-rw-r--r--ops/machines/whitby/default.nix1
-rw-r--r--ops/modules/smtprelay.nix21
2 files changed, 15 insertions, 7 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index e013c56196..ce97628cc3 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -214,6 +214,7 @@ in {
       nix-cache-priv.file = secretFile "nix-cache-priv";
       owothia.file = secretFile "owothia";
       panettone.file = secretFile "panettone";
+      smtprelay.file = secretFile "smtprelay";
 
       buildkite-agent-token = {
         file = secretFile "buildkite-agent-token";
diff --git a/ops/modules/smtprelay.nix b/ops/modules/smtprelay.nix
index d8e03b5794..106593fe39 100644
--- a/ops/modules/smtprelay.nix
+++ b/ops/modules/smtprelay.nix
@@ -9,32 +9,38 @@ let
     mkIf
     mkOption
     types
-;
+    ;
 
   cfg = config.services.depot.smtprelay;
   description = "Simple SMTP relay";
 
-  # Configuration values that are always overridden. In particular,
-  # `config` is specified to always load $StateDirectory/secure.config
-  # (so that passwords can be loaded from there) and logging is pinned
-  # to stdout for journald compatibility.
+  # Configuration values that are always overridden.
+  #
+  # - logging is pinned to stdout for journald compatibility
+  # - secret config is loaded through systemd's credential loading facility
   overrideArgs = {
     logfile = "";
-    config = "/var/lib/smtprelay/secure.config";
+    config = "$CREDENTIALS_DIRECTORY/secrets";
   };
 
   # Creates the command line argument string for the service.
   prepareArgs = args:
     concatStringsSep " "
-      (attrValues (mapAttrs (key: value: "-${key} '${toString value}'")
+      (attrValues (mapAttrs (key: value: "-${key} \"${toString value}\"")
                             (args // overrideArgs)));
 in {
   options.services.depot.smtprelay = {
     enable = mkEnableOption description;
+
     args = mkOption {
       type = types.attrsOf types.str;
       description = "Key value pairs for command line arguments";
     };
+
+    secretsFile = mkOption {
+      type = types.str;
+      default = "/run/agenix/smtprelay";
+    };
   };
 
   config = mkIf cfg.enable {
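Review bot: The new `secretsFile` option at the end of the options block has no `description`, so the generated module docs will not say what the file is or how it reaches the service. Suggest `description = "Path to the smtprelay secret config, handed to the service through systemd LoadCredential; must be a string path to a runtime file (e.g. an agenix output), not a Nix path literal, which would be copied into the world-readable store";` — keeping `types.str` rather than `types.path` is the right choice for exactly that reason and deserves a short comment. The change from single to double quotes in prepareArgs is presumably there so that `$CREDENTIALS_DIRECTORY` in `overrideArgs.config` gets expanded by systemd; a one-line comment such as `# double quotes: the config value references $CREDENTIALS_DIRECTORY, which must be expanded at runtime` would stop the next reader from reverting it, and it is worth noting that any other `args` value containing `$` or `"` is now affected the same way. The enclosing `let` block starts before this hunk.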
@@ -47,6 +53,7 @@ in {
         Restart = "always";
         StateDirectory = "smtprelay";
         DynamicUser = true;
+        LoadCredential = "secrets:${cfg.secretsFile}";
       };
     };
   };
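Review bot: `LoadCredential = "secrets:${cfg.secretsFile}"` replaces the old read of `/var/lib/smtprelay/secure.config`, but `StateDirectory = "smtprelay"` is kept, so a copy of the secret config left under the state directory by an earlier deployment stays on disk unreferenced; the commit should either clean it up or note that it is now stale and can be removed. A brief comment tying the two halves together would help, e.g. `# Exposed inside the unit as $CREDENTIALS_DIRECTORY/secrets, which overrideArgs.config points at.` Note that the credential ID `secrets` and the `/secrets` suffix in `overrideArgs.config` must stay in sync, and that a `:` inside `cfg.secretsFile` would be misparsed as the ID/path separator. The enclosing `serviceConfig` set starts outside this hunk.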