diff options
author | tv <tv@krebsco.de> | 2021-12-24 00:47:41 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2021-12-24 00:51:28 +0100 |
commit | 7219292dd59e22d94ec9d2a204a841cb44da0daa (patch) | |
tree | 08a3495afa243ab7baeec4fd1b6ab47b232f15d0 /krebs | |
parent | 71d11e8f2b377d3aade73faae129811bba922315 (diff) |
repo-sync: use LoadCredential
Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/3modules/repo-sync.nix | 26 |
1 files changed, 10 insertions, 16 deletions
diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix index 488cc4dd8..c4cfb9a49 100644 --- a/krebs/3modules/repo-sync.nix +++ b/krebs/3modules/repo-sync.nix @@ -122,13 +122,9 @@ let }; privateKeyFile = mkOption { - type = types.secret-file; - default = { - name = "repo-sync-key"; - path = "${cfg.stateDir}/ssh.priv"; - owner = cfg.user; - source-path = toString <secrets> + "/repo-sync.ssh.key"; - }; + type = types.absolute-pathname; + default = toString <secrets> + "/repo-sync.ssh.key"; + defaultText = "‹secrets/repo-sync.ssh.key›"; }; unitConfig = mkOption { @@ -144,7 +140,6 @@ let }; imp = { - krebs.secret.files.repo-sync-key = cfg.privateKeyFile; users.users.${cfg.user.name} = { inherit (cfg.user) home name uid; createHome = true; @@ -163,6 +158,10 @@ let } ) cfg.repos; + krebs.systemd.services = mapAttrs' (name: _: + nameValuePair "repo-sync-${name}" {} + ) cfg.repos; + systemd.services = mapAttrs' (name: repo: let repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json" @@ -171,16 +170,10 @@ let }); in nameValuePair "repo-sync-${name}" { description = "repo-sync"; - after = [ - config.krebs.secret.files.repo-sync-key.service - "network.target" - ]; - partOf = [ - config.krebs.secret.files.repo-sync-key.service - ]; + after = [ "network.target" ]; environment = { - GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.privateKeyFile.path}"; + GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh_key"; REPONAME = "${name}.git"; }; @@ -188,6 +181,7 @@ let serviceConfig = { Type = "simple"; PermissionsStartOnly = true; + LoadCredential = "ssh_key:${cfg.privateKeyFile}"; ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}"; WorkingDirectory = cfg.stateDir; User = "repo-sync"; |