${key} \"${toString value}\"")
                             (args // overrideArgs)));
 in {
   options.services.depot.smtprelay = {
     enable = mkEnableOption description;
+
     args = mkOption {
       type = types.attrsOf types.str;
       description = "Key value pairs for command line arguments";
     };
+
+    secretsFile = mkOption {
+      type = types.str;
+      default = "/run/agenix/smtprelay";
+    };
   };
 
   config = mkIf cfg.enable {
@@ -47,6 +53,7 @@ in {
         Restart = "always";
         StateDirectory = "smtprelay";
         DynamicUser = true;
+        LoadCredential = "secrets:${cfg.secretsFile}";
       };
     };
   };
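Review bot: The new `secretsFile` option (the `secretsFile = mkOption` block in the second hunk) has no `description`, while the sibling `args` option directly above it does; add `description = "Path of the file exposed to the service as the 'secrets' credential";`. The switch from single to double quotes in `prepareArgs` is what lets `$CREDENTIALS_DIRECTORY` be expanded, but it also makes systemd's `$`-substitution and backslash escaping apply to every user-supplied `args` value, which deserves a comment on that line such as `# double-quoted so systemd expands $CREDENTIALS_DIRECTORY; values containing $ or " are affected as well`. Whether the unbraced `$CREDENTIALS_DIRECTORY/secrets` is substituted as part of a word depends on how the `ExecStart` line is built, which lies outside this hunk; systemd's documented in-word form is `${CREDENTIALS_DIRECTORY}`, so `config = "\${CREDENTIALS_DIRECTORY}/secrets";` would be the safer spelling.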