diff options
Diffstat (limited to 'ops')
-rw-r--r-- | ops/machines/whitby/default.nix | 7 | ||||
-rw-r--r-- | ops/modules/irccat.nix | 16 |
2 files changed, 8 insertions, 15 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix index 381980fd37e8..41b53fa98445 100644 --- a/ops/machines/whitby/default.nix +++ b/ops/machines/whitby/default.nix @@ -209,6 +209,7 @@ in { in { clbot.file = secretFile "clbot"; gerrit-queue.file = secretFile "gerrit-queue"; + irccat.file = secretFile "irccat"; owothia.file = secretFile "owothia"; buildkite-agent-token = { @@ -221,12 +222,6 @@ in { file = secretFile "clbot-ssh"; owner = "clbot"; }; - - irccat = { - file = secretFile "irccat"; - mode = "0440"; - group = "irccat"; - }; }; # Automatically collect garbage from the Nix store. diff --git a/ops/modules/irccat.nix b/ops/modules/irccat.nix index 9d3eea53c073..9b4b96d3addf 100644 --- a/ops/modules/irccat.nix +++ b/ops/modules/irccat.nix @@ -11,15 +11,17 @@ let # then recursively merge it with an on-disk secret using jq on # service launch. configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config); - configMerge = pkgs.writeShellScript "merge-irccat-config" '' - if [ ! -f "${cfg.secretsFile}" ]; then + mergeAndLaunch = pkgs.writeShellScript "merge-irccat-config" '' + if [ ! -f "$CREDENTIALS_DIRECTORY/secrets" ]; then echo "irccat secrets file is missing" exit 1 fi # jq's * is the recursive merge operator - ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} ${cfg.secretsFile} \ + ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} "$CREDENTIALS_DIRECTORY/secrets" \ > /var/lib/irccat/irccat.json + + exec ${depot.third_party.irccat}/bin/irccat ''; in { options.services.depot.irccat = { @@ -40,20 +42,16 @@ in { config = lib.mkIf cfg.enable { systemd.services.irccat = { inherit description; - preStart = "${configMerge}"; - script = "${depot.third_party.irccat}/bin/irccat"; wantedBy = [ "multi-user.target" ]; serviceConfig = { + ExecStart = "${mergeAndLaunch}"; DynamicUser = true; - Group = "irccat"; StateDirectory = "irccat"; WorkingDirectory = "/var/lib/irccat"; + LoadCredential = "secrets:${cfg.secretsFile}"; Restart = "always"; }; }; - - # Create a real group to grant access to secrets to. - users.groups.irccat = {}; }; } |