about summary refs log tree commit diff
path: root/ops/modules/irccat.nix
diff options
context:
space:
mode:
Diffstat (limited to 'ops/modules/irccat.nix')
-rw-r--r--ops/modules/irccat.nix16
1 files changed, 7 insertions, 9 deletions
diff --git a/ops/modules/irccat.nix b/ops/modules/irccat.nix
index 9d3eea53c073..9b4b96d3addf 100644
--- a/ops/modules/irccat.nix
+++ b/ops/modules/irccat.nix
@@ -11,15 +11,17 @@ let
   # then recursively merge it with an on-disk secret using jq on
   # service launch.
   configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config);
-  configMerge = pkgs.writeShellScript "merge-irccat-config" ''
-    if [ ! -f "${cfg.secretsFile}" ]; then
+  mergeAndLaunch = pkgs.writeShellScript "merge-irccat-config" ''
+    if [ ! -f "$CREDENTIALS_DIRECTORY/secrets" ]; then
       echo "irccat secrets file is missing"
       exit 1
     fi
 
     # jq's * is the recursive merge operator
-    ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} ${cfg.secretsFile} \
+    ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} "$CREDENTIALS_DIRECTORY/secrets" \
       > /var/lib/irccat/irccat.json
+
+    exec ${depot.third_party.irccat}/bin/irccat
   '';
 in {
   options.services.depot.irccat = {
@@ -40,20 +42,16 @@ in {
   config = lib.mkIf cfg.enable {
     systemd.services.irccat = {
       inherit description;
-      preStart = "${configMerge}";
-      script = "${depot.third_party.irccat}/bin/irccat";
       wantedBy = [ "multi-user.target" ];
 
       serviceConfig = {
+        ExecStart = "${mergeAndLaunch}";
         DynamicUser = true;
-        Group = "irccat";
         StateDirectory = "irccat";
         WorkingDirectory = "/var/lib/irccat";
+        LoadCredential = "secrets:${cfg.secretsFile}";
         Restart = "always";
       };
     };
-
-    # Create a real group to grant access to secrets to.
-    users.groups.irccat = {};
   };
 }
generated by cgit-pink 1.4.1 (git 2.44.2) at 2024-11-01T19ยท56+0000