-rw-r--r-- | ops/machines/whitby/default.nix | 8 | ||||
-rw-r--r-- | ops/modules/journaldriver.nix | 26 |
2 files changed, 27 insertions, 7 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 1d0096abff1f..9f1a0a1914f9 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -13,6 +13,7 @@ in
 "${depot.path}/ops/modules/gerrit-queue.nix"
 "${depot.path}/ops/modules/irccat.nix"
 "${depot.path}/ops/modules/josh.nix"
+ "${depot.path}/ops/modules/journaldriver.nix"
 "${depot.path}/ops/modules/known-hosts.nix"
 "${depot.path}/ops/modules/monorepo-gerrit.nix"
 "${depot.path}/ops/modules/nixery.nix"
@@ -481,13 +482,6 @@ in
 ops.deploy-whitby
 ]);
 
- services.journaldriver = {
- enable = true;
- googleCloudProject = "tvl-fyi";
- logStream = "whitby";
- applicationCredentials = "/var/lib/journaldriver/key.json";
- };
-
 # Required for prometheus to be able to scrape stats
 services.nginx.statusPage = true;
 
diff --git a/ops/modules/journaldriver.nix b/ops/modules/journaldriver.nix
new file mode 100644
index 000000000000..0d6b0bcc7f63
--- /dev/null
+++ b/ops/modules/journaldriver.nix
@@ -0,0 +1,26 @@
+# Configures journaldriver to forward to the tvl-fyi GCP project from
+# TVL machines.
+{ config, depot, lib, pkgs, ... }:
+
+{
+ imports = [
+ (depot.third_party.agenix.src + "/modules/age.nix")
+ ];
+
+ age.secrets.journaldriver.file = depot.ops.secrets."journaldriver.age";
+
+ services.journaldriver = {
+ enable = true;
+ googleCloudProject = "tvl-fyi";
+ logStream = config.networking.hostName;
+ };
+
+ # Override the systemd service defined in the nixpkgs module to use
+ # the credentials provided by agenix.
+ systemd.services.journaldriver = {
+ serviceConfig = {
+ LoadCredential = "journaldriver.json:/run/agenix/journaldriver";
+ ExecStart = lib.mkForce "${pkgs.coreutils}/bin/env GOOGLE_APPLICATION_CREDENTIALS=\"\${CREDENTIALS_DIRECTORY}/journaldriver.json\" ${depot.ops.journaldriver}/bin/journaldriver";
+ };
+ };
+} |
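Review bot: In the new `ops/modules/journaldriver.nix`, `LoadCredential` hard-codes `/run/agenix/journaldriver`, duplicating the location agenix already exposes for this secret; writing it as `LoadCredential = "journaldriver.json:${config.age.secrets.journaldriver.path}";` keeps the unit correct if the secret is renamed or the agenix secrets directory changes. The module is written to be shared across TVL machines while `logStream` is per-host, so every host able to decrypt `journaldriver.age` would hold the same service-account key. That key should presumably be limited to log writing, and the secret's recipient list kept to the hosts that import this module. The whitby hunk drops `applicationCredentials = "/var/lib/journaldriver/key.json"`, but the diff does not show that plaintext key file being deleted or the key rotated, which is worth recording in the commit description. The comment above `systemd.services.journaldriver` could also state that `lib.mkForce` replaces the whole `ExecStart` from the nixpkgs module, so later changes to the upstream command line will not be picked up.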