From 5df59d2c7f5b256abc1013e58cf04c9b0362ac5d Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Sat, 30 Sep 2023 22:24:21 +0300
Subject: feat(tazjin/nixos): add geesefs mount unit for koptevo ... ... this will make sense soon!
Change-Id: I1f8f32d655afdf868fff4bd09e1fea2943fd7558
Reviewed-on: https://cl.tvl.fyi/c/depot/+/9496
Tested-by: BuildkiteCI
Reviewed-by: tazjin
---
 users/tazjin/nixos/koptevo/default.nix | 1 +
 users/tazjin/nixos/modules/geesefs.nix | 37 ++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 users/tazjin/nixos/modules/geesefs.nix
diff --git a/users/tazjin/nixos/koptevo/default.nix b/users/tazjin/nixos/koptevo/default.nix
index dba8550da051..11bbfde138aa 100644
--- a/users/tazjin/nixos/koptevo/default.nix
+++ b/users/tazjin/nixos/koptevo/default.nix
@@ -15,6 +15,7 @@ in
 (usermod "monica.nix")
 (usermod "predlozhnik.nix")
 (usermod "tgsa.nix")
+ (usermod "geesefs.nix")
 (depot.third_party.agenix.src + "/modules/age.nix")
 ];
diff --git a/users/tazjin/nixos/modules/geesefs.nix b/users/tazjin/nixos/modules/geesefs.nix
new file mode 100644
index 000000000000..1d4273f7fc59
--- /dev/null
+++ b/users/tazjin/nixos/modules/geesefs.nix
@@ -0,0 +1,37 @@
+{ depot, pkgs, ... }:
+
+{
+ imports = [
+ (depot.third_party.agenix.src + "/modules/age.nix")
+ ];
+
+ age.secrets.geesefs-tazjins-files.file = depot.users.tazjin.secrets."geesefs-tazjins-files.age";
+ programs.fuse.userAllowOther = true;
+
+ systemd.services.geesefs = {
+ description = "geesefs @ tazjins-files";
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.fuse ];
+
+ serviceConfig = {
+ # TODO: can't get fusermount to work for non-root users (e.g. DynamicUser) here, why?
+
+ Restart = "always";
+ LoadCredential = "geesefs-tazjins-files:/run/agenix/geesefs-tazjins-files";
+ StateDirectory = "geesefs";
+ };
+
+ script = ''
+ set -u # bail out if systemd is misconfigured ...
+ set -x
+
+ mkdir -p $STATE_DIRECTORY/tazjins-files $STATE_DIRECTORY/cache
+
+ ${depot.third_party.geesefs}/bin/geesefs \
+ -f -o allow_other \
+ --cache $STATE_DIRECTORY/cache \
+ --shared-config $CREDENTIALS_DIRECTORY/geesefs-tazjins-files \
+ tazjins-files $STATE_DIRECTORY/tazjins-files
+ '';
+ };
+}
--
cgit 1.4.1
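Review bot: `programs.fuse.userAllowOther = true;` is a host-wide switch that lets any unprivileged user's FUSE mount pass `allow_other`, yet per the TODO in `serviceConfig` this unit sets no `User`/`DynamicUser` and so runs as root, which presumably does not need it; consider dropping the line until the non-root setup works. With `-o allow_other` on a root-run mount, every local account can reach the bucket contents unless the reported ownership and mode or the parent directory say otherwise, so if only specific services should read it, something like `StateDirectoryMode = "0750";` plus a dedicated group would narrow the exposure. The hard-coded `/run/agenix/geesefs-tazjins-files` in `LoadCredential` could become `"geesefs-tazjins-files:${config.age.secrets.geesefs-tazjins-files.path}"` once `config` is added to the module arguments, so the unit follows the agenix secrets directory instead of assuming it. A short comment above `allow_other` stating who is meant to read the mount would also help the next reviewer judge whether the exposure is intended.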