From 507cd852646b7b6427fd56dd4657154e2661e93c Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Sun, 18 Jun 2023 15:25:45 +0300
Subject: feat(tazjin/koptevo): deploy tgsa

The main instance is still running on polyanka, but things are moving in this direction.

Change-Id: Idfa9e508023c05148003ac4621ae01dceb284c66
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8827
Reviewed-by: tazjin
Tested-by: BuildkiteCI
---
 users/tazjin/nixos/koptevo/default.nix | 10 ++++++++++
 users/tazjin/nixos/modules/tgsa.nix | 8 ++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/users/tazjin/nixos/koptevo/default.nix b/users/tazjin/nixos/koptevo/default.nix
index 41bf04448712..162b43cd3cf9 100644
--- a/users/tazjin/nixos/koptevo/default.nix
+++ b/users/tazjin/nixos/koptevo/default.nix
@@ -13,6 +13,8 @@ in
 (mod "www/base.nix")
 (mod "www/tazj.in.nix")
 (usermod "predlozhnik.nix")
+ (usermod "tgsa.nix")
+ (depot.third_party.agenix.src + "/modules/age.nix")
 ];
 
 boot = {
@@ -79,6 +81,14 @@ in
 openssh.authorizedKeys.keys = depot.users.tazjin.keys.all;
 };
 
+ age.secrets =
+ let
+ secretFile = name: depot.users.tazjin.secrets."${name}.age";
+ in
+ {
+ tgsa-yandex.file = secretFile "tgsa-yandex";
+ };
+
 security.sudo.wheelNeedsPassword = false;
 services.openssh.enable = true;
 
diff --git a/users/tazjin/nixos/modules/tgsa.nix b/users/tazjin/nixos/modules/tgsa.nix
index 9953ab03acae..e162e0d8228f 100644
--- a/users/tazjin/nixos/modules/tgsa.nix
+++ b/users/tazjin/nixos/modules/tgsa.nix
@@ -6,11 +6,15 @@
 wantedBy = [ "multi-user.target" ];
 
 serviceConfig = {
- EnvironmentFile = "/root/tgsa-env"; # TODO(tazjin): automate this
 DynamicUser = true;
 Restart = "always";
- ExecStart = "${depot.users.tazjin.tgsa}/bin/tgsa";
+ LoadCredential = "tgsa-yandex.json:/run/agenix/tgsa-yandex";
 };
+
+ script = ''
+ export YANDEX_KEY_FILE="''${CREDENTIALS_DIRECTORY}/tgsa-yandex.json"
+ ${depot.users.tazjin.tgsa}/bin/tgsa
+ '';
 };
 
 services.nginx.virtualHosts."tgsa" = {
-- 
cgit 1.4.1
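Review bot: The source path in `LoadCredential = "tgsa-yandex.json:/run/agenix/tgsa-yandex"` hard-codes the agenix output location, while the secret itself is declared under `age.secrets.tgsa-yandex` in koptevo/default.nix; if either side is renamed the unit only fails at start, with no evaluation-time error. Referencing the declared path instead, `LoadCredential = "tgsa-yandex.json:${config.age.secrets.tgsa-yandex.path}";`, ties the two together and lets Nix reject a mismatch (assuming `config` is available in this module's argument set, which the hunk does not show). The reason for going through LoadCredential rather than reading /run/agenix directly is also worth a comment next to it, e.g. `# DynamicUser cannot read the root-owned agenix file; systemd copies it into $CREDENTIALS_DIRECTORY for the service user`. Since the commit drops `EnvironmentFile = "/root/tgsa-env"` entirely, anything beyond the Yandex key that file supplied is no longer set — presumably only the key was in it, but confirm. The enclosing `systemd.services` block starts before and continues past this hunk.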