Cluster secrets #100
3 changed files with 6 additions and 8 deletions
@ -12,11 +12,6 @@ let
in
in
{
{
vars = {
vars = {
ircPeerKey = {
file = ./irc-peer-key.age;
owner = "ngircd";
group = "ngircd";
};
ircOpers = [ "max" "num" "ark" ];
ircOpers = [ "max" "num" "ark" ];
};
};
hostLinks = lib.genAttrs config.services.irc.nodes.host (name: {
hostLinks = lib.genAttrs config.services.irc.nodes.host (name: {
@ -50,6 +45,11 @@ in
./irc-host.nix
./irc-host.nix
];
];
};
};
secrets.peerKey = {
nodes = config.services.irc.nodes.host;
owner = "ngircd";
services = [ "ngircd" ];
};
};
};
monitoring.blackbox.targets = {
monitoring.blackbox.targets = {
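Review bot: The cluster-level `secrets.peerKey` added in the second hunk sets `owner = "ngircd"` but drops the `group = "ngircd"` that the removed `vars.ircPeerKey` definition in the first hunk carried. If the cluster secrets option does not default the group to the owner, the decrypted file may end up with a different group than before; that is still readable by the owner under an owner-only mode, but it is a change worth making explicit rather than inheriting silently. Adding `group = "ngircd";` next to `owner` keeps the previous ownership visible in the definition. Whether `services = [ "ngircd" ]` is meant to take over the restart-on-rotation behaviour is not visible from this file; see the note on the third hunk.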
@ -93,17 +93,15 @@ in {
auth required ${pkgs.kanidm}/lib/pam_kanidm.so
auth required ${pkgs.kanidm}/lib/pam_kanidm.so
'';
'';
};
};
age.secrets = { inherit (vars) ircPeerKey; };
systemd.services.ngircd = {
systemd.services.ngircd = {
after = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
after = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
wants = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
wants = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
restartTriggers = [ "${config.age.secrets.ircPeerKey.file}" ];
serviceConfig.RuntimeDirectory = "ngircd";
serviceConfig.RuntimeDirectory = "ngircd";
preStart = ''
preStart = ''
install -d -m700 /run/ngircd/secrets
install -d -m700 /run/ngircd/secrets
for cfg in ${builtins.concatStringsSep " " otherServerFiles}; do
for cfg in ${builtins.concatStringsSep " " otherServerFiles}; do
install -m600 $cfg /run/ngircd/secrets/
install -m600 $cfg /run/ngircd/secrets/
${pkgs.replace-secret}/bin/replace-secret '@PEER_PASSWORD@' '${config.age.secrets.ircPeerKey.path}' /run/ngircd/secrets/$(basename $cfg)
${pkgs.replace-secret}/bin/replace-secret '@PEER_PASSWORD@' '${cluster.config.services.irc.secrets.peerKey.path}' /run/ngircd/secrets/$(basename $cfg)
done
done
'';
'';
};
};
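Review bot: The `restartTriggers` entry keyed on the old secret file is removed without a replacement, so after this change a rotated peer key no longer restarts ngircd; `preStart` only re-runs `replace-secret` on a restart, so the running daemon keeps the old `@PEER_PASSWORD@` until something else restarts it. If the cluster secret exposes the encrypted source file the way the old `.file` attribute did, restoring `restartTriggers = [ "<encrypted-file attribute of cluster.config.services.irc.secrets.peerKey>" ];` keeps rotation effective, whereas the runtime `.path` string used on the new `replace-secret` line does not change when the file contents do. Possibly the `services = [ "ngircd" ]` list on the cluster secret definition handles this; if so, a one-line comment such as `# restart on key rotation is driven by the cluster secret's services list` next to `systemd.services.ngircd` would save the next reader the question. The `cluster` argument used in the new `replace-secret` line is bound in the module's function header, which starts outside this hunk.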
|
||||||
|
|
Loading…
Reference in a new issue