Diffstat (limited to 'ops')
-rw-r--r--ops/machines/whitby/default.nix7
-rw-r--r--ops/modules/irccat.nix16
2 files changed, 8 insertions, 15 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 381980fd37e8..41b53fa98445 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -209,6 +209,7 @@ in {
     in {
       clbot.file = secretFile "clbot";
       gerrit-queue.file = secretFile "gerrit-queue";
+      irccat.file = secretFile "irccat";
       owothia.file = secretFile "owothia";
 
       buildkite-agent-token = {
@@ -221,12 +222,6 @@ in {
         file = secretFile "clbot-ssh";
         owner = "clbot";
       };
-
-      irccat = {
-        file = secretFile "irccat";
-        mode = "0440";
-        group = "irccat";
-      };
     };
 
   # Automatically collect garbage from the Nix store.
diff --git a/ops/modules/irccat.nix b/ops/modules/irccat.nix
index 9d3eea53c073..9b4b96d3addf 100644
--- a/ops/modules/irccat.nix
+++ b/ops/modules/irccat.nix
@@ -11,15 +11,17 @@ let
   # then recursively merge it with an on-disk secret using jq on
   # service launch.
   configJson = pkgs.writeText "irccat.json" (builtins.toJSON cfg.config);
-  configMerge = pkgs.writeShellScript "merge-irccat-config" ''
-    if [ ! -f "${cfg.secretsFile}" ]; then
+  mergeAndLaunch = pkgs.writeShellScript "merge-irccat-config" ''
+    if [ ! -f "$CREDENTIALS_DIRECTORY/secrets" ]; then
       echo "irccat secrets file is missing"
       exit 1
     fi
 
     # jq's * is the recursive merge operator
-    ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} ${cfg.secretsFile} \
+    ${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configJson} "$CREDENTIALS_DIRECTORY/secrets" \
       > /var/lib/irccat/irccat.json
+
+    exec ${depot.third_party.irccat}/bin/irccat
   '';
 in {
   options.services.depot.irccat = {
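Review bot: A failing `jq` merge no longer stops the service from starting, because the script now continues to the added `exec` line and, as far as I know, `writeShellScript` does not enable errexit. The redirect truncates `/var/lib/irccat/irccat.json` before `jq` runs, so a malformed secrets file would leave irccat starting against an empty config; adding `set -euo pipefail` as the first line of the script restores the fail-closed behaviour the old `preStart` step presumably had. The merged file also holds the secrets and is written with whatever umask the unit inherits, so a `umask 077` before the `jq` line would keep it owner-only regardless of how the state directory is exposed. The derivation is still named `"merge-irccat-config"` although it now launches the daemon as well; a name matching `mergeAndLaunch` would be clearer in `systemctl status` output.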
@@ -40,20 +42,16 @@ in {
   config = lib.mkIf cfg.enable {
     systemd.services.irccat = {
       inherit description;
-      preStart = "${configMerge}";
-      script = "${depot.third_party.irccat}/bin/irccat";
       wantedBy = [ "multi-user.target" ];
 
       serviceConfig = {
+        ExecStart = "${mergeAndLaunch}";
         DynamicUser = true;
-        Group = "irccat";
         StateDirectory = "irccat";
         WorkingDirectory = "/var/lib/irccat";
+        LoadCredential = "secrets:${cfg.secretsFile}";
         Restart = "always";
       };
     };
-
-    # Create a real group to grant access to secrets to.
-    users.groups.irccat = {};
   };
 }
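Review bot: The credential ID in `LoadCredential = "secrets:${cfg.secretsFile}";` has to match the literal `$CREDENTIALS_DIRECTORY/secrets` path used in the launch script, and nothing in the file says so. The removed comment about the real group was the only explanation of how the service gets at its secret, so a replacement is worth adding above the `LoadCredential` line, for example `# systemd reads the secret file itself and exposes it to the dynamic user as $CREDENTIALS_DIRECTORY/secrets; keep the ID in sync with mergeAndLaunch.` Binding the ID once in the `let` block and interpolating it in both places would remove the duplication entirely.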