authorVincent Ambo <mail@tazj.in>2023-06-18T12·25+0300
committertazjin <tazjin@tvl.su>2023-06-18T12·43+0000
commit507cd852646b7b6427fd56dd4657154e2661e93c (patch)
tree7fc6b4654aa5924cbf0f3c795dfde1d5364b1c18 /users/tazjin/nixos
parent332a821100be288863ad0bac5f655ed512e4fd19 (diff)
feat(tazjin/koptevo): deploy tgsa r/6328
The main instance is still running on polyanka, but things are moving
in this direction.

Change-Id: Idfa9e508023c05148003ac4621ae01dceb284c66
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8827
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Diffstat (limited to 'users/tazjin/nixos')
-rw-r--r--users/tazjin/nixos/koptevo/default.nix10
-rw-r--r--users/tazjin/nixos/modules/tgsa.nix8
2 files changed, 16 insertions, 2 deletions
diff --git a/users/tazjin/nixos/koptevo/default.nix b/users/tazjin/nixos/koptevo/default.nix
index 41bf044487..162b43cd3c 100644
--- a/users/tazjin/nixos/koptevo/default.nix
+++ b/users/tazjin/nixos/koptevo/default.nix
@@ -13,6 +13,8 @@ in
     (mod "www/base.nix")
     (mod "www/tazj.in.nix")
     (usermod "predlozhnik.nix")
+    (usermod "tgsa.nix")
+    (depot.third_party.agenix.src + "/modules/age.nix")
   ];
 
   boot = {
@@ -79,6 +81,14 @@ in
     openssh.authorizedKeys.keys = depot.users.tazjin.keys.all;
   };
 
+  age.secrets =
+    let
+      secretFile = name: depot.users.tazjin.secrets."${name}.age";
+    in
+    {
+      tgsa-yandex.file = secretFile "tgsa-yandex";
+    };
+
   security.sudo.wheelNeedsPassword = false;
 
   services.openssh.enable = true;
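Review bot: The new `age.secrets.tgsa-yandex` entry sets only `file`, so whatever owner and mode agenix applies by default (root-owned and unreadable to other users, if I recall its defaults correctly) determine who can read the decrypted secret. That is presumably intentional because the consumer is a `LoadCredential=` source, which systemd reads as root before the DynamicUser service starts, but nothing here says so; a one-line comment such as `# no owner/mode: consumed via systemd LoadCredential, which reads it as root` would stop a later reader from "fixing" it by adding an `owner`. The `secretFile` helper is bound in a `let` for a single use; it reads fine but could be inlined if no further secrets are planned here.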
diff --git a/users/tazjin/nixos/modules/tgsa.nix b/users/tazjin/nixos/modules/tgsa.nix
index 9953ab03ac..e162e0d822 100644
--- a/users/tazjin/nixos/modules/tgsa.nix
+++ b/users/tazjin/nixos/modules/tgsa.nix
@@ -6,11 +6,15 @@
     wantedBy = [ "multi-user.target" ];
 
     serviceConfig = {
-      EnvironmentFile = "/root/tgsa-env"; # TODO(tazjin): automate this
       DynamicUser = true;
       Restart = "always";
-      ExecStart = "${depot.users.tazjin.tgsa}/bin/tgsa";
+      LoadCredential = "tgsa-yandex.json:/run/agenix/tgsa-yandex";
     };
+
+    script = ''
+      export YANDEX_KEY_FILE="''${CREDENTIALS_DIRECTORY}/tgsa-yandex.json"
+      ${depot.users.tazjin.tgsa}/bin/tgsa
+    '';
   };
 
   services.nginx.virtualHosts."tgsa" = {
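Review bot: `LoadCredential = "tgsa-yandex.json:/run/agenix/tgsa-yandex"` hard-codes agenix's output path instead of deriving it from the secret declared on the host, so the module silently depends on the koptevo hunk's `age.secrets.tgsa-yandex` existing and on agenix keeping that directory layout; if `config` is in scope in this module (its header is outside the hunk), `LoadCredential = "tgsa-yandex.json:${config.age.secrets.tgsa-yandex.path}";` makes the coupling explicit and fails at evaluation time rather than at service start. In the `script` body, the binary is run as a child of the wrapper shell; `exec ${depot.users.tazjin.tgsa}/bin/tgsa` would make tgsa the main PID so signals and the exit status reach it directly. Since `EnvironmentFile = "/root/tgsa-env"` is dropped, the old plaintext file presumably still exists on the host and should be removed once the deployment is verified, and any variable it carried other than the key file is no longer set for the service.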