authortv <tv@krebsco.de>2021-12-24 00:47:41 +0100
committertv <tv@krebsco.de>2021-12-24 00:51:28 +0100
commit7219292dd59e22d94ec9d2a204a841cb44da0daa (patch)
tree08a3495afa243ab7baeec4fd1b6ab47b232f15d0 /krebs
parent71d11e8f2b377d3aade73faae129811bba922315 (diff)
repo-sync: use LoadCredential
Diffstat (limited to 'krebs')
-rw-r--r--krebs/3modules/repo-sync.nix26
1 files changed, 10 insertions, 16 deletions
diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix
index 488cc4dd8..c4cfb9a49 100644
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@@ -122,13 +122,9 @@ let
};
privateKeyFile = mkOption {
- type = types.secret-file;
- default = {
- name = "repo-sync-key";
- path = "${cfg.stateDir}/ssh.priv";
- owner = cfg.user;
- source-path = toString <secrets> + "/repo-sync.ssh.key";
- };
+ type = types.absolute-pathname;
+ default = toString <secrets> + "/repo-sync.ssh.key";
+ defaultText = "‹secrets/repo-sync.ssh.key›";
};
unitConfig = mkOption {
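Review bot: The rewritten `privateKeyFile` option has a `defaultText` but no `description`, so nothing tells a user what the path is now used for. The unit passes it to `LoadCredential`, so systemd reads the file itself and the service account no longer needs read access to the source file. I would add `description = "Absolute path to the SSH private key. It is read by systemd via LoadCredential, so it can stay owned by root with mode 0400.";`. The enclosing `let` block starts outside this hunk.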
@@ -144,7 +140,6 @@ let
};
imp = {
- krebs.secret.files.repo-sync-key = cfg.privateKeyFile;
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
@@ -163,6 +158,10 @@ let
}
) cfg.repos;
+ krebs.systemd.services = mapAttrs' (name: _:
+ nameValuePair "repo-sync-${name}" {}
+ ) cfg.repos;
+
systemd.services = mapAttrs' (name: repo:
let
repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json"
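Review bot: The empty attribute set in `nameValuePair "repo-sync-${name}" {}` gives no hint why each unit is registered under `krebs.systemd.services`, and the module that defines that option is not visible here. The same commit drops the `partOf` link to the secret service, so presumably this registration is what now makes the unit react to a changed key file; that should be confirmed and stated. A comment above the `mapAttrs'` call such as `# register with krebs.systemd so the unit is handled when its LoadCredential source changes` would be enough once verified.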
@@ -171,16 +170,10 @@ let
});
in nameValuePair "repo-sync-${name}" {
description = "repo-sync";
- after = [
- config.krebs.secret.files.repo-sync-key.service
- "network.target"
- ];
- partOf = [
- config.krebs.secret.files.repo-sync-key.service
- ];
+ after = [ "network.target" ];
environment = {
- GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.privateKeyFile.path}";
+ GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh_key";
REPONAME = "${name}.git";
};
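Review bot: `$CREDENTIALS_DIRECTORY` in the new `GIT_SSH_COMMAND` is expanded by neither Nix nor systemd's `Environment=`; it resolves only because git hands `GIT_SSH_COMMAND` to a shell, and nothing in the hunk says so. The expansion is also unquoted, so the path is subject to word splitting. I would write `GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i \"$CREDENTIALS_DIRECTORY/ssh_key\"";` and put `# expanded by the shell git spawns, not by systemd` above it. This relies on repo-sync passing its environment through to git unchanged, which is not visible here.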
@@ -188,6 +181,7 @@ let
serviceConfig = {
Type = "simple";
PermissionsStartOnly = true;
+ LoadCredential = "ssh_key:${cfg.privateKeyFile}";
ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}";
WorkingDirectory = cfg.stateDir;
User = "repo-sync";
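Review bot: `LoadCredential = "ssh_key:${cfg.privateKeyFile}";` interpolates the option directly, and in Nix interpolating a path value (as opposed to a string) copies the file into the world-readable store. The default is safe because it goes through `toString`, but whether `types.absolute-pathname` rejects a path literal set by a user is not visible in this diff. If it does not, `LoadCredential = "ssh_key:${toString cfg.privateKeyFile}";` keeps the key out of the store. `serviceConfig` continues past the end of the hunk.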