cluster/services/attic: switch to locksmith secrets

2024-07-10 23:54:07 +02:00 · 2024-07-10 23:54:07 +02:00 · e73a340ff0
commit e73a340ff0
parent a8041ec87f
3 changed files with 8 additions and 6 deletions
--- a/cluster/secrets/attic-s3Credentials.age
+++ b/cluster/secrets/attic-s3Credentials.age
--- a/cluster/services/attic/default.nix
+++ b/cluster/services/attic/default.nix
@ -22,15 +22,15 @@
        nodes = nodes.server;
        owner = "atticd";
      };
-      s3Credentials = {
-        nodes = nodes.server;
-        owner = "atticd";
-      };
    };
  };

  garage = {
-    keys.attic = { };
+    keys.attic.locksmith = {
+      nodes = config.services.attic.nodes.server;
+      owner = "atticd";
+      format = "aws";
+    };
    buckets.attic = {
      allow.attic = [ "read" "write" ];
    };
--- a/cluster/services/attic/server.nix
+++ b/cluster/services/attic/server.nix
@ -11,6 +11,8 @@ in

  links.atticServer.protocol = "http";

+  services.locksmith.waitForSecrets.atticd = [ "garage-attic" ];
+
  services.atticd = {
    enable = true;

@ -60,7 +62,7 @@ in
      DynamicUser = lib.mkForce false;
    };
    environment = {
-      AWS_SHARED_CREDENTIALS_FILE = secrets.s3Credentials.path;
+      AWS_SHARED_CREDENTIALS_FILE = "/run/locksmith/garage-attic";
      PGPASSFILE = secrets.dbCredentials.path;
    };
  };