Diffstat (limited to 'ops/modules')
-rw-r--r--ops/modules/irccat.nix14
1 files changed, 12 insertions, 2 deletions
diff --git a/ops/modules/irccat.nix b/ops/modules/irccat.nix
index e4b30b73553e..9d3eea53c073 100644
--- a/ops/modules/irccat.nix
+++ b/ops/modules/irccat.nix
@@ -12,13 +12,13 @@ let
   # service launch.
   configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config);
   configMerge = pkgs.writeShellScript "merge-irccat-config" ''
-    if [ ! -f "/etc/secrets/irccat.json" ]; then
+    if [ ! -f "${cfg.secretsFile}" ]; then
       echo "irccat secrets file is missing"
       exit 1
     fi
 
     # jq's * is the recursive merge operator
-    ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} /etc/secrets/irccat.json \
+    ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} ${cfg.secretsFile} \
       > /var/lib/irccat/irccat.json
   '';
 in {
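Review bot: The new `${cfg.secretsFile}` is double-quoted in the `-f` test but interpolated bare on the jq line, so a configured path containing whitespace or shell metacharacters would pass the existence check and then be split or expanded when jq runs. Now that the path is a settable option rather than a fixed literal, both uses should be escaped the same way, for example `if [ ! -f ${lib.escapeShellArg cfg.secretsFile} ]; then` and `${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} ${lib.escapeShellArg cfg.secretsFile} \`. The enclosing `let` block begins above this hunk, so how `configMerge` is invoked is not visible here.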
@@ -29,6 +29,12 @@ in {
       type = lib.types.attrs; # varying value types
       description = "Configuration structure (unchecked!)";
     };
+
+    secretsFile = lib.mkOption {
+      type = lib.types.str;
+      description = "Path to the secrets file to be merged";
+      default = "/run/agenix/irccat";
+    };
   };
 
   config = lib.mkIf cfg.enable {
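Review bot: The `secretsFile` description does not state the constraints the rest of the change depends on: the file is read at service start, must be JSON that jq can merge, and must be readable by the `irccat` group. I would expand it to something like `description = "Runtime path to a JSON secrets file merged over the generated config at service start; must be readable by the irccat group and must not be a Nix store path.";`. Keeping `lib.types.str` looks right for this, since a Nix path literal would presumably be copied into the world-readable store when interpolated; a short comment saying so would stop a later change to `types.path`. The default also appears to assume an agenix secret named `irccat` is declared elsewhere, which is worth mentioning in the description.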
@@ -40,10 +46,14 @@ in {
 
       serviceConfig = {
         DynamicUser = true;
+        Group = "irccat";
         StateDirectory = "irccat";
         WorkingDirectory = "/var/lib/irccat";
         Restart = "always";
       };
     };
+
+    # Create a real group to grant access to secrets to.
+    users.groups.irccat = {};
   };
 }
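Review bot: The comment on `users.groups.irccat` says the group exists to grant access to secrets, but nothing in this module sets the group or mode of the secrets file, so the service only works if the secret is configured elsewhere with group `irccat` and a group-readable mode. I would spell that out in the comment, for example `# Static group for the DynamicUser service; the file at cfg.secretsFile must be group irccat, mode 0440.`. A static group also means any other account or unit placed in `irccat` can read the secret; systemd's `LoadCredential=` might let the file stay root-only instead, if the merge script can read from `$CREDENTIALS_DIRECTORY`. The `serviceConfig` block's enclosing service definition starts above this hunk.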