From 2bf39d7101baaa718fd8aee7abe3eb2f793e3324 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Sat, 1 Jan 2022 16:38:14 +0300
Subject: refactor(modules/smtprelay): Load credentials via agenix

Change-Id: I56f6887e1fd35551cfc83ad08cafebb611f4a341
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4760
Tested-by: BuildkiteCI
Reviewed-by: sterni
Reviewed-by: Profpatsch
Autosubmit: tazjin
---
 ops/machines/whitby/default.nix | 1 +
 ops/modules/smtprelay.nix | 21 ++++++++++++++-------
 2 files changed, 15 insertions(+), 7 deletions(-)

(limited to 'ops')

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index e013c56196..ce97628cc3 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -214,6 +214,7 @@ in {
 nix-cache-priv.file = secretFile "nix-cache-priv";
 owothia.file = secretFile "owothia";
 panettone.file = secretFile "panettone";
+ smtprelay.file = secretFile "smtprelay";
 
 buildkite-agent-token = {
 file = secretFile "buildkite-agent-token";
diff --git a/ops/modules/smtprelay.nix b/ops/modules/smtprelay.nix
index d8e03b5794..106593fe39 100644
--- a/ops/modules/smtprelay.nix
+++ b/ops/modules/smtprelay.nix
@@ -9,32 +9,38 @@ let
 mkIf
 mkOption
 types
-;
+ ;
 
 cfg = config.services.depot.smtprelay;
 description = "Simple SMTP relay";
 
- # Configuration values that are always overridden. In particular,
- # `config` is specified to always load $StateDirectory/secure.config
- # (so that passwords can be loaded from there) and logging is pinned
- # to stdout for journald compatibility.
+ # Configuration values that are always overridden.
+ #
+ # - logging is pinned to stdout for journald compatibility
+ # - secret config is loaded through systemd's credential loading facility
 overrideArgs = {
 logfile = "";
- config = "/var/lib/smtprelay/secure.config";
+ config = "$CREDENTIALS_DIRECTORY/secrets";
 };
 
 # Creates the command line argument string for the service.
 prepareArgs = args:
 concatStringsSep " "
- (attrValues (mapAttrs (key: value: "-${key} '${toString value}'")
+ (attrValues (mapAttrs (key: value: "-${key} \"${toString value}\"")
 (args // overrideArgs)));
 in {
 options.services.depot.smtprelay = {
 enable = mkEnableOption description;
+
 args = mkOption {
 type = types.attrsOf types.str;
 description = "Key value pairs for command line arguments";
 };
+
+ secretsFile = mkOption {
+ type = types.str;
+ default = "/run/agenix/smtprelay";
+ };
 };
 
 config = mkIf cfg.enable {
@@ -47,6 +53,7 @@ in {
 Restart = "always";
 StateDirectory = "smtprelay";
 DynamicUser = true;
+ LoadCredential = "secrets:${cfg.secretsFile}";
 };
 };
 };
-- 
cgit 1.4.1
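Review bot: Switching the quoting in `prepareArgs` from `'…'` to `\"…\"` so that `$CREDENTIALS_DIRECTORY` in the `config` override is expanded also applies that expansion to every value from `cfg.args`, and neither quoting style escapes the value itself, so a double quote, `$` or backslash in any user-supplied argument now changes the parsed command line instead of being passed literally. Escape the user arguments and leave only the override unescaped, e.g. `(key: value: if key == "config" then "-config \"${toString value}\"" else "-${key} ${escapeShellArg (toString value)}")`, with `escapeShellArg` added to the `inherit (lib)` list at the top of the file. The `ExecStart` line that consumes this string is outside the hunk; if it is not run through a shell, systemd documents `${VAR}` as the form that is substituted inside a word while `$VAR` is only substituted as a word of its own, so `"\${CREDENTIALS_DIRECTORY}/secrets"` is the spelling that works either way — worth confirming on the deployed unit. The new `secretsFile` option also has no `description`; `description = "Path to the smtprelay secret config, passed to the service via LoadCredential";` would do.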